Malware analysis http://update.downloaditop.com/dl/action-center/iTopF540-20240322.exe Malicious activity

Add for printing

URL:	http://update.downloaditop.com/dl/action-center/iTopF540-20240322.exe
Full analysis:	https://app.any.run/tasks/03f744f9-fe3a-4ac1-aca5-6d0073e07f75
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Malware Trends Tracker >>>
Analysis date:	April 04, 2024, 15:59:29
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	evasion loader
Indicators:
MD5:	C2AD78F97010F57F1F84A22683091075
SHA1:	EA884695E0C29F7DD7F9990D38D30B914C93D43F
SHA256:	DB91E939F85F2392130F8EDA566DFEA475BE59AF17115062EBE2FDFA78D8CF50
SSDEEP:	3:N1KLQRAAEKRRKgK/uxLbKGR2V9Cn:CUfEyKmFRy9Cn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.19596 KB4534251
Adobe Acrobat Reader DC (20.013.20064)
Adobe Acrobat Reader DC (20.013.20064)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Refresh Manager (1.8.0)
Adobe Refresh Manager (1.8.0)
CCleaner (6.14)
CCleaner (6.14)
FileZilla 3.65.0 (3.65.0)
FileZilla 3.65.0 (3.65.0)
Google Chrome (109.0.5414.120)
Google Chrome (109.0.5414.120)
Google Update Helper (1.3.36.31)
Google Update Helper (1.3.36.31)
Java 8 Update 271 (8.0.2710.9)
Java 8 Update 271 (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Java Auto Updater (2.8.271.9)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft Edge (109.0.1518.115)
Microsoft Edge (109.0.1518.115)
Microsoft Edge Update (1.3.175.29)
Microsoft Edge Update (1.3.175.29)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Maintenance Service (115.0.2)
Mozilla Maintenance Service (115.0.2)
Notepad++ (32-bit x86) (7.9.1)
Notepad++ (32-bit x86) (7.9.1)
PowerShell 7-x86 (7.2.11.0)
PowerShell 7-x86 (7.2.11.0)
Skype version 8.110 (8.110)
Skype version 8.110 (8.110)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
VLC media player (3.0.11)
VLC media player (3.0.11)
WinRAR 5.91 (32-bit) (5.91.0)
WinRAR 5.91 (32-bit) (5.91.0)

