Malware analysis advanced-systemcare-free-3.7.2.exe Malicious activity

Add for printing

File name:	advanced-systemcare-free-3.7.2.exe
Full analysis:	https://app.any.run/tasks/a13d542b-27a0-46a1-8799-b36941866480
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Malware Trends Tracker >>>
Analysis date:	April 11, 2025, 15:10:02
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	delphi inno installer loader
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 9 sections
MD5:	118094385CDBC55A1A8B478881109200
SHA1:	10CAEBA9570FD68A523026E99B164696E0B44ABF
SHA256:	CE4E5BFC1BB836184ECB93D0889F6DD3DEA0DBECEDD257BE4D32AAB0424467EC
SSDEEP:	98304:YTdmKQRbPz4BUJm3qD1MVevueMTjDal5BHOPFK1ktU0esz+AE59aHkxSwuDaDfRU:7cOSjV4OxHrSPmzsPW

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Executing a file with an untrusted certificate
  - advanced-systemcare-free-3.7.2.exe (PID: 7560)
  - Aup.exe (PID: 7812)
  - AWCInit.exe (PID: 1280)
  - AWCInit.exe (PID: 2136)
  - Wizard.exe (PID: 2516)
  - ContextMenu.exe (PID: 5892)
  - AWC.exe (PID: 6272)
  - Sut_RestoreCenter.exe (PID: 6540)
  - IObitUpdate.exe (PID: 4164)
- Changes the autorun value in the registry
  - AWCInit.exe (PID: 1280)
SUSPICIOUS
- Executable content was dropped or overwritten
  - advanced-systemcare-free-3.7.2.exe (PID: 7560)
  - advanced-systemcare-free-3.7.2.exe (PID: 7720)
  - advanced-systemcare-free-3.7.2.tmp (PID: 7752)
- Reads security settings of Internet Explorer
  - advanced-systemcare-free-3.7.2.tmp (PID: 7580)
  - advanced-systemcare-free-3.7.2.tmp (PID: 7752)
  - Wizard.exe (PID: 2516)
  - AWCInit.exe (PID: 1280)
  - AWC.exe (PID: 6272)
  - IObitUpdate.exe (PID: 4164)
- Reads the Windows owner or organization settings
  - advanced-systemcare-free-3.7.2.tmp (PID: 7752)
- Process drops legitimate windows executable
  - advanced-systemcare-free-3.7.2.tmp (PID: 7752)
- Creates or modifies Windows services
  - AWCInit.exe (PID: 1280)
- Executes as Windows Service
  - VSSVC.exe (PID: 5640)
- Reads Microsoft Outlook installation path
  - AWC.exe (PID: 6272)
  - IObitUpdate.exe (PID: 4164)
- Reads Internet Explorer settings
  - AWC.exe (PID: 6272)
  - IObitUpdate.exe (PID: 4164)
- Searches for installed software
  - dllhost.exe (PID: 4892)
- There is functionality for taking screenshot (YARA)
  - Sut_RestoreCenter.exe (PID: 6540)
  - AWC.exe (PID: 6272)
- Process requests binary or script from the Internet
  - IObitUpdate.exe (PID: 4164)
  - AWC.exe (PID: 6272)
INFO
- Checks supported languages
  - advanced-systemcare-free-3.7.2.tmp (PID: 7580)
  - advanced-systemcare-free-3.7.2.exe (PID: 7560)
  - advanced-systemcare-free-3.7.2.exe (PID: 7720)
  - Aup.exe (PID: 7812)
  - advanced-systemcare-free-3.7.2.tmp (PID: 7752)
  - AWCInit.exe (PID: 2136)
  - Wizard.exe (PID: 2516)
  - AWCInit.exe (PID: 1280)
  - ContextMenu.exe (PID: 5892)
  - AWC.exe (PID: 6272)
  - Sut_RestoreCenter.exe (PID: 6540)
  - IObitUpdate.exe (PID: 4164)
- Create files in a temporary directory
  - advanced-systemcare-free-3.7.2.exe (PID: 7560)
  - advanced-systemcare-free-3.7.2.exe (PID: 7720)
  - advanced-systemcare-free-3.7.2.tmp (PID: 7752)
- Reads the computer name
  - advanced-systemcare-free-3.7.2.tmp (PID: 7580)
  - advanced-systemcare-free-3.7.2.tmp (PID: 7752)
  - Wizard.exe (PID: 2516)
  - AWCInit.exe (PID: 1280)
  - Sut_RestoreCenter.exe (PID: 6540)
  - AWC.exe (PID: 6272)
  - IObitUpdate.exe (PID: 4164)
- Compiled with Borland Delphi (YARA)
