File name: iTopVPN_ptblogseo825_setup.exe

Full analysis: https://app.any.run/tasks/c142018e-6da1-44b2-bf57-98dce17637b9
Verdict: Malicious activity
Threats: Stealer

Stealers are a category of malicious software intended to gain unauthorized access to users' information and transfer it to the attacker. The stealer category includes various programs that each focus on a particular kind of data, such as files, passwords, and cryptocurrency. Stealers can also spy on their targets by recording keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: September 02, 2024, 01:08:56
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: evasion, stealer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 53DFA0458A10792560BC47237D3868AB
SHA1: B76BD48819CE184CF7BB70CAB7B60D8762172660
SHA256: DA6611A4625EE6F0381D3F44F5B297543E20334F16570CC93A069AB60DC5F14E
SSDEEP: 196608:2PooTASKRru6HxwjQ7Gsr3mBiivY7V30QI9/j7hw0NJE0q/QSVqv:2PtTADRrxyQ7GsrWBq3nC/jFwGE0qoSy

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Runs injected code in another process

      • icop64.exe (PID: 7040)
    • Application was injected by another process

      • explorer.exe (PID: 4552)
    • Actions look like stealing of personal data

      • iTopVPN.exe (PID: 6236)
    • Steals credentials from Web Browsers

      • iTopVPN.exe (PID: 6236)
  • SUSPICIOUS

    • Drops the executable file immediately after the start

      • iTopVPN_ptblogseo825_setup.exe (PID: 3984)
      • iTopVPN_ptblogseo825_setup.exe (PID: 1608)
      • iTopVPN_ptblogseo825_setup.tmp (PID: 6956)
      • iTopVPN_ptblogseo825_setup.exe (PID: 3844)
      • iTopVPN_ptblogseo825_setup.tmp (PID: 3900)
      • ugin.exe (PID: 6712)
    • Executable content was dropped or overwritten

      • iTopVPN_ptblogseo825_setup.exe (PID: 3984)
      • iTopVPN_ptblogseo825_setup.exe (PID: 1608)
      • iTopVPN_ptblogseo825_setup.tmp (PID: 6956)
      • iTopVPN_ptblogseo825_setup.exe (PID: 3844)
      • iTopVPN_ptblogseo825_setup.tmp (PID: 3900)
      • ugin.exe (PID: 6712)
    • Reads security settings of Internet Explorer

      • iTopVPN_ptblogseo825_setup.tmp (PID: 7144)
      • iTopVPN_ptblogseo825_setup.tmp (PID: 6956)
      • iTopVPN_ptblogseo825_setup.tmp (PID: 3900)
      • ugin.exe (PID: 6712)
      • Setup.exe (PID: 2576)
      • iTopVPN.exe (PID: 6236)
    • Reads the date of Windows installation

      • iTopVPN_ptblogseo825_setup.tmp (PID: 7144)
      • iTopVPN_ptblogseo825_setup.tmp (PID: 6956)
      • iTopVPN_ptblogseo825_setup.tmp (PID: 3900)
      • ugin.exe (PID: 6712)
      • Setup.exe (PID: 2576)
      • iTopVPN.exe (PID: 6236)
    • Reads the Windows owner or organization settings

      • iTopVPN_ptblogseo825_setup.tmp (PID: 6956)
      • iTopVPN_ptblogseo825_setup.tmp (PID: 3900)
    • Process drops legitimate windows executable

      • iTopVPN_ptblogseo825_setup.tmp (PID: 6956)
      • iTopVPN_ptblogseo825_setup.tmp (PID: 3900)
    • Checks for external IP

      • ugin.exe (PID: 872)
      • svchost.exe (PID: 2256)
      • Setup.exe (PID: 2576)
      • unpr.exe (PID: 6928)
    • Uses TASKKILL.EXE to kill process

      • iTopVPN_ptblogseo825_setup.tmp (PID: 3900)
    • Process drops SQLite DLL files

      • iTopVPN_ptblogseo825_setup.tmp (PID: 3900)
    • Drops a system driver (possible attempt to evade defenses)

      • iTopVPN_ptblogseo825_setup.tmp (PID: 3900)
      • ugin.exe (PID: 6712)
    • Starts CMD.EXE for commands execution

      • ugin.exe (PID: 6712)
      • iTopVPN.exe (PID: 6236)
    • Application launched itself

      • ugin.exe (PID: 6712)
    • Process uses IPCONFIG to clear DNS cache

      • cmd.exe (PID: 6856)
    • Suspicious use of NETSH.EXE

      • cmd.exe (PID: 6100)
    • Searches for installed software

      • iTopVPN.exe (PID: 6236)
    • The process verifies whether antivirus software is installed

      • iTopVPN.exe (PID: 6236)
  • INFO

    • Creates files in a temporary directory

      • iTopVPN_ptblogseo825_setup.exe (PID: 3984)
      • iTopVPN_ptblogseo825_setup.exe (PID: 1608)
      • iTopVPN_ptblogseo825_setup.tmp (PID: 6956)
      • Setup.exe (PID: 2576)
      • iTopVPN_ptblogseo825_setup.exe (PID: 3844)
      • iTopVPN_ptblogseo825_setup.tmp (PID: 3900)
      • explorer.exe (PID: 4552)
      • icop64.exe (PID: 7040)
      • SecEdit.exe (PID: 3728)
      • SecEdit.exe (PID: 1440)
      • iTopVPN.exe (PID: 6236)
    • Reads the computer name

      • iTopVPN_ptblogseo825_setup.tmp (PID: 7144)
      • iTopVPN_ptblogseo825_setup.tmp (PID: 6956)
      • ugin.exe (PID: 872)
      • iTopVPN_ptblogseo825_setup.tmp (PID: 3900)
      • Setup.exe (PID: 2576)
      • ugin.exe (PID: 1964)
      • ugin.exe (PID: 2024)
      • ugin.exe (PID: 4820)
      • ugin.exe (PID: 6712)
      • iTopVPN.exe (PID: 6992)
      • ugin.exe (PID: 6248)
      • ugin.exe (PID: 6408)
      • unpr.exe (PID: 6928)
      • ugin.exe (PID: 1748)
      • iTopVPN.exe (PID: 6236)
      • iTopDownloader.exe (PID: 6840)
      • aud.exe (PID: 1688)
      • aud.exe (PID: 6004)
      • atud.exe (PID: 4040)
      • iTopVPNMini.exe (PID: 6776)
    • Checks supported languages

      • iTopVPN_ptblogseo825_setup.tmp (PID: 7144)
      • iTopVPN_ptblogseo825_setup.exe (PID: 3984)
      • iTopVPN_ptblogseo825_setup.exe (PID: 1608)
      • iTopVPN_ptblogseo825_setup.tmp (PID: 6956)
      • ugin.exe (PID: 872)
      • Setup.exe (PID: 2576)
      • iTopVPN_ptblogseo825_setup.exe (PID: 3844)
      • iTopVPN_ptblogseo825_setup.tmp (PID: 3900)
      • ugin.exe (PID: 1964)
      • ugin.exe (PID: 2024)
      • ugin.exe (PID: 4820)
      • ugin.exe (PID: 6712)
      • icop64.exe (PID: 7040)
      • ullc.exe (PID: 2612)
      • iTopVPN.exe (PID: 6992)
      • ugin.exe (PID: 6408)
      • unpr.exe (PID: 6928)
      • ugin.exe (PID: 6248)
      • ugin.exe (PID: 1748)
      • iTopVPN.exe (PID: 6236)
      • iTopDownloader.exe (PID: 6840)
      • atud.exe (PID: 4040)
      • iTopVPNMini.exe (PID: 6776)
      • aud.exe (PID: 1688)
      • aud.exe (PID: 6004)
    • Process checks computer location settings

      • iTopVPN_ptblogseo825_setup.tmp (PID: 7144)
      • iTopVPN_ptblogseo825_setup.tmp (PID: 6956)
      • iTopVPN_ptblogseo825_setup.tmp (PID: 3900)
      • ugin.exe (PID: 6712)
      • Setup.exe (PID: 2576)
      • iTopVPN.exe (PID: 6236)
    • Creates files in the program directory

      • ugin.exe (PID: 872)
      • Setup.exe (PID: 2576)
      • iTopVPN_ptblogseo825_setup.tmp (PID: 3900)
      • iTopVPN.exe (PID: 6992)
      • ugin.exe (PID: 6712)
      • unpr.exe (PID: 6928)
      • ugin.exe (PID: 1748)
      • iTopDownloader.exe (PID: 6840)
      • atud.exe (PID: 4040)
      • iTopVPN.exe (PID: 6236)
    • Creates files or folders in the user directory

      • ugin.exe (PID: 872)
      • iTopVPN_ptblogseo825_setup.tmp (PID: 3900)
      • iTopVPN.exe (PID: 6992)
      • explorer.exe (PID: 4552)
      • iTopVPN.exe (PID: 6236)
      • atud.exe (PID: 4040)
      • iTopVPNMini.exe (PID: 6776)
    • Reads the machine GUID from the registry

      • ugin.exe (PID: 872)
      • Setup.exe (PID: 2576)
      • ugin.exe (PID: 6712)
      • icop64.exe (PID: 7040)
      • unpr.exe (PID: 6928)
      • iTopVPN.exe (PID: 6236)
      • iTopDownloader.exe (PID: 6840)
      • aud.exe (PID: 1688)
      • atud.exe (PID: 4040)
      • aud.exe (PID: 6004)
      • iTopVPNMini.exe (PID: 6776)
    • The process uses the downloaded file

      • iTopVPN_ptblogseo825_setup.tmp (PID: 6956)
      • iTopVPN_ptblogseo825_setup.tmp (PID: 3900)
      • ugin.exe (PID: 6712)
      • Setup.exe (PID: 2576)
      • iTopVPN.exe (PID: 6236)
    • Creates a software uninstall entry

      • iTopVPN_ptblogseo825_setup.tmp (PID: 3900)
    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 4552)
    • Reads Microsoft Office registry keys

      • explorer.exe (PID: 4552)
    • Disables trace logs

      • netsh.exe (PID: 5644)
    • Process checks Internet Explorer phishing filters

      • iTopVPN.exe (PID: 6236)
    • Process checks whether UAC notifications are on

      • iTopVPN.exe (PID: 6236)
Find more information about signature artifacts and mapping to the MITRE ATT&CK™ MATRIX in the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (42.6)
.exe | Win16/32 Executable Delphi generic (19.5)
.exe | Generic Win/DOS Executable (18.9)
.exe | DOS Executable Generic (18.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2015:07:16 13:24:20+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 65024
InitializedDataSize: 75264
UninitializedDataSize: -
EntryPoint: 0x113bc
OSVersion: 5
ImageVersion: 6
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 6.0.0.5688
ProductVersionNumber: 6.0.0.5688
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: iTop Inc.
FileDescription: iTop VPN
FileVersion: 6.0.0.5688
LegalCopyright: © iTop Inc. All rights reserved.
ProductName: iTopVPN
ProductVersion: 6.0.0.5688
All screenshots are available in the full report
Total processes: 169
Monitored processes: 57
Malicious processes: 9
Suspicious processes: 3


Process information

PID: 448
CMD: cmd.exe /c sc delete windivert
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: ugin.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 1060
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 872
CMD: "C:\Users\admin\AppData\Local\Temp\is-RNSF8.tmp\ugin.exe" /InitTop /install /ver 6.0.0.5688 /inspkg "C:\Users\admin\Desktop\iTopVPN_ptblogseo825_setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-RNSF8.tmp\ugin.exe
Parent process: iTopVPN_ptblogseo825_setup.tmp
User: admin
Company: iTop Inc.
Integrity Level: HIGH
Description: iTop VPN
Exit code: 0
Version: 6.0.0.5677
Modules (images):
c:\users\admin\appdata\local\temp\is-rnsf8.tmp\ugin.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
PID: 940
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1432
CMD: sc delete windivert
Path: C:\Windows\SysWOW64\sc.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Service Control Manager Configuration Tool
Exit code: 1060
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 1440
CMD: secedit /export /cfg C:\Users\admin\AppData\Local\Temp\3353.inf /log C:\Users\admin\AppData\Local\Temp\4498.log
Path: C:\Windows\System32\SecEdit.exe
Parent process: iTopVPN.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Security Configuration Editor Command Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\secedit.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\scecli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 1608
CMD: "C:\Users\admin\Desktop\iTopVPN_ptblogseo825_setup.exe" /SPAWNWND=$150378 /NOTIFYWND=$903A4
Path: C:\Users\admin\Desktop\iTopVPN_ptblogseo825_setup.exe
Parent process: iTopVPN_ptblogseo825_setup.tmp
User: admin
Company: iTop Inc.
Integrity Level: HIGH
Description: iTop VPN
Exit code: 0
Version: 6.0.0.5688
Modules (images):
c:\users\admin\desktop\itopvpn_ptblogseo825_setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
PID: 1688
CMD: "C:\Program Files (x86)\iTop VPN\aud.exe" /itop /dayactive
Path: C:\Program Files (x86)\iTop VPN\aud.exe
Parent process: iTopVPN.exe
User: admin
Company: iTop Inc.
Integrity Level: HIGH
Description: iTop VPN
Exit code: 0
Version: 6.0.0.5378
Modules (images):
c:\program files (x86)\itop vpn\aud.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
PID: 1748
CMD: "C:\Program Files (x86)\iTop VPN\ugin.exe" /combinslog "C:\Users\admin\AppData\Local\Temp\Setup Log 2024-09-02 #002.txt"
Path: C:\Program Files (x86)\iTop VPN\ugin.exe
Parent process: iTopVPN_ptblogseo825_setup.tmp
User: admin
Company: iTop Inc.
Integrity Level: HIGH
Description: iTop VPN
Exit code: 0
Version: 6.0.0.5677
Modules (images):
c:\program files (x86)\itop vpn\ugin.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
PID: 1964
CMD: "C:\Users\admin\AppData\Local\Temp\is-9CVNE.tmp\ugin.exe" /kill
Path: C:\Users\admin\AppData\Local\Temp\is-9CVNE.tmp\ugin.exe
Parent process: iTopVPN_ptblogseo825_setup.tmp
User: admin
Company: iTop Inc.
Integrity Level: HIGH
Description: iTop VPN
Exit code: 0
Version: 6.0.0.5677
Modules (images):
c:\users\admin\appdata\local\temp\is-9cvne.tmp\ugin.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
PID: 2024
CMD: "C:\Program Files (x86)\iTop VPN\ugin.exe" /kill /updagrade
Path: C:\Program Files (x86)\iTop VPN\ugin.exe
Parent process: iTopVPN_ptblogseo825_setup.tmp
User: admin
Company: iTop Inc.
Integrity Level: HIGH
Description: iTop VPN
Exit code: 0
Version: 6.0.0.5677
Modules (images):
c:\program files (x86)\itop vpn\ugin.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
Total events: 31 917
Read events: 31 774
Write events: 127
Delete events: 16

Modification events

(PID) Process: (4552) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000604DA
Operation: write
Name: VirtualDesktop
Value: 1000000030304456033BCEE44DE41B4E8AEC331E84F566D2

(PID) Process: (4552) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000006039C
Operation: write
Name: VirtualDesktop
Value: 1000000030304456033BCEE44DE41B4E8AEC331E84F566D2

(PID) Process: (4552) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000007026A
Operation: write
Name: VirtualDesktop
Value: 1000000030304456033BCEE44DE41B4E8AEC331E84F566D2

(PID) Process: (4552) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000007026A
Operation: delete key
Name: (default)
Value: (none)

(PID) Process: (6956) iTopVPN_ptblogseo825_setup.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (6956) iTopVPN_ptblogseo825_setup.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (6956) iTopVPN_ptblogseo825_setup.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (6956) iTopVPN_ptblogseo825_setup.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (4552) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000008026A
Operation: write
Name: VirtualDesktop
Value: 1000000030304456033BCEE44DE41B4E8AEC331E84F566D2

(PID) Process: (4552) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000008026A
Operation: delete key
Name: (default)
Value: (none)

Executable files: 86
Suspicious files: 55
Text files: 229
Unknown types: 4

Dropped files

PID 6956, iTopVPN_ptblogseo825_setup.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-RNSF8.tmp\_isetup\_setup64.tmp
Type: executable
MD5: E4211D6D009757C078A9FAC7FF4F03D4
SHA256: 388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95

PID 1608, iTopVPN_ptblogseo825_setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\is-JQDJM.tmp\iTopVPN_ptblogseo825_setup.tmp
Type: executable
MD5: 7F7631A8B8EA62BEED1E127167CCCB2E
SHA256: E6B2ACD0738623318F2A5A0AF0318B069623FC3455339643DA45B67A148C7C96

PID 4552, explorer.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat
Type: binary
MD5: E49C56350AEDF784BFE00E444B879672
SHA256: A8BD235303668981563DFB5AAE338CB802817C4060E2C199B7C84901D57B7E1E

PID 6956, iTopVPN_ptblogseo825_setup.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-RNSF8.tmp\iTopInstaller.exe
Type: executable
MD5: CC419F37B6831A860130B2C48787DC89
SHA256: 64D195E8CE6FEC9FF3729BA68B9D14DFE2B07C29786CAB08FCE1370AFE3BFD2D

PID 3984, iTopVPN_ptblogseo825_setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\is-AN505.tmp\iTopVPN_ptblogseo825_setup.tmp
Type: executable
MD5: 7F7631A8B8EA62BEED1E127167CCCB2E
SHA256: E6B2ACD0738623318F2A5A0AF0318B069623FC3455339643DA45B67A148C7C96

PID 872, ugin.exe
Filename: C:\Users\admin\AppData\Roaming\iTop VPN\log\ugin.dat
Type: binary
MD5: 1FAAB046265640A58E062811E05CC444
SHA256: 1080E571C7A545B65AD9713CC5FB2DED07F8787104552E5D890BE0DDD0F767DF

PID 6956, iTopVPN_ptblogseo825_setup.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-RNSF8.tmp\libcrypto-1_1.dll
Type: executable
MD5: 153E591BE14112032056763FF4989A09
SHA256: E0AD8F26D4E6FE47347FBF0FCE1875E4A4FD7F3B923647548D3FC6F815AF2D6A

PID 6956, iTopVPN_ptblogseo825_setup.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-RNSF8.tmp\winid.dat
Type: text
MD5: 1A3221FC31DCCB79171C8D028B5D33F9
SHA256: 5A63097DA5E0D08B47D0CAF1DB6D72C24B8A45617537C62238E89C1EF71F610F

PID 6956, iTopVPN_ptblogseo825_setup.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-RNSF8.tmp\_isetup\_shfoldr.dll
Type: executable
MD5: 92DC6EF532FBB4A5C3201469A5B5EB63
SHA256: 9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87

PID 6956, iTopVPN_ptblogseo825_setup.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-RNSF8.tmp\ugin.exe
Type: executable
MD5: 5F225FC6E5779334CBCB2CD76B858320
SHA256: C8E0D36C90AA279AC086EFB206592A417612AA8F9F46E20DCEE9F4E2117159A5
Download the PCAP, analyze network streams, HTTP content and more in the full report
HTTP(S) requests: 174
TCP/UDP connections: 188
DNS requests: 13
Threats: 181

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
6928 | unpr.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/json/ | unknown | - | - | shared
872 | ugin.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/json/ | unknown | - | - | shared
2576 | Setup.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/json/ | unknown | - | - | shared
- | - | POST | 200 | 3.229.82.147:443 | https://stats.itopvpn.com/usage_v2.php | unknown | text | 4 b | -
- | - | GET | 200 | 52.71.107.83:443 | https://interface.iobit.com/ac/geturl.php?getid=reco_isr | unknown | binary | 173 b | -
- | - | GET | 200 | 152.199.23.214:443 | https://update.itopvpn.com/infofiles/itop/freeware.upt | unknown | ini | 9.99 Kb | -
- | - | POST | 200 | 52.1.82.23:443 | https://stats.itopvpn.com/install.php | unknown | text | 19 b | -
- | - | GET | 200 | 152.199.23.214:443 | https://update.itopvpn.com/infofiles/itop/update-freef6.upt | unknown | binary | 5.25 Kb | -
- | - | GET | 200 | 152.199.23.214:443 | https://update.itopvpn.com/infofiles/itop/itopfinstaller.zlb | unknown | binary | 195 Kb | -
- | - | GET | 206 | 152.199.23.214:443 | https://update.itopvpn.com/infofiles/itop/itopfinstaller.zlb | unknown | binary | 48.7 Kb | -

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 51.104.136.2:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3888 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
872 | ugin.exe | 208.95.112.1:80 | ip-api.com | TUT-AS | US | shared
872 | ugin.exe | 152.199.23.214:443 | update.itopvpn.com | EDGECAST | US | malicious
2576 | Setup.exe | 208.95.112.1:80 | ip-api.com | TUT-AS | US | shared
2576 | Setup.exe | 152.199.23.214:443 | update.itopvpn.com | EDGECAST | US | malicious
2576 | Setup.exe | 152.199.20.140:443 | update.iobit.com | EDGECAST | US | whitelisted
2576 | Setup.exe | 52.1.82.23:443 | stats.itopvpn.com | AMAZON-AES | US | malicious

DNS requests

Domain | IP | Reputation
google.com | 142.250.185.78 | whitelisted
settings-win.data.microsoft.com | 51.124.78.146 | whitelisted
ip-api.com | 208.95.112.1 | shared
update.itopvpn.com | 152.199.23.214 | malicious
update.iobit.com | 152.199.20.140 | whitelisted
stats.itopvpn.com | 52.1.82.23, 3.229.82.147 | malicious
interface.iobit.com | 54.167.187.36, 52.71.107.83 | unknown
api.itopvpn.com | 13.248.190.80, 76.223.44.67 | malicious
s3.amazonaws.com | 16.182.97.16, 54.231.198.168, 16.15.193.246, 52.217.205.64, 52.217.4.78, 54.231.234.200, 52.217.227.144, 52.216.213.152 | shared
update.downloaditop.com | 152.199.23.214 | unknown

Threats

PID | Process | Class | Message
2256 | svchost.exe | Device Retrieving External IP Address Detected | INFO [ANY.RUN] External IP Check (ip-api .com)
2256 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
872 | ugin.exe | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup ip-api.com
872 | ugin.exe | Potentially Bad Traffic | ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
- | - | Potentially Bad Traffic | ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
2576 | Setup.exe | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup ip-api.com
2576 | Setup.exe | Potentially Bad Traffic | ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
- | - | Potentially Bad Traffic | ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
- | - | Potentially Bad Traffic | ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
- | - | Potentially Bad Traffic | ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
Process | Message
Setup.exe | time1
Setup.exe | doFinshedEvent_Freeware 0
Setup.exe | time3
Setup.exe | Success
Setup.exe | Order: isr
Setup.exe | ProductVersion: 6.0.0.5688
Setup.exe | Chk_ver_min
Setup.exe | Chk_ver_max
Setup.exe | CheckSameVerList
Setup.exe | CheckLicense