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - iTopF540-20240322.exe (PID: 2152)
  - iTopF540-20240322.exe (PID: 1808)
  - iTopF540-20240322.tmp (PID: 3324)
  - iTopF540-20240322.exe (PID: 924)
  - iTopF540-20240322.tmp (PID: 2568)
  - ugin.exe (PID: 4092)
  - iTopDownloader.exe (PID: 3268)
  - iTopDataRecovery.exe (PID: 3816)
  - atud.exe (PID: 3428)
  - iTopDataRecovery.tmp (PID: 3288)
  - Autoupdate.exe (PID: 2104)
- Application was injected by another process
  - explorer.exe (PID: 1164)
- Runs injected code in another process
  - icop32.exe (PID: 1428)
  - ICONPIN32.exe (PID: 3048)
- Steals credentials from Web Browsers
  - iTopVPN.exe (PID: 3876)
- Actions looks like stealing of personal data
  - iTopVPN.exe (PID: 3876)
SUSPICIOUS
- Process drops legitimate windows executable
  - iTopF540-20240322.tmp (PID: 3324)
  - iTopF540-20240322.tmp (PID: 2568)
  - iTopDataRecovery.tmp (PID: 3288)
- Reads the Windows owner or organization settings
  - iTopF540-20240322.tmp (PID: 3324)
  - iTopF540-20240322.tmp (PID: 2568)
  - iTopDataRecovery.tmp (PID: 3288)
- Reads security settings of Internet Explorer
  - iTopF540-20240322.tmp (PID: 3324)
  - iTopF540-20240322.tmp (PID: 2568)
  - ugin.exe (PID: 4092)
  - Setup.exe (PID: 2484)
  - iTopVPN.exe (PID: 3876)
  - iTopDownloader.exe (PID: 3268)
  - iTopDataRecovery.tmp (PID: 3288)
  - IdrInit.exe (PID: 3940)
  - iTopDataRecovery.exe (PID: 3448)
  - Autoupdate.exe (PID: 2104)
  - atud.exe (PID: 3428)
  - onlinesr_en.exe (PID: 3204)
- Checks for external IP
  - ugin.exe (PID: 2724)
  - ugin.exe (PID: 4092)
  - unpr.exe (PID: 2980)
  - UninstallInfo.exe (PID: 920)
  - itopeasterp24.exe (PID: 3740)
- Reads the Internet Settings
  - iTopF540-20240322.tmp (PID: 3324)
  - iTopF540-20240322.tmp (PID: 2568)
  - ugin.exe (PID: 4092)
  - Setup.exe (PID: 2484)
  - iTopVPN.exe (PID: 3876)
  - iTopDownloader.exe (PID: 3268)
  - iTopDataRecovery.tmp (PID: 3288)
  - IdrInit.exe (PID: 3940)
  - iTopDataRecovery.exe (PID: 3448)
  - Autoupdate.exe (PID: 2104)
  - atud.exe (PID: 3428)
  - onlinesr_en.exe (PID: 3204)
- Uses TASKKILL.EXE to kill process
  - iTopF540-20240322.tmp (PID: 2568)
- Starts SC.EXE for service management
  - cmd.exe (PID: 1172)
  - cmd.exe (PID: 668)
  - cmd.exe (PID: 3492)
  - cmd.exe (PID: 2488)
  - cmd.exe (PID: 2372)
  - cmd.exe (PID: 3256)
  - cmd.exe (PID: 2268)
  - cmd.exe (PID: 3016)
  - cmd.exe (PID: 2828)
  - cmd.exe (PID: 1652)
  - cmd.exe (PID: 1604)
  - cmd.exe (PID: 2556)
- Process drops SQLite DLL files
  - iTopF540-20240322.tmp (PID: 2568)
  - iTopDataRecovery.tmp (PID: 3288)
- Starts CMD.EXE for commands execution
  - ugin.exe (PID: 4092)
  - iTopVPN.exe (PID: 3876)
  - iTopDataRecovery.tmp (PID: 3288)
- Application launched itself
  - ugin.exe (PID: 4092)
- Non-standard symbols in registry
  - explorer.exe (PID: 1164)