  - advanced-systemcare-free-3.7.2.exe (PID: 7560)
  - advanced-systemcare-free-3.7.2.tmp (PID: 7752)
  - advanced-systemcare-free-3.7.2.tmp (PID: 7580)
  - advanced-systemcare-free-3.7.2.exe (PID: 7720)
  - Sut_RestoreCenter.exe (PID: 6540)
  - AWC.exe (PID: 6272)
- Detects InnoSetup installer (YARA)
  - advanced-systemcare-free-3.7.2.exe (PID: 7560)
  - advanced-systemcare-free-3.7.2.tmp (PID: 7580)
  - advanced-systemcare-free-3.7.2.tmp (PID: 7752)
  - advanced-systemcare-free-3.7.2.exe (PID: 7720)
- Process checks computer location settings
  - advanced-systemcare-free-3.7.2.tmp (PID: 7580)
  - advanced-systemcare-free-3.7.2.tmp (PID: 7752)
  - Wizard.exe (PID: 2516)
  - AWCInit.exe (PID: 1280)
  - AWC.exe (PID: 6272)
- The sample compiled with english language support
  - advanced-systemcare-free-3.7.2.tmp (PID: 7752)
- Creates files or folders in the user directory
  - advanced-systemcare-free-3.7.2.tmp (PID: 7752)
  - Sut_RestoreCenter.exe (PID: 6540)
  - AWC.exe (PID: 6272)
  - IObitUpdate.exe (PID: 4164)
- Creates files in the program directory
  - advanced-systemcare-free-3.7.2.tmp (PID: 7752)
  - AWC.exe (PID: 6272)
  - IObitUpdate.exe (PID: 4164)
- The sample compiled with chinese language support
  - advanced-systemcare-free-3.7.2.tmp (PID: 7752)
- Creates a software uninstall entry
  - advanced-systemcare-free-3.7.2.tmp (PID: 7752)
- Checks proxy server information
  - Wizard.exe (PID: 2516)
  - AWC.exe (PID: 6272)
  - IObitUpdate.exe (PID: 4164)
- Manages system restore points
  - SrTasks.exe (PID: 7884)
- Reads the software policy settings
  - AWC.exe (PID: 6272)
  - IObitUpdate.exe (PID: 4164)
  - slui.exe (PID: 7680)
- Reads the machine GUID from the registry
  - IObitUpdate.exe (PID: 4164)
  - AWC.exe (PID: 6272)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Inno Setup installer (77.7)
.exe	\|	Win32 Executable Delphi generic (10)
.dll	\|	Win32 Dynamic Link Library (generic) (4.6)
.exe	\|	Win32 Executable (generic) (3.1)
.exe	\|	Win16/32 Executable Delphi generic (1.4)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2010:04:10 16:57:59+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType:	PE32
LinkerVersion:	2.25
CodeSize:	87040
InitializedDataSize:	71680
UninitializedDataSize:	-
EntryPoint:	0x163c4
OSVersion:	5
ImageVersion:	6
SubsystemVersion:	5
Subsystem:	Windows GUI
FileVersionNumber:	3.7.0.0
ProductVersionNumber:	3.7.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
Comments:	This installation was built with Inno Setup.
CompanyName:	IObit
FileDescription:	Advanced SystemCare 3
FileVersion:	3.7.0
LegalCopyright:	Copyright© 2005-2010
ProductName:	Advanced SystemCare 3
ProductVersion:	3.7.0

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

154

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1280

"C:\Program Files (x86)\IObit\Advanced SystemCare 3\AWCInit.exe" /install /s

C:\Program Files (x86)\IObit\Advanced SystemCare 3\AWCInit.exe

Wizard.exe

User:

admin

Company:

IObit

Integrity Level:

HIGH

Description:

Advanced SystemCare Init

Exit code:

Version:

1.0.0.108

Modules

Images
c:\program files (x86)\iobit\advanced systemcare 3\awcinit.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

2136

"C:\Program Files (x86)\IObit\Advanced SystemCare 3\AWCInit.exe" /check /s

C:\Program Files (x86)\IObit\Advanced SystemCare 3\AWCInit.exe

—

advanced-systemcare-free-3.7.2.tmp

User:

admin

Company:

IObit

Integrity Level:

HIGH

Description:

Advanced SystemCare Init

Exit code:

Version:

1.0.0.108

Modules

Images
c:\program files (x86)\iobit\advanced systemcare 3\awcinit.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

2516

"C:\Program Files (x86)\IObit\Advanced SystemCare 3\Wizard.exe" /personal

C:\Program Files (x86)\IObit\Advanced SystemCare 3\Wizard.exe

—

advanced-systemcare-free-3.7.2.tmp

User:

admin

Company:

IObit

Integrity Level:

HIGH

Description:

Wizard

Exit code:

Version:

1.0.0.56

Modules

Images
c:\program files (x86)\iobit\advanced systemcare 3\wizard.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

4164

"C:\Program Files (x86)\IObit\Advanced SystemCare 3\IObitUpdate.exe" /auto

C:\Program Files (x86)\IObit\Advanced SystemCare 3\IObitUpdate.exe

AWC.exe

User:

admin

Company:

IObit

Integrity Level:

HIGH

Description:

IObit Live Update

Exit code:

Version:

1.1.0.261

Modules

Images
c:\program files (x86)\iobit\advanced systemcare 3\iobitupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll

4892

C:\WINDOWS\system32\DllHost.exe /Processid:{F32D97DF-E3E5-4CB9-9E3E-0EB5B4E49801}

C:\Windows\System32\dllhost.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

COM Surrogate

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll

5640

C:\WINDOWS\system32\vssvc.exe

C:\Windows\System32\VSSVC.exe

—

services.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Microsoft® Volume Shadow Copy Service

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

5892

"C:\Program Files (x86)\IObit\Advanced SystemCare 3\ContextMenu.exe" /shell /3

C:\Program Files (x86)\IObit\Advanced SystemCare 3\ContextMenu.exe

—

AWCInit.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\program files (x86)\iobit\advanced systemcare 3\contextmenu.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ole32.dll

6272

"C:\Program Files (x86)\IObit\Advanced SystemCare 3\Awc.exe" /firstscan

C:\Program Files (x86)\IObit\Advanced SystemCare 3\AWC.exe

Wizard.exe

User:

admin

Company:

IObit

Integrity Level:

HIGH

Description:

Advanced SystemCare 3

Version:

3.7.0.721

Modules

Images
c:\program files (x86)\iobit\advanced systemcare 3\awc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

6540

"C:\Program Files (x86)\IObit\Advanced SystemCare 3\Sut_RestoreCenter.exe" /Create

C:\Program Files (x86)\IObit\Advanced SystemCare 3\Sut_RestoreCenter.exe

—

AWC.exe

User:

admin

Company:

IObit

Integrity Level:

HIGH

Description:

Restore Center

Exit code:

Version:

1.0.3.120

Modules

Images
c:\program files (x86)\iobit\advanced systemcare 3\sut_restorecenter.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

7560

"C:\Users\admin\AppData\Local\Temp\advanced-systemcare-free-3.7.2.exe"

C:\Users\admin\AppData\Local\Temp\advanced-systemcare-free-3.7.2.exe

explorer.exe

User:

admin

Company:

IObit

Integrity Level:

MEDIUM

Description:

Advanced SystemCare 3

Exit code:

Version:

3.7.0

Modules

Images
c:\users\admin\appdata\local\temp\advanced-systemcare-free-3.7.2.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll

Add for printing

Total events

8 489

Read events

8 250

Write events

221

Delete events

Modification events


(PID) Process:	(7752) advanced-systemcare-free-3.7.2.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\IObit\Advanced SystemCare 3
Operation:	write	Name:	ref
Value: asc
(PID) Process:	(7752) advanced-systemcare-free-3.7.2.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\IObit\Advanced SystemCare 3
Operation:	write	Name:	aff
Value:
(PID) Process:	(7752) advanced-systemcare-free-3.7.2.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Advanced SystemCare 3_is1
Operation:	write	Name:	Inno Setup: Setup Version
Value: 5.3.9 (u)
(PID) Process:	(7752) advanced-systemcare-free-3.7.2.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Advanced SystemCare 3_is1
Operation:	write	Name:	Inno Setup: App Path
Value: C:\Program Files (x86)\IObit\Advanced SystemCare 3
(PID) Process:	(7752) advanced-systemcare-free-3.7.2.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Advanced SystemCare 3_is1
Operation:	write	Name:	InstallLocation
Value: C:\Program Files (x86)\IObit\Advanced SystemCare 3\
(PID) Process:	(7752) advanced-systemcare-free-3.7.2.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Advanced SystemCare 3_is1
Operation:	write	Name:	Inno Setup: Icon Group
Value: Advanced SystemCare 3
(PID) Process:	(7752) advanced-systemcare-free-3.7.2.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Advanced SystemCare 3_is1
Operation:	write	Name:	Inno Setup: User
Value: admin
(PID) Process:	(7752) advanced-systemcare-free-3.7.2.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Advanced SystemCare 3_is1
Operation:	write	Name:	Inno Setup: Selected Tasks
Value: desktopicon,quicklaunchicon,favtopicon
(PID) Process:	(7752) advanced-systemcare-free-3.7.2.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Advanced SystemCare 3_is1
Operation:	write	Name:	Inno Setup: Deselected Tasks
Value:
(PID) Process:	(7752) advanced-systemcare-free-3.7.2.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Advanced SystemCare 3_is1
Operation:	write	Name:	Inno Setup: Language
Value: english

Add for printing

Executable files

147

Suspicious files

388

Text files

267

Unknown types

Dropped files

PID	Process	Filename		Type
7720	advanced-systemcare-free-3.7.2.exe	C:\Users\admin\AppData\Local\Temp\is-0PE37.tmp\advanced-systemcare-free-3.7.2.tmp		executable
		MD5:FD4FFDF2593A68595BEEBFC95733E660	SHA256:150CDC08F8BE4114D4E6AFCD396DD41ACCA7A8515D529E9B57A32CE0B26B4D75
7560	advanced-systemcare-free-3.7.2.exe	C:\Users\admin\AppData\Local\Temp\is-6992P.tmp\advanced-systemcare-free-3.7.2.tmp		executable
		MD5:FD4FFDF2593A68595BEEBFC95733E660	SHA256:150CDC08F8BE4114D4E6AFCD396DD41ACCA7A8515D529E9B57A32CE0B26B4D75
7752	advanced-systemcare-free-3.7.2.tmp	C:\Users\admin\AppData\Local\Temp\is-HMLN3.tmp\_isetup\_shfoldr.dll		executable
		MD5:92DC6EF532FBB4A5C3201469A5B5EB63	SHA256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
7752	advanced-systemcare-free-3.7.2.tmp	C:\Users\admin\AppData\Local\Temp\is-HMLN3.tmp\_isetup\_setup64.tmp		executable
		MD5:4FF75F505FDDCC6A9AE62216446205D9	SHA256:A4C86FC4836AC728D7BD96E7915090FD59521A9E74F1D06EF8E5A47C8695FD81
7752	advanced-systemcare-free-3.7.2.tmp	C:\Program Files (x86)\IObit\Advanced SystemCare 3\Language\is-BNTTG.tmp		binary
		MD5:DE6859956599DEF81A73749B39BBF5E4	SHA256:30622EB3453FF96C6E5F8323C8E4B320051F255B98D6805ADC153EDF8046DD3F
7752	advanced-systemcare-free-3.7.2.tmp	C:\Program Files (x86)\IObit\Advanced SystemCare 3\unins000.exe		executable
		MD5:6FF2072420B0FDA83807D1723090BF89	SHA256:8F35D72B8957DADF6F56803DA67939C30CECBA3C7959BF490539491F2BE2DF67
7752	advanced-systemcare-free-3.7.2.tmp	C:\Program Files (x86)\IObit\Advanced SystemCare 3\is-TBCD3.tmp		executable
		MD5:6FF2072420B0FDA83807D1723090BF89	SHA256:8F35D72B8957DADF6F56803DA67939C30CECBA3C7959BF490539491F2BE2DF67
7752	advanced-systemcare-free-3.7.2.tmp	C:\Users\admin\AppData\Local\Temp\is-HMLN3.tmp\Aup.exe		executable
		MD5:E8C29A50C00D60E6404334CB36E1B93F	SHA256:40CE82A80C1B6650CFBAA3EDC30CFFFE5DBCED40B40DDE95EA6611BAE48D6A71
7752	advanced-systemcare-free-3.7.2.tmp	C:\Program Files (x86)\IObit\Advanced SystemCare 3\is-5CB92.tmp		executable
		MD5:FAF3D2062FACB9E76B010C40FC264119	SHA256:755461212266636D4E77BBFA65B01726B50E9986DD6BB27DCDFE8936E7BA26CE
7752	advanced-systemcare-free-3.7.2.tmp	C:\Program Files (x86)\IObit\Advanced SystemCare 3\vclx70.bpl		executable
		MD5:FAF3D2062FACB9E76B010C40FC264119	SHA256:755461212266636D4E77BBFA65B01726B50E9986DD6BB27DCDFE8936E7BA26CE

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

119

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5496	MoUsoCoreWorker.exe	GET	200	2.19.11.120:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
6544	svchost.exe	GET	200	184.30.131.245:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
5072	SIHClient.exe	GET	200	173.223.117.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
5072	SIHClient.exe	GET	200	173.223.117.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
6272	AWC.exe	GET	200	2.22.242.10:80	http://update.iobit.com/infofiles/awc3check.upt	unknown	—	—	whitelisted
6272	AWC.exe	GET	200	3.222.52.102:80	http://www.iobit.com/en/advancedsystemcarefree.php	unknown	—	—	whitelisted
4164	IObitUpdate.exe	GET	200	2.22.242.10:80	http://update.iobit.com/infofiles/awc3update.upt	unknown	—	—	whitelisted
6272	AWC.exe	GET	200	3.222.52.102:80	http://www.iobit.com/tpl/styles/font-awesome.css	unknown	—	—	whitelisted
6272	AWC.exe	GET	200	3.222.52.102:80	http://www.iobit.com/tpl/styles/global.css?t=1705029027361	unknown	—	—	whitelisted
6272	AWC.exe	GET	200	142.250.185.131:80	http://c.pki.goog/r/r4.crl	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	51.124.78.146:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5496	MoUsoCoreWorker.exe	2.19.11.120:80	crl.microsoft.com	Elisa Oyj	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
2104	svchost.exe	51.124.78.146:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3216	svchost.exe	172.211.123.248:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
6544	svchost.exe	20.190.160.130:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
6544	svchost.exe	184.30.131.245:80	ocsp.digicert.com	AKAMAI-AS	US	whitelisted
2112	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2104	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

DNS requests

Domain	IP	Reputation
crl.microsoft.com	2.19.11.120 2.19.11.105	whitelisted
google.com	142.250.186.78	whitelisted
client.wns.windows.com	172.211.123.248	whitelisted
login.live.com	20.190.160.130 20.190.160.65 40.126.32.134 40.126.32.138 20.190.160.2 20.190.160.14 40.126.32.72 40.126.32.74	whitelisted
ocsp.digicert.com	184.30.131.245 2.23.77.188	whitelisted
settings-win.data.microsoft.com	40.127.240.158	whitelisted
slscr.update.microsoft.com	172.202.163.200	whitelisted
www.microsoft.com	173.223.117.131	whitelisted
fe3cr.delivery.mp.microsoft.com	13.85.23.206	whitelisted
go.microsoft.com	95.100.186.9	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

advanced-systemcare-free-3.7.2.exe

118094385CDBC55A1A8B478881109200

10CAEBA9570FD68A523026E99B164696E0B44ABF

CE4E5BFC1BB836184ECB93D0889F6DD3DEA0DBECEDD257BE4D32AAB0424467EC

98304:YTdmKQRbPz4BUJm3qD1MVevueMTjDal5BHOPFK1ktU0esz+AE59aHkxSwuDaDfRU:7cOSjV4OxHrSPmzsPW

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Executing a file with an untrusted certificate

Changes the autorun value in the registry

SUSPICIOUS

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

Reads the Windows owner or organization settings

Process drops legitimate windows executable

Creates or modifies Windows services

Executes as Windows Service

Reads Microsoft Outlook installation path

Reads Internet Explorer settings

Searches for installed software

There is functionality for taking screenshot (YARA)

Process requests binary or script from the Internet

INFO

Checks supported languages

Create files in a temporary directory

Reads the computer name

Compiled with Borland Delphi (YARA)

Detects InnoSetup installer (YARA)

Process checks computer location settings

The sample compiled with english language support

Creates files or folders in the user directory

Creates files in the program directory

The sample compiled with chinese language support

Creates a software uninstall entry

Checks proxy server information

Manages system restore points

Reads the software policy settings

Reads the machine GUID from the registry

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests