File name: iTopVPN_ptblogseo825_setup.exe
Full analysis: https://app.any.run/tasks/c142018e-6da1-44b2-bf57-98dce17637b9
Verdict: Malicious activity
Threats:

Stealers are a category of malicious software intended to gain unauthorized access to users' information and transfer it to the attacker. The category includes various programs, each focused on a particular kind of data, such as files, passwords, and cryptocurrency. Stealers can also spy on their targets by recording keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: September 02, 2024, 01:08:56
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: evasion, stealer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 53DFA0458A10792560BC47237D3868AB
SHA1: B76BD48819CE184CF7BB70CAB7B60D8762172660
SHA256: DA6611A4625EE6F0381D3F44F5B297543E20334F16570CC93A069AB60DC5F14E
SSDEEP: 196608:2PooTASKRru6HxwjQ7Gsr3mBiivY7V30QI9/j7hw0NJE0q/QSVqv:2PtTADRrxyQ7GsrWBq3nC/jFwGE0qoSy

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was injected by another process

      • explorer.exe (PID: 4552)
    • Runs injected code in another process

      • icop64.exe (PID: 7040)
    • Steals credentials from Web Browsers

      • iTopVPN.exe (PID: 6236)
    • Actions looks like stealing of personal data

      • iTopVPN.exe (PID: 6236)
  • SUSPICIOUS

    • Drops the executable file immediately after the start

      • iTopVPN_ptblogseo825_setup.exe (PID: 3984)
      • iTopVPN_ptblogseo825_setup.exe (PID: 1608)
      • iTopVPN_ptblogseo825_setup.tmp (PID: 6956)
      • iTopVPN_ptblogseo825_setup.exe (PID: 3844)
      • iTopVPN_ptblogseo825_setup.tmp (PID: 3900)
      • ugin.exe (PID: 6712)
    • Reads security settings of Internet Explorer

      • iTopVPN_ptblogseo825_setup.tmp (PID: 7144)
      • iTopVPN_ptblogseo825_setup.tmp (PID: 6956)
      • iTopVPN_ptblogseo825_setup.tmp (PID: 3900)
      • ugin.exe (PID: 6712)
      • Setup.exe (PID: 2576)
      • iTopVPN.exe (PID: 6236)
    • Executable content was dropped or overwritten

      • iTopVPN_ptblogseo825_setup.exe (PID: 3984)
      • iTopVPN_ptblogseo825_setup.exe (PID: 1608)
      • iTopVPN_ptblogseo825_setup.tmp (PID: 6956)
      • iTopVPN_ptblogseo825_setup.exe (PID: 3844)
      • iTopVPN_ptblogseo825_setup.tmp (PID: 3900)
      • ugin.exe (PID: 6712)
    • Reads the date of Windows installation

      • iTopVPN_ptblogseo825_setup.tmp (PID: 7144)
      • iTopVPN_ptblogseo825_setup.tmp (PID: 6956)
      • iTopVPN_ptblogseo825_setup.tmp (PID: 3900)
      • ugin.exe (PID: 6712)
      • Setup.exe (PID: 2576)
      • iTopVPN.exe (PID: 6236)
    • Process drops legitimate windows executable

      • iTopVPN_ptblogseo825_setup.tmp (PID: 6956)
      • iTopVPN_ptblogseo825_setup.tmp (PID: 3900)
    • Reads the Windows owner or organization settings

      • iTopVPN_ptblogseo825_setup.tmp (PID: 6956)
      • iTopVPN_ptblogseo825_setup.tmp (PID: 3900)
    • Checks for external IP

      • svchost.exe (PID: 2256)
      • ugin.exe (PID: 872)
      • Setup.exe (PID: 2576)
      • unpr.exe (PID: 6928)
    • Uses TASKKILL.EXE to kill process

      • iTopVPN_ptblogseo825_setup.tmp (PID: 3900)
    • Drops a system driver (possible attempt to evade defenses)

      • iTopVPN_ptblogseo825_setup.tmp (PID: 3900)
      • ugin.exe (PID: 6712)
    • Process drops SQLite DLL files

      • iTopVPN_ptblogseo825_setup.tmp (PID: 3900)
    • Starts CMD.EXE for commands execution

      • ugin.exe (PID: 6712)
      • iTopVPN.exe (PID: 6236)
    • Application launched itself

      • ugin.exe (PID: 6712)
    • Process uses IPCONFIG to clear DNS cache

      • cmd.exe (PID: 6856)
    • Suspicious use of NETSH.EXE

      • cmd.exe (PID: 6100)
    • Searches for installed software

      • iTopVPN.exe (PID: 6236)
    • The process verifies whether the antivirus software is installed

      • iTopVPN.exe (PID: 6236)
  • INFO

    • Checks supported languages

      • iTopVPN_ptblogseo825_setup.exe (PID: 3984)
      • iTopVPN_ptblogseo825_setup.tmp (PID: 7144)
      • iTopVPN_ptblogseo825_setup.exe (PID: 1608)
      • iTopVPN_ptblogseo825_setup.tmp (PID: 6956)
      • ugin.exe (PID: 872)
      • Setup.exe (PID: 2576)
      • iTopVPN_ptblogseo825_setup.exe (PID: 3844)
      • iTopVPN_ptblogseo825_setup.tmp (PID: 3900)
      • ugin.exe (PID: 1964)
      • ugin.exe (PID: 2024)
      • iTopVPN.exe (PID: 6992)
      • ugin.exe (PID: 6712)
      • ugin.exe (PID: 4820)
      • ullc.exe (PID: 2612)
      • icop64.exe (PID: 7040)
      • ugin.exe (PID: 6408)
      • ugin.exe (PID: 6248)
      • unpr.exe (PID: 6928)
      • ugin.exe (PID: 1748)
      • iTopDownloader.exe (PID: 6840)
      • iTopVPN.exe (PID: 6236)
      • aud.exe (PID: 1688)
      • aud.exe (PID: 6004)
      • iTopVPNMini.exe (PID: 6776)
      • atud.exe (PID: 4040)
    • Create files in a temporary directory

      • iTopVPN_ptblogseo825_setup.exe (PID: 3984)
      • iTopVPN_ptblogseo825_setup.exe (PID: 1608)
      • iTopVPN_ptblogseo825_setup.tmp (PID: 6956)
      • Setup.exe (PID: 2576)
      • iTopVPN_ptblogseo825_setup.exe (PID: 3844)
      • iTopVPN_ptblogseo825_setup.tmp (PID: 3900)
      • icop64.exe (PID: 7040)
      • explorer.exe (PID: 4552)
      • SecEdit.exe (PID: 1440)
      • SecEdit.exe (PID: 3728)
      • iTopVPN.exe (PID: 6236)
    • Reads the computer name

      • iTopVPN_ptblogseo825_setup.tmp (PID: 7144)
      • iTopVPN_ptblogseo825_setup.tmp (PID: 6956)
      • ugin.exe (PID: 872)
      • Setup.exe (PID: 2576)
      • iTopVPN_ptblogseo825_setup.tmp (PID: 3900)
      • ugin.exe (PID: 1964)
      • ugin.exe (PID: 2024)
      • ugin.exe (PID: 4820)
      • iTopVPN.exe (PID: 6992)
      • ugin.exe (PID: 6712)
      • ugin.exe (PID: 6248)
      • ugin.exe (PID: 6408)
      • unpr.exe (PID: 6928)
      • ugin.exe (PID: 1748)
      • iTopDownloader.exe (PID: 6840)
      • iTopVPN.exe (PID: 6236)
      • aud.exe (PID: 6004)
      • aud.exe (PID: 1688)
      • atud.exe (PID: 4040)
      • iTopVPNMini.exe (PID: 6776)
    • Process checks computer location settings

      • iTopVPN_ptblogseo825_setup.tmp (PID: 7144)
      • iTopVPN_ptblogseo825_setup.tmp (PID: 6956)
      • iTopVPN_ptblogseo825_setup.tmp (PID: 3900)
      • ugin.exe (PID: 6712)
      • Setup.exe (PID: 2576)
      • iTopVPN.exe (PID: 6236)
    • Creates files or folders in the user directory

      • ugin.exe (PID: 872)
      • iTopVPN_ptblogseo825_setup.tmp (PID: 3900)
      • iTopVPN.exe (PID: 6992)
      • explorer.exe (PID: 4552)
      • iTopVPN.exe (PID: 6236)
      • atud.exe (PID: 4040)
      • iTopVPNMini.exe (PID: 6776)
    • The process uses the downloaded file

      • iTopVPN_ptblogseo825_setup.tmp (PID: 6956)
      • iTopVPN_ptblogseo825_setup.tmp (PID: 3900)
      • ugin.exe (PID: 6712)
      • Setup.exe (PID: 2576)
      • iTopVPN.exe (PID: 6236)
    • Creates files in the program directory

      • Setup.exe (PID: 2576)
      • ugin.exe (PID: 872)
      • iTopVPN_ptblogseo825_setup.tmp (PID: 3900)
      • ugin.exe (PID: 6712)
      • iTopVPN.exe (PID: 6992)
      • unpr.exe (PID: 6928)
      • ugin.exe (PID: 1748)
      • iTopDownloader.exe (PID: 6840)
      • atud.exe (PID: 4040)
      • iTopVPN.exe (PID: 6236)
    • Reads the machine GUID from the registry

      • Setup.exe (PID: 2576)
      • ugin.exe (PID: 872)
      • ugin.exe (PID: 6712)
      • icop64.exe (PID: 7040)
      • unpr.exe (PID: 6928)
      • iTopDownloader.exe (PID: 6840)
      • iTopVPN.exe (PID: 6236)
      • aud.exe (PID: 6004)
      • aud.exe (PID: 1688)
      • atud.exe (PID: 4040)
      • iTopVPNMini.exe (PID: 6776)
    • Creates a software uninstall entry

      • iTopVPN_ptblogseo825_setup.tmp (PID: 3900)
    • Reads Microsoft Office registry keys

      • explorer.exe (PID: 4552)
    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 4552)
    • Disables trace logs

      • netsh.exe (PID: 5644)
    • Process checks whether UAC notifications are on

      • iTopVPN.exe (PID: 6236)
    • Process checks Internet Explorer phishing filters

      • iTopVPN.exe (PID: 6236)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (42.6)
.exe | Win16/32 Executable Delphi generic (19.5)
.exe | Generic Win/DOS Executable (18.9)
.exe | DOS Executable Generic (18.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2015:07:16 13:24:20+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 65024
InitializedDataSize: 75264
UninitializedDataSize: -
EntryPoint: 0x113bc
OSVersion: 5
ImageVersion: 6
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 6.0.0.5688
ProductVersionNumber: 6.0.0.5688
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: iTop Inc.
FileDescription: iTop VPN
FileVersion: 6.0.0.5688
LegalCopyright: © iTop Inc. All rights reserved.
ProductName: iTopVPN
ProductVersion: 6.0.0.5688
No data.
All screenshots are available in the full report
Total processes: 169
Monitored processes: 57
Malicious processes: 9
Suspicious processes: 3

Behavior graph

  • start
  • itopvpn_ptblogseo825_setup.exe
  • itopvpn_ptblogseo825_setup.tmp (no specs)
  • itopvpn_ptblogseo825_setup.exe
  • itopvpn_ptblogseo825_setup.tmp
  • ugin.exe
  • svchost.exe
  • setup.exe
  • itopvpn_ptblogseo825_setup.exe
  • itopvpn_ptblogseo825_setup.tmp
  • ugin.exe (no specs)
  • taskkill.exe (no specs)
  • conhost.exe (no specs)
  • ugin.exe (no specs)
  • ugin.exe (no specs)
  • ullc.exe
  • conhost.exe (no specs)
  • itopvpn.exe
  • ugin.exe
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • sc.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • sc.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • sc.exe (no specs)
  • icop64.exe
  • ugin.exe (no specs)
  • ugin.exe (no specs)
  • unpr.exe
  • ugin.exe (no specs)
  • itopdownloader.exe
  • itopvpn.exe
  • atud.exe
  • aud.exe
  • aud.exe
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • ipconfig.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • netsh.exe (no specs)
  • itopvpnmini.exe
  • secedit.exe (no specs)
  • conhost.exe (no specs)
  • secedit.exe (no specs)
  • conhost.exe (no specs)
  • sc.exe (no specs)
  • conhost.exe (no specs)
  • sc.exe (no specs)
  • conhost.exe (no specs)
  • sc.exe (no specs)
  • conhost.exe (no specs)
  • sc.exe (no specs)
  • conhost.exe (no specs)
  • explorer.exe

Process information

PID: 448
CMD: cmd.exe /c sc delete windivert
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: ugin.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 1060
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Images:
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 872
CMD: "C:\Users\admin\AppData\Local\Temp\is-RNSF8.tmp\ugin.exe" /InitTop /install /ver 6.0.0.5688 /inspkg "C:\Users\admin\Desktop\iTopVPN_ptblogseo825_setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-RNSF8.tmp\ugin.exe
Parent process: iTopVPN_ptblogseo825_setup.tmp
User: admin
Company: iTop Inc.
Integrity Level: HIGH
Description: iTop VPN
Exit code: 0
Version: 6.0.0.5677
Images:
c:\users\admin\appdata\local\temp\is-rnsf8.tmp\ugin.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
PID: 940
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Images:
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1432
CMD: sc delete windivert
Path: C:\Windows\SysWOW64\sc.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Service Control Manager Configuration Tool
Exit code: 1060
Version: 10.0.19041.1 (WinBuild.160101.0800)
Images:
c:\windows\syswow64\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 1440
CMD: secedit /export /cfg C:\Users\admin\AppData\Local\Temp\3353.inf /log C:\Users\admin\AppData\Local\Temp\4498.log
Path: C:\Windows\System32\SecEdit.exe
Parent process: iTopVPN.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Security Configuration Editor Command Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Images:
c:\windows\system32\secedit.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\scecli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 1608
CMD: "C:\Users\admin\Desktop\iTopVPN_ptblogseo825_setup.exe" /SPAWNWND=$150378 /NOTIFYWND=$903A4
Path: C:\Users\admin\Desktop\iTopVPN_ptblogseo825_setup.exe
Parent process: iTopVPN_ptblogseo825_setup.tmp
User: admin
Company: iTop Inc.
Integrity Level: HIGH
Description: iTop VPN
Exit code: 0
Version: 6.0.0.5688
Images:
c:\users\admin\desktop\itopvpn_ptblogseo825_setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
PID: 1688
CMD: "C:\Program Files (x86)\iTop VPN\aud.exe" /itop /dayactive
Path: C:\Program Files (x86)\iTop VPN\aud.exe
Parent process: iTopVPN.exe
User: admin
Company: iTop Inc.
Integrity Level: HIGH
Description: iTop VPN
Exit code: 0
Version: 6.0.0.5378
Images:
c:\program files (x86)\itop vpn\aud.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
PID: 1748
CMD: "C:\Program Files (x86)\iTop VPN\ugin.exe" /combinslog "C:\Users\admin\AppData\Local\Temp\Setup Log 2024-09-02 #002.txt"
Path: C:\Program Files (x86)\iTop VPN\ugin.exe
Parent process: iTopVPN_ptblogseo825_setup.tmp
User: admin
Company: iTop Inc.
Integrity Level: HIGH
Description: iTop VPN
Exit code: 0
Version: 6.0.0.5677
Images:
c:\program files (x86)\itop vpn\ugin.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
PID: 1964
CMD: "C:\Users\admin\AppData\Local\Temp\is-9CVNE.tmp\ugin.exe" /kill
Path: C:\Users\admin\AppData\Local\Temp\is-9CVNE.tmp\ugin.exe
Parent process: iTopVPN_ptblogseo825_setup.tmp
User: admin
Company: iTop Inc.
Integrity Level: HIGH
Description: iTop VPN
Exit code: 0
Version: 6.0.0.5677
Images:
c:\users\admin\appdata\local\temp\is-9cvne.tmp\ugin.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
PID: 2024
CMD: "C:\Program Files (x86)\iTop VPN\ugin.exe" /kill /updagrade
Path: C:\Program Files (x86)\iTop VPN\ugin.exe
Parent process: iTopVPN_ptblogseo825_setup.tmp
User: admin
Company: iTop Inc.
Integrity Level: HIGH
Description: iTop VPN
Exit code: 0
Version: 6.0.0.5677
Images:
c:\program files (x86)\itop vpn\ugin.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
Total events: 31 917
Read events: 31 774
Write events: 127
Delete events: 16

Modification events

(PID) Process: (4552) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000604DA
Operation: write
Name: VirtualDesktop
Value: 1000000030304456033BCEE44DE41B4E8AEC331E84F566D2

(PID) Process: (4552) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000006039C
Operation: write
Name: VirtualDesktop
Value: 1000000030304456033BCEE44DE41B4E8AEC331E84F566D2

(PID) Process: (4552) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000007026A
Operation: write
Name: VirtualDesktop
Value: 1000000030304456033BCEE44DE41B4E8AEC331E84F566D2

(PID) Process: (4552) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000007026A
Operation: delete key
Name: (default)
Value:

(PID) Process: (6956) iTopVPN_ptblogseo825_setup.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (6956) iTopVPN_ptblogseo825_setup.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (6956) iTopVPN_ptblogseo825_setup.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (6956) iTopVPN_ptblogseo825_setup.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (4552) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000008026A
Operation: write
Name: VirtualDesktop
Value: 1000000030304456033BCEE44DE41B4E8AEC331E84F566D2

(PID) Process: (4552) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000008026A
Operation: delete key
Name: (default)
Value:
Executable files: 86
Suspicious files: 55
Text files: 229
Unknown types: 4

Dropped files

PID | Process | Filename | Type

3984 | iTopVPN_ptblogseo825_setup.exe | C:\Users\admin\AppData\Local\Temp\is-AN505.tmp\iTopVPN_ptblogseo825_setup.tmp | executable
MD5: 7F7631A8B8EA62BEED1E127167CCCB2E
SHA256: E6B2ACD0738623318F2A5A0AF0318B069623FC3455339643DA45B67A148C7C96

6956 | iTopVPN_ptblogseo825_setup.tmp | C:\Users\admin\AppData\Local\Temp\is-RNSF8.tmp\_isetup\_shfoldr.dll | executable
MD5: 92DC6EF532FBB4A5C3201469A5B5EB63
SHA256: 9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87

6956 | iTopVPN_ptblogseo825_setup.tmp | C:\Users\admin\AppData\Local\Temp\is-RNSF8.tmp\winid.dat | text
MD5: 1A3221FC31DCCB79171C8D028B5D33F9
SHA256: 5A63097DA5E0D08B47D0CAF1DB6D72C24B8A45617537C62238E89C1EF71F610F

2576 | Setup.exe | C:\ProgramData\iTop VPN\Setup.log | binary
MD5: BB00D65B4155E1B5AB92ACF62249CE71
SHA256: C65F50A741869DB27789C89DE8BFAC7A7374949EDE8431A1A1283F28E483B01B

872 | ugin.exe | C:\ProgramData\iTop VPN\NpGic.itdt | binary
MD5: 0623736967B1F27866CAE47B3FD048AA
SHA256: 23D9E99F169500D167E2464485CF3EF381419F2E99B92319C6F0ED4C19027807

6956 | iTopVPN_ptblogseo825_setup.tmp | C:\Users\admin\AppData\Local\Temp\Setup Log 2024-09-02 #001.txt | text
MD5: 5F125C5336A482D6A97D6C3C0F98B2E9
SHA256: 3803905E717E3442D55759024FF0E5E307E38DCCADE042AD9171AEE6FAF7D034

2576 | Setup.exe | C:\Users\admin\AppData\Local\Temp\is-RNSF8.tmp\Setup.log | text
MD5: 4E431FCB0AD93D2718378CEA8CD31833
SHA256: 5D544A325FF7BB1968D3E6B53CEF7F6808D530813F575011462FF9256795301A

2576 | Setup.exe | C:\Users\admin\AppData\Local\Temp\Installerupt45537.0482148148.ini | text
MD5: 083103A8832435EE45E3BD0E42F6BD48
SHA256: 58FDEE34364FB78BE47A7CEF36635BE68AF416ED8921AD3FB490986C06269E58

2576 | Setup.exe | C:\ProgramData\iTop\itoppromotion.ini | text
MD5: F3B25701FE362EC84616A93A45CE9998
SHA256: B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209

6956 | iTopVPN_ptblogseo825_setup.tmp | C:\Users\admin\AppData\Local\Temp\is-RNSF8.tmp\libcrypto-1_1.dll | executable
MD5: 153E591BE14112032056763FF4989A09
SHA256: E0AD8F26D4E6FE47347FBF0FCE1875E4A4FD7F3B923647548D3FC6F815AF2D6A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 174
TCP/UDP connections: 188
DNS requests: 13
Threats: 181

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
6928 | unpr.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/json/ | unknown | - | - | shared
872 | ugin.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/json/ | unknown | - | - | shared
2576 | Setup.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/json/ | unknown | - | - | shared
- | - | GET | 200 | 152.199.23.214:443 | https://update.itopvpn.com/infofiles/itop/update-freef6.upt | unknown | binary | 5.25 Kb | unknown
- | - | POST | 200 | 52.1.82.23:443 | https://stats.itopvpn.com/install.php | unknown | text | 19 b | unknown
- | - | GET | 200 | 152.199.23.214:443 | https://update.itopvpn.com/infofiles/itop/freeware.upt | unknown | ini | 9.99 Kb | unknown
- | - | GET | 200 | 3.229.82.147:443 | https://stats.itopvpn.com/downloader/dl_stat.php?action=get-token | unknown | text | 24 b | unknown
- | - | GET | 200 | 52.71.107.83:443 | https://interface.iobit.com/ac/geturl.php?getid=reco_isr | unknown | binary | 173 b | unknown
- | - | GET | 206 | 152.199.23.214:443 | https://update.itopvpn.com/infofiles/itop/itopfinstaller.zlb | unknown | binary | 48.7 Kb | unknown
- | - | GET | 200 | 152.199.23.214:443 | https://update.itopvpn.com/infofiles/itop/itopfinstaller.zlb | unknown | binary | 195 Kb | unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 51.104.136.2:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3888 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
872 | ugin.exe | 208.95.112.1:80 | ip-api.com | TUT-AS | US | shared
872 | ugin.exe | 152.199.23.214:443 | update.itopvpn.com | EDGECAST | US | malicious
2576 | Setup.exe | 208.95.112.1:80 | ip-api.com | TUT-AS | US | shared
2576 | Setup.exe | 152.199.23.214:443 | update.itopvpn.com | EDGECAST | US | malicious
2576 | Setup.exe | 152.199.20.140:443 | update.iobit.com | EDGECAST | US | whitelisted
2576 | Setup.exe | 52.1.82.23:443 | stats.itopvpn.com | AMAZON-AES | US | malicious

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.78
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
ip-api.com
  • 208.95.112.1
shared
update.itopvpn.com
  • 152.199.23.214
malicious
update.iobit.com
  • 152.199.20.140
whitelisted
stats.itopvpn.com
  • 52.1.82.23
  • 3.229.82.147
malicious
interface.iobit.com
  • 54.167.187.36
  • 52.71.107.83
unknown
api.itopvpn.com
  • 13.248.190.80
  • 76.223.44.67
malicious
s3.amazonaws.com
  • 16.182.97.16
  • 54.231.198.168
  • 16.15.193.246
  • 52.217.205.64
  • 52.217.4.78
  • 54.231.234.200
  • 52.217.227.144
  • 52.216.213.152
shared
update.downloaditop.com
  • 152.199.23.214
unknown

Threats

PID | Process | Class | Message
2256 | svchost.exe | Device Retrieving External IP Address Detected | INFO [ANY.RUN] External IP Check (ip-api .com)
2256 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
872 | ugin.exe | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup ip-api.com
872 | ugin.exe | Potentially Bad Traffic | ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
- | - | Potentially Bad Traffic | ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
2576 | Setup.exe | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup ip-api.com
2576 | Setup.exe | Potentially Bad Traffic | ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
- | - | Potentially Bad Traffic | ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
- | - | Potentially Bad Traffic | ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
- | - | Potentially Bad Traffic | ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)

Process | Message
Setup.exe | time1
Setup.exe | doFinshedEvent_Freeware 0
Setup.exe | time3
Setup.exe | Success
Setup.exe | Order: isr
Setup.exe | ProductVersion: 6.0.0.5688
Setup.exe | Chk_ver_min
Setup.exe | Chk_ver_max
Setup.exe | CheckSameVerList
Setup.exe | CheckLicense