  - iTopVPN.exe (PID: 3876)
- Process uses IPCONFIG to clear DNS cache
  - cmd.exe (PID: 3488)
- Process requests binary or script from the Internet
  - iTopDownloader.exe (PID: 3268)
  - Autoupdate.exe (PID: 2104)
- Searches for installed software
  - iTopVPN.exe (PID: 3876)
  - onlinesr_en.exe (PID: 3204)
  - itopeasterp24.exe (PID: 3740)
- Connects to unusual port
  - iTopVPN.exe (PID: 3876)
- The process verifies whether the antivirus software is installed
  - iTopVPN.exe (PID: 3876)
- Executes as Windows Service
  - IDRService.exe (PID: 1168)
INFO
- Reads security settings of Internet Explorer
  - explorer.exe (PID: 1164)
- Checks supported languages
  - iTopF540-20240322.exe (PID: 2152)
  - iTopF540-20240322.tmp (PID: 1976)
  - iTopF540-20240322.exe (PID: 1808)
  - iTopF540-20240322.tmp (PID: 3324)
  - ugin.exe (PID: 2724)
  - Setup.exe (PID: 2484)
  - ugin.exe (PID: 952)
  - iTopF540-20240322.tmp (PID: 2568)
  - iTopF540-20240322.exe (PID: 924)
  - ugin.exe (PID: 2656)
  - ullc.exe (PID: 268)
  - ugin.exe (PID: 4092)
  - iTopVPN.exe (PID: 2736)
  - ugin.exe (PID: 3312)
  - unpr.exe (PID: 2980)
  - ugin.exe (PID: 3560)
  - ugin.exe (PID: 3604)
  - icop32.exe (PID: 1428)
  - ugin.exe (PID: 3844)
  - iTopDownloader.exe (PID: 3268)
  - iTopVPN.exe (PID: 3876)
  - iTopVPN.exe (PID: 3868)
  - atud.exe (PID: 3428)
  - aud.exe (PID: 2648)
  - aud.exe (PID: 2124)
  - iTopVPNMini.exe (PID: 3308)
  - iTopDataRecovery.exe (PID: 3816)
  - iTopDataRecovery.tmp (PID: 3288)
  - LocalLang.exe (PID: 1584)
  - iTopInsur.exe (PID: 128)
  - IdrInit.exe (PID: 3940)
  - iTopInsur.exe (PID: 952)
  - UninstallInfo.exe (PID: 920)
  - IDRService.exe (PID: 1168)
  - iTopDataRecovery.exe (PID: 3448)
  - Autoupdate.exe (PID: 2104)
  - ICONPIN32.exe (PID: 3048)
  - AUpdate.exe (PID: 1836)
  - AUpdate.exe (PID: 2396)
  - itopeasterp24.exe (PID: 3740)
  - onlinesr_en.exe (PID: 2804)
  - Newfts.exe (PID: 1220)
  - onlinesr_en.exe (PID: 3204)
  - ugin.exe (PID: 796)
  - itopeasterp24.exe (PID: 4080)
- Reads the computer name
  - iTopF540-20240322.tmp (PID: 1976)
  - iTopF540-20240322.tmp (PID: 3324)
  - ugin.exe (PID: 2724)
  - Setup.exe (PID: 2484)
  - iTopF540-20240322.tmp (PID: 2568)
  - ugin.exe (PID: 952)
  - iTopVPN.exe (PID: 2736)
  - ugin.exe (PID: 3312)
  - ugin.exe (PID: 2656)
  - ugin.exe (PID: 4092)
  - ugin.exe (PID: 3604)
  - ugin.exe (PID: 3560)
  - unpr.exe (PID: 2980)
  - ugin.exe (PID: 3844)
  - iTopDownloader.exe (PID: 3268)
  - iTopVPN.exe (PID: 3868)
  - iTopVPN.exe (PID: 3876)
  - aud.exe (PID: 2124)
  - atud.exe (PID: 3428)
  - aud.exe (PID: 2648)
  - iTopVPNMini.exe (PID: 3308)
  - iTopDataRecovery.tmp (PID: 3288)
  - iTopInsur.exe (PID: 128)
  - IdrInit.exe (PID: 3940)
  - iTopInsur.exe (PID: 952)
  - UninstallInfo.exe (PID: 920)
  - iTopDataRecovery.exe (PID: 3448)
  - IDRService.exe (PID: 1168)
  - Autoupdate.exe (PID: 2104)
  - AUpdate.exe (PID: 1836)
  - AUpdate.exe (PID: 2396)
  - onlinesr_en.exe (PID: 3204)
  - itopeasterp24.exe (PID: 3740)
  - onlinesr_en.exe (PID: 2804)
  - Newfts.exe (PID: 1220)
  - ugin.exe (PID: 796)
  - itopeasterp24.exe (PID: 4080)
- Modifies the phishing filter of IE
  - iexplore.exe (PID: 2120)
- Create files in a temporary directory
  - iTopF540-20240322.exe (PID: 1808)
  - iTopF540-20240322.tmp (PID: 3324)
  - iTopF540-20240322.exe (PID: 2152)
  - Setup.exe (PID: 2484)
  - iTopF540-20240322.exe (PID: 924)
  - iTopF540-20240322.tmp (PID: 2568)
  - icop32.exe (PID: 1428)
  - explorer.exe (PID: 1164)
  - iTopDataRecovery.exe (PID: 3816)
  - iTopDataRecovery.tmp (PID: 3288)
  - SecEdit.exe (PID: 1780)
  - SecEdit.exe (PID: 1928)
  - iTopVPN.exe (PID: 3876)
  - ICONPIN32.exe (PID: 3048)
- Drops the executable file immediately after the start
  - iexplore.exe (PID: 3276)
- The process uses the downloaded file
  - iexplore.exe (PID: 2120)
- Application launched itself
  - iexplore.exe (PID: 2120)
- Creates files or folders in the user directory
  - ugin.exe (PID: 2724)
  - iTopF540-20240322.tmp (PID: 2568)
  - iTopVPN.exe (PID: 2736)
  - explorer.exe (PID: 1164)
  - iTopVPN.exe (PID: 3876)
  - atud.exe (PID: 3428)
  - iTopVPNMini.exe (PID: 3308)
  - iTopDataRecovery.tmp (PID: 3288)
  - iTopInsur.exe (PID: 128)
  - Autoupdate.exe (PID: 2104)
- Creates files in the program directory
  - ugin.exe (PID: 2724)
  - iTopF540-20240322.tmp (PID: 2568)
  - Setup.exe (PID: 2484)
  - iTopVPN.exe (PID: 2736)
  - ugin.exe (PID: 4092)
  - ugin.exe (PID: 3844)
  - iTopDownloader.exe (PID: 3268)
  - unpr.exe (PID: 2980)
  - iTopVPN.exe (PID: 3876)
  - atud.exe (PID: 3428)
  - iTopDataRecovery.tmp (PID: 3288)
  - iTopInsur.exe (PID: 128)
  - UninstallInfo.exe (PID: 920)
  - IDRService.exe (PID: 1168)
  - iTopDataRecovery.exe (PID: 3448)
  - Autoupdate.exe (PID: 2104)
  - AUpdate.exe (PID: 1836)
  - onlinesr_en.exe (PID: 3204)
- Manual execution by a user
  - explorer.exe (PID: 1772)
- Reads the machine GUID from the registry
  - Setup.exe (PID: 2484)
  - ugin.exe (PID: 2724)
  - ugin.exe (PID: 4092)
  - icop32.exe (PID: 1428)
  - unpr.exe (PID: 2980)
  - iTopDownloader.exe (PID: 3268)
  - iTopVPN.exe (PID: 3876)
  - aud.exe (PID: 2124)
  - aud.exe (PID: 2648)
  - atud.exe (PID: 3428)
  - iTopVPNMini.exe (PID: 3308)
  - ICONPIN32.exe (PID: 3048)
  - Autoupdate.exe (PID: 2104)
  - AUpdate.exe (PID: 2396)
  - AUpdate.exe (PID: 1836)
  - onlinesr_en.exe (PID: 3204)
  - ugin.exe (PID: 796)
- Creates a software uninstall entry
  - iTopF540-20240322.tmp (PID: 2568)
  - iTopDataRecovery.tmp (PID: 3288)
- Process checks whether UAC notifications are on
  - iTopVPN.exe (PID: 3876)
- Process checks Internet Explorer phishing filters
  - iTopVPN.exe (PID: 3876)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

142

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

128

"C:\Program Files\iTop Data Recovery\iTopInsur.exe" /SetLicenseStatus

C:\Program Files\iTop Data Recovery\iTopInsur.exe

iTopDataRecovery.tmp

User:

admin

Company:

iTop Inc.

Integrity Level:

HIGH

Description:

iTop Insur

Exit code:

Version:

1.0.0.99

Modules

Images
c:\program files\itop data recovery\itopinsur.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

268

"C:\Program Files\iTop VPN\ullc.exe"

C:\Program Files\iTop VPN\ullc.exe

iTopF540-20240322.tmp

User:

admin

Company:

iTop Inc.

Integrity Level:

HIGH

Description:

User Local Language Check

Exit code:

Version:

1.0.0.1

Modules

Images
c:\program files\itop vpn\ullc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

668

cmd.exe /c sc delete windivert

C:\Windows\System32\cmd.exe

—

ugin.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

1060

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

796

"C:\Program Files\iTop VPN\ugin.exe" /postbnst

C:\Program Files\iTop VPN\ugin.exe

onlinesr_en.exe

User:

admin

Company:

iTop Inc.

Integrity Level:

HIGH

Description:

iTop VPN

Exit code:

Version:

5.0.0.5132

Modules

Images
c:\program files\itop vpn\ugin.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

920

"C:\Program Files\iTop Data Recovery\UninstallInfo.exe" /install idr4

C:\Program Files\iTop Data Recovery\UninstallInfo.exe

iTopDataRecovery.tmp

User:

admin

Company:

iTop Inc.

Integrity Level:

HIGH

Description:

UninstallInfo

Exit code:

Version:

1.0.0.349

Modules

Images
c:\program files\itop data recovery\uninstallinfo.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

924

"C:\Users\admin\Downloads\iTopF540-20240322.exe" /sp- /verysilent /norestart /Installer /silenthide /insthandle=1311122 /DIR="C:\Program Files\iTop VPN" /quicklaunchicon

C:\Users\admin\Downloads\iTopF540-20240322.exe

—

Setup.exe

User:

admin

Company:

iTop Inc.

Integrity Level:

HIGH

Description:

iTop VPN

Exit code:

Version:

5.4.0.5166

Modules

Images
c:\users\admin\downloads\itopf540-20240322.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

952

"C:\Users\admin\AppData\Local\Temp\is-B5M2V.tmp\ugin.exe" /kill

C:\Users\admin\AppData\Local\Temp\is-B5M2V.tmp\ugin.exe

—

iTopF540-20240322.tmp

User:

admin

Company:

iTop Inc.

Integrity Level:

HIGH

Description:

iTop VPN

Exit code:

Version:

5.0.0.5132

Modules

Images
c:\users\admin\appdata\local\temp\is-b5m2v.tmp\ugin.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

952

"C:\Program Files\iTop Data Recovery\iTopInsur.exe" /insur=itopf_in /reinstall=0 /regkeynameinsur="iTop Data Recovery" /writeregWow6432Node=0

C:\Program Files\iTop Data Recovery\iTopInsur.exe

IdrInit.exe

User:

admin

Company:

iTop Inc.

Integrity Level:

HIGH

Description:

iTop Insur

Exit code:

Version:

1.0.0.99

Modules

Images
c:\program files\itop data recovery\itopinsur.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

1164

C:\Windows\Explorer.EXE

C:\Windows\explorer.exe

—

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Explorer

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll

1168

"C:\Program Files\iTop Data Recovery\IDRService.exe"

C:\Program Files\iTop Data Recovery\IDRService.exe

services.exe

User:

SYSTEM

Company:

iTop Inc.

Integrity Level:

SYSTEM

Description:

iTop Data Recovery Service

Version:

4.0.0.168

Modules

Images
c:\program files\itop data recovery\idrservice.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

Add for printing

Total events

75 028

Read events

74 257

Write events

715

Delete events

Modification events


(PID) Process:	(1164) explorer.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0
Operation:	write	Name:	CheckSetting
Value: 01000000D08C9DDF0115D1118C7A00C04FC297EB010000007B491E9E3F828A4F8555DF724FABDA1300000000020000000000106600000001000020000000AB81FAB992C8586DF934AD8D8B9F4BC1A16C73E14E6DC19B39098D43DCB49140000000000E800000000200002000000047F99DF10EEB56343235443ACFCC0293284900C61FAA8AF1206F7BDA4933E374300000000BB41B8A1289B6D5B06FF1470F5FBAE6F078FCBF8C0852728CD7D09E22F7B65CC645BEF3670F6AF58494B32792753DF44000000058369D6CAAD8B8A19FF2D9CB8D13A3B602472ED69E359D34AD8609BD96E67FEF659DCE3139F8F0E6DF31FE0577781AAB885984F01EE8F68C9899F7C17FDB6769
(PID) Process:	(1164) explorer.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
Operation:	write	Name:	Zvpebfbsg.VagreargRkcybere.Qrsnhyg
Value: 000000003F0000004B0000008E0F0D00000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFF00FEAE759EB1D60100000000
(PID) Process:	(1164) explorer.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
Operation:	write	Name:	HRZR_PGYFRFFVBA
Value: 00000000D70100004D0300001B8D9501440000008A0000009B7032007B00460033003800420046003400300034002D0031004400340033002D0034003200460032002D0039003300300035002D003600370044004500300042003200380046004300320033007D005C006500780070006C006F007200650072002E0065007800650000000000000070E35D01FFFFFFFF00A92300FFFFFFFF7059E07400000000000000000CE35D017C90DC74000400000000000070E35D01FFFFFFFF00A92300FFFFFFFFA8F82300ACF92300F8A823003CE35D01F7AF8B7580D0BE757CF05D01081D8C75E4618C75E823220070E35D01D08723007000000019BDDC3D50E35D01A1698C75E823220070E35D01000000007CE55D013F618C75E823220070E35D0100000400000000804C618C75E823220063003A005C00750073006500720073005C00610064006D0069006E005C0061007000700064006100740061005C0072006F0061006D0069006E0067005C006D006900630072006F0073006F00660074005C0069006E007400650072006E006500740020006500780070006C006F007200650072005C0071007500690063006B0020006C00610075006E0063001100000090522200885222002000700069006E006E00650064005C0088E4000005BADC3D38E45D015E908C7588E45D013CE45D0103948C75000000001C80470264E45D01A9938C751C80470210E55D01907B4702BD938C7500000000907B470210E55D016CE45D01440000008A0000009B7032007B00460033003800420046003400300034002D0031004400340033002D0034003200460032002D0039003300300035002D003600370044004500300042003200380046004300320033007D005C006500780070006C006F007200650072002E0065007800650000000000000070E35D01FFFFFFFF00A92300FFFFFFFF7059E07400000000000000000CE35D017C90DC74000400000000000070E35D01FFFFFFFF00A92300FFFFFFFFA8F82300ACF92300F8A823003CE35D01F7AF8B7580D0BE757CF05D01081D8C75E4618C75E823220070E35D01D08723007000000019BDDC3D50E35D01A1698C75E823220070E35D01000000007CE55D013F618C75E823220070E35D0100000400000000804C618C75E823220063003A005C00750073006500720073005C00610064006D0069006E005C0061007000700064006100740061005C0072006F0061006D0069006E0067005C006D006900630072006F0073006F00660074005C0069006E007400650072006E006500740020006500780070006C006F007200650072005C0071007500690063006B0020006C00610075006E0063001100000090522200885222002000700069006E006E00650064005C0088E4000005BADC3D38E45D015E908C7588E45D013CE45D0103948C75000000001C80470264E45D01A9938C751C80470210E55D01907B4702BD938C7500000000907B470210E55D016CE45D01440000008A0000009B7032007B00460033003800420046003400300034002D0031004400340033002D0034003200460032002D0039003300300035002D003600370044004500300042003200380046004300320033007D005C006500780070006C006F007200650072002E0065007800650000000000000070E35D01FFFFFFFF00A92300FFFFFFFF7059E07400000000000000000CE35D017C90DC74000400000000000070E35D01FFFFFFFF00A92300FFFFFFFFA8F82300ACF92300F8A823003CE35D01F7AF8B7580D0BE757CF05D01081D8C75E4618C75E823220070E35D01D08723007000000019BDDC3D50E35D01A1698C75E823220070E35D01000000007CE55D013F618C75E823220070E35D0100000400000000804C618C75E823220063003A005C00750073006500720073005C00610064006D0069006E005C0061007000700064006100740061005C0072006F0061006D0069006E0067005C006D006900630072006F0073006F00660074005C0069006E007400650072006E006500740020006500780070006C006F007200650072005C0071007500690063006B0020006C00610075006E0063001100000090522200885222002000700069006E006E00650064005C0088E4000005BADC3D38E45D015E908C7588E45D013CE45D0103948C75000000001C80470264E45D01A9938C751C80470210E55D01907B4702BD938C7500000000907B470210E55D016CE45D01
(PID) Process:	(2120) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:	write	Name:	NTPDaysSinceLastAutoMigration
Value: 1
(PID) Process:	(2120) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:	write	Name:	NTPLastLaunchLowDateTime
Value: 398284048
(PID) Process:	(2120) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:	write	Name:	NTPLastLaunchHighDateTime
Value: 31098537
(PID) Process:	(2120) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:	write	Name:	NextCheckForUpdateLowDateTime
Value: 698446548
(PID) Process:	(2120) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:	write	Name:	NextCheckForUpdateHighDateTime
Value: 31098537
(PID) Process:	(2120) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(2120) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:

Add for printing

Executable files

280

Suspicious files

Text files

366

Unknown types

Dropped files

PID	Process	Filename		Type
3276	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\iTopF540-20240322[1].exe		executable
		MD5:—	SHA256:—
2120	iexplore.exe	C:\Users\admin\AppData\Local\Temp\~DF2AEE5AF7D4A00593.TMP		binary
		MD5:—	SHA256:—
2120	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{555E0D95-F29C-11EE-AE0A-12A9866C77DE}.dat		binary
		MD5:—	SHA256:—
2120	iexplore.exe	C:\Users\admin\Downloads\iTopF540-20240322.exe.vlj8zqn.partial:Zone.Identifier		text
		MD5:—	SHA256:—
2120	iexplore.exe	C:\Users\admin\Downloads\iTopF540-20240322.exe		—
		MD5:—	SHA256:—
2120	iexplore.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157		binary
		MD5:—	SHA256:—
2120	iexplore.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776		binary
		MD5:—	SHA256:—
2120	iexplore.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776		binary
		MD5:—	SHA256:—
2120	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verA090.tmp		xml
		MD5:—	SHA256:—
2120	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\urlblockindex[1].bin		binary
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

527

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3276	iexplore.exe	GET	200	152.199.23.214:80	http://update.downloaditop.com/dl/action-center/iTopF540-20240322.exe	unknown	—	—	unknown
2120	iexplore.exe	GET	304	92.122.95.25:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?31055eca6ea3b32e	unknown	—	—	unknown
2120	iexplore.exe	GET	304	92.122.95.25:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?719f0b64dcb4a601	unknown	—	—	unknown
—	—	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	unknown
—	—	GET	304	92.122.95.146:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?f42b4d0af9d9768e	unknown	—	—	unknown
1080	svchost.exe	GET	200	92.122.95.25:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?e2ddf83a2417bb20	unknown	—	—	unknown
1080	svchost.exe	GET	304	92.122.95.25:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?fc91d912a85a08d5	unknown	—	—	unknown
2724	ugin.exe	GET	200	208.95.112.1:80	http://ip-api.com/json/	unknown	—	—	unknown
2120	iexplore.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	unknown
2484	Setup.exe	GET	200	34.117.186.192:80	http://ipinfo.io/	unknown	—	—	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	224.0.0.252:5355	—	—	—	unknown
4	System	192.168.100.255:137	—	—	—	whitelisted
3276	iexplore.exe	152.199.23.214:80	update.downloaditop.com	EDGECAST	US	unknown
1080	svchost.exe	224.0.0.252:5355	—	—	—	unknown
2120	iexplore.exe	152.199.19.161:443	iecvlist.microsoft.com	EDGECAST	US	whitelisted
2120	iexplore.exe	92.122.95.25:80	ctldl.windowsupdate.com	Akamai International B.V.	IT	unknown
2120	iexplore.exe	92.122.95.146:80	ctldl.windowsupdate.com	Akamai International B.V.	IT	unknown
2120	iexplore.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
2724	ugin.exe	208.95.112.1:80	ip-api.com	TUT-AS	US	unknown

DNS requests

Domain	IP	Reputation
update.downloaditop.com	152.199.23.214	unknown
iecvlist.microsoft.com	152.199.19.161	whitelisted
r20swj13mr.microsoft.com	152.199.19.161	whitelisted
ctldl.windowsupdate.com	92.122.95.25 92.122.95.146	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
ip-api.com	208.95.112.1	shared
update.itopvpn.com	152.199.23.214	unknown
ipinfo.io	34.117.186.192	shared
ieonline.microsoft.com	204.79.197.200	whitelisted
go.microsoft.com	2.18.97.227	whitelisted

Threats

PID	Process	Class	Message
3276	iexplore.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
—	—	Potential Corporate Privacy Violation	AV POLICY Internal Host Retrieving External IP Address (ip-api. com)
—	—	Device Retrieving External IP Address Detected	ET POLICY External IP Lookup ip-api.com
—	—	Potentially Bad Traffic	ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
—	—	Potentially Bad Traffic	ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
—	—	Device Retrieving External IP Address Detected	ET POLICY External IP Lookup ipinfo.io
2484	Setup.exe	Potentially Bad Traffic	ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
2484	Setup.exe	Potentially Bad Traffic	ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
2484	Setup.exe	Potentially Bad Traffic	ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
—	—	Potential Corporate Privacy Violation	AV POLICY Internal Host Retrieving External IP Address (ip-api. com)

Add for printing

Process	Message
Setup.exe	time1
Setup.exe	doFinshedEvent_Freeware 0
Setup.exe	time3
Setup.exe	ProductVersion: 5.4.0.5166
Setup.exe	Chk_ver_max
Setup.exe	WinVer 61
Setup.exe	chk_os_ver 110;100;63;62;61
Setup.exe	CheckLicense
Setup.exe	Chk_ver_min
Setup.exe	Order: isr

General Info

http://update.downloaditop.com/dl/action-center/iTopF540-20240322.exe

C2AD78F97010F57F1F84A22683091075

EA884695E0C29F7DD7F9990D38D30B914C93D43F

DB91E939F85F2392130F8EDA566DFEA475BE59AF17115062EBE2FDFA78D8CF50

3:N1KLQRAAEKRRKgK/uxLbKGR2V9Cn:CUfEyKmFRy9Cn

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Application was injected by another process

Runs injected code in another process

Steals credentials from Web Browsers

Actions looks like stealing of personal data

SUSPICIOUS

Process drops legitimate windows executable

Reads the Windows owner or organization settings

Reads security settings of Internet Explorer

Checks for external IP

Reads the Internet Settings

Uses TASKKILL.EXE to kill process

Starts SC.EXE for service management

Process drops SQLite DLL files

Starts CMD.EXE for commands execution

Application launched itself

Non-standard symbols in registry

Process uses IPCONFIG to clear DNS cache

Process requests binary or script from the Internet

Searches for installed software

Connects to unusual port

The process verifies whether the antivirus software is installed

Executes as Windows Service

INFO

Reads security settings of Internet Explorer

Checks supported languages

Reads the computer name

Modifies the phishing filter of IE

Create files in a temporary directory

Drops the executable file immediately after the start

The process uses the downloaded file

Application launched itself

Creates files or folders in the user directory

Creates files in the program directory

Manual execution by a user

Reads the machine GUID from the registry

Creates a software uninstall entry

Process checks whether UAC notifications are on

Process checks Internet Explorer phishing filters

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity