| File name: | ed8cec11c59045b09945cf8b6369687d9acaaacf6d00ba0c6f6d5870099c46d4.exe |
| Full analysis: | https://app.any.run/tasks/79bd58e4-37b6-4c57-a1ef-5fb02fa2fef6 |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | August 01, 2025, 01:23:58 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, 10 sections |
| MD5: | EF3807036F446CC58A66DC5869FA5F6F |
| SHA1: | 38F5070622D7AB47CC2C1DD7C1C8CFC496981B08 |
| SHA256: | ED8CEC11C59045B09945CF8B6369687D9ACAAACF6D00BA0C6F6D5870099C46D4 |
| SSDEEP: | 98304:V/2qKTxgCAsWpihIOOaa7UjA9hGqc5TNoSCDzbPLFTh2YEs0mx4MDkkwS2GfG0c9:jYDe61CPwDv3uF0jibjzLQDp |
MALICIOUS
No malicious indicators.SUSPICIOUS
The process executes via Task Scheduler
- updater.exe (PID: 1212)
Process requests binary or script from the Internet
- ed8cec11c59045b09945cf8b6369687d9acaaacf6d00ba0c6f6d5870099c46d4.exe (PID: 1612)
Reads security settings of Internet Explorer
- ed8cec11c59045b09945cf8b6369687d9acaaacf6d00ba0c6f6d5870099c46d4.exe (PID: 1612)
- ISR_Setup.tmp (PID: 3100)
Executable content was dropped or overwritten
- ISR_Setup.exe (PID: 320)
- ISR_Setup.tmp (PID: 3100)
- ed8cec11c59045b09945cf8b6369687d9acaaacf6d00ba0c6f6d5870099c46d4.exe (PID: 1612)
Reads the Windows owner or organization settings
- ISR_Setup.tmp (PID: 3100)
Process drops legitimate windows executable
- ISR_Setup.tmp (PID: 3100)
Process drops SQLite DLL files
- ISR_Setup.tmp (PID: 3100)
The process drops C-runtime libraries
- ISR_Setup.tmp (PID: 3100)
Application launched itself
- updater.exe (PID: 1212)
INFO
Checks supported languages
- ed8cec11c59045b09945cf8b6369687d9acaaacf6d00ba0c6f6d5870099c46d4.exe (PID: 1612)
- updater.exe (PID: 1212)
- updater.exe (PID: 6392)
- ISR_Setup.exe (PID: 320)
- ISR_Setup.tmp (PID: 3100)
- iScrInit.exe (PID: 2432)
- iScrInit.exe (PID: 1740)
- iScrInit.exe (PID: 4688)
- iScrInit.exe (PID: 6840)
The sample compiled with english language support
- ed8cec11c59045b09945cf8b6369687d9acaaacf6d00ba0c6f6d5870099c46d4.exe (PID: 1612)
- ISR_Setup.tmp (PID: 3100)
Creates files in the program directory
- ed8cec11c59045b09945cf8b6369687d9acaaacf6d00ba0c6f6d5870099c46d4.exe (PID: 1612)
- ISR_Setup.tmp (PID: 3100)
Reads the machine GUID from the registry
- ed8cec11c59045b09945cf8b6369687d9acaaacf6d00ba0c6f6d5870099c46d4.exe (PID: 1612)
Compiled with Borland Delphi (YARA)
- ed8cec11c59045b09945cf8b6369687d9acaaacf6d00ba0c6f6d5870099c46d4.exe (PID: 1612)
- slui.exe (PID: 5764)
- ISR_Setup.exe (PID: 320)
- ISR_Setup.tmp (PID: 3100)
Reads the computer name
- ed8cec11c59045b09945cf8b6369687d9acaaacf6d00ba0c6f6d5870099c46d4.exe (PID: 1612)
- updater.exe (PID: 1212)
- ISR_Setup.tmp (PID: 3100)
- iScrInit.exe (PID: 2432)
- iScrInit.exe (PID: 6840)
- iScrInit.exe (PID: 1740)
- iScrInit.exe (PID: 4688)
Process checks whether UAC notifications are on
- updater.exe (PID: 1212)
Process checks computer location settings
- ed8cec11c59045b09945cf8b6369687d9acaaacf6d00ba0c6f6d5870099c46d4.exe (PID: 1612)
- ISR_Setup.tmp (PID: 3100)
Create files in a temporary directory
- ISR_Setup.exe (PID: 320)
- ISR_Setup.tmp (PID: 3100)
- ed8cec11c59045b09945cf8b6369687d9acaaacf6d00ba0c6f6d5870099c46d4.exe (PID: 1612)
Checks proxy server information
- slui.exe (PID: 5764)
Reads the software policy settings
- slui.exe (PID: 5764)
Detects InnoSetup installer (YARA)
- ISR_Setup.exe (PID: 320)
- ISR_Setup.tmp (PID: 3100)
Creates files or folders in the user directory
- ed8cec11c59045b09945cf8b6369687d9acaaacf6d00ba0c6f6d5870099c46d4.exe (PID: 1612)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | InstallShield setup (45.2) |
|---|---|---|
| .exe | | | Win32 EXE PECompact compressed (generic) (43.6) |
| .exe | | | Win32 Executable (generic) (4.7) |
| .exe | | | Win16/32 Executable Delphi generic (2.1) |
| .exe | | | Generic Win/DOS Executable (2.1) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2025:06:24 10:40:37+00:00 |
| ImageFileCharacteristics: | Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi |
| PEType: | PE32 |
| LinkerVersion: | 2.25 |
| CodeSize: | 2902016 |
| InitializedDataSize: | 4161536 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x2c55bc |
| OSVersion: | 5 |
| ImageVersion: | - |
| SubsystemVersion: | 5 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 6.0.0.63 |
| ProductVersionNumber: | 6.0.0.63 |
| FileFlagsMask: | 0x003f |
| FileFlags: | Pre-release |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Windows, Latin1 |
| CompanyName: | iTop Inc |
| FileDescription: | iTop Screen Recorder |
| FileVersion: | 6.0.0.63 |
| InternalName: | - |
| LegalCopyright: | © iTop Inc. All rights reserved. |
| LegalTrademarks: | iTop Inc. |
| OriginalFileName: | - |
| ProductName: | iTop Screen Recorder |
| ProductVersion: | 6.0.0.0 |
| Comments: | - |
Total processes
145
Monitored processes
11
Malicious processes
3
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 320 | "C:\ProgramData\iTop Screen Recorder\Downloader\ISR_Setup.exe" /VerySilent /DIR="C:\Program Files\iTop Screen Recorder\" /UNINSTALL /INSTALLER /NORESTART /TASKS="desktopicon" /CreateTaskbar /DoNotWirteInsur | C:\ProgramData\iTop Screen Recorder\Downloader\ISR_Setup.exe | ed8cec11c59045b09945cf8b6369687d9acaaacf6d00ba0c6f6d5870099c46d4.exe | ||||||||||||
User: admin Company: iTop Inc. Integrity Level: HIGH Description: iTop Screen Recorder Version: 6.0.0.3395 Modules
| |||||||||||||||
| 1212 | "C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe" --wake --system | C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe | — | svchost.exe | |||||||||||
User: SYSTEM Company: Google LLC Integrity Level: SYSTEM Description: Google Updater Exit code: 0 Version: 134.0.6985.0 Modules
| |||||||||||||||
| 1612 | "C:\Users\admin\Desktop\ed8cec11c59045b09945cf8b6369687d9acaaacf6d00ba0c6f6d5870099c46d4.exe" | C:\Users\admin\Desktop\ed8cec11c59045b09945cf8b6369687d9acaaacf6d00ba0c6f6d5870099c46d4.exe | explorer.exe | ||||||||||||
User: admin Company: iTop Inc Integrity Level: HIGH Description: iTop Screen Recorder Version: 6.0.0.63 Modules
| |||||||||||||||
| 1728 | "C:\Users\admin\Desktop\ed8cec11c59045b09945cf8b6369687d9acaaacf6d00ba0c6f6d5870099c46d4.exe" | C:\Users\admin\Desktop\ed8cec11c59045b09945cf8b6369687d9acaaacf6d00ba0c6f6d5870099c46d4.exe | — | explorer.exe | |||||||||||
User: admin Company: iTop Inc Integrity Level: MEDIUM Description: iTop Screen Recorder Exit code: 3221226540 Version: 6.0.0.63 Modules
| |||||||||||||||
| 1740 | "C:\Users\admin\AppData\Local\Temp\is-PU1Q4.tmp\iScrInit.exe" /CheckOldVer=0 /CopyOldConfig /installdir="" | C:\Users\admin\AppData\Local\Temp\is-PU1Q4.tmp\iScrInit.exe | ISR_Setup.tmp | ||||||||||||
User: admin Company: iTop Inc. Integrity Level: HIGH Description: iTop Screen Recorderr Ini Exit code: 0 Version: 6.0.0.484 Modules
| |||||||||||||||
| 2432 | "C:\Users\admin\AppData\Local\Temp\is-PU1Q4.tmp\iScrInit.exe" /KillProcess /installdir="C:\Program Files\iTop Screen Recorder" | C:\Users\admin\AppData\Local\Temp\is-PU1Q4.tmp\iScrInit.exe | ISR_Setup.tmp | ||||||||||||
User: admin Company: iTop Inc. Integrity Level: HIGH Description: iTop Screen Recorderr Ini Exit code: 0 Version: 6.0.0.484 Modules
| |||||||||||||||
| 3100 | "C:\Users\admin\AppData\Local\Temp\is-H83A2.tmp\ISR_Setup.tmp" /SL5="$E0326,135198810,230912,C:\ProgramData\iTop Screen Recorder\Downloader\ISR_Setup.exe" /VerySilent /DIR="C:\Program Files\iTop Screen Recorder\" /UNINSTALL /INSTALLER /NORESTART /TASKS="desktopicon" /CreateTaskbar /DoNotWirteInsur | C:\Users\admin\AppData\Local\Temp\is-H83A2.tmp\ISR_Setup.tmp | ISR_Setup.exe | ||||||||||||
User: admin Integrity Level: HIGH Description: Setup/Uninstall Version: 51.1052.0.0 Modules
| |||||||||||||||
| 4688 | "C:\Users\admin\AppData\Local\Temp\is-PU1Q4.tmp\iScrInit.exe" /CleanReg | C:\Users\admin\AppData\Local\Temp\is-PU1Q4.tmp\iScrInit.exe | ISR_Setup.tmp | ||||||||||||
User: admin Company: iTop Inc. Integrity Level: HIGH Description: iTop Screen Recorderr Ini Exit code: 0 Version: 6.0.0.484 Modules
| |||||||||||||||
| 5764 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6392 | "C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=134.0.6985.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x111c460,0x111c46c,0x111c478 | C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe | — | updater.exe | |||||||||||
User: SYSTEM Company: Google LLC Integrity Level: SYSTEM Description: Google Updater Exit code: 0 Version: 134.0.6985.0 Modules
| |||||||||||||||
Total events
4 864
Read events
4 861
Write events
3
Delete events
0
Modification events
| (PID) Process: | (1612) ed8cec11c59045b09945cf8b6369687d9acaaacf6d00ba0c6f6d5870099c46d4.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\iTop Screen Recorder |
| Operation: | write | Name: | insur |
Value: ency_techno360_isr | |||
| (PID) Process: | (3100) ISR_Setup.tmp | Key: | HKEY_CURRENT_USER\SOFTWARE\iTop Screen Recorder |
| Operation: | write | Name: | InstallFinished |
Value: 0 | |||
| (PID) Process: | (3100) ISR_Setup.tmp | Key: | HKEY_CURRENT_USER\SOFTWARE\Wow6432Node\iTop Screen Recorder |
| Operation: | write | Name: | InstallFinished |
Value: 0 | |||
Executable files
432
Suspicious files
10
Text files
33
Unknown types
7
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 1612 | ed8cec11c59045b09945cf8b6369687d9acaaacf6d00ba0c6f6d5870099c46d4.exe | C:\ProgramData\iTop Screen Recorder\Downloader\ISR_Setup.exe | — | |
MD5:— | SHA256:— | |||
| 1612 | ed8cec11c59045b09945cf8b6369687d9acaaacf6d00ba0c6f6d5870099c46d4.exe | C:\Users\admin\AppData\Local\Temp\Installerupt45870.0584525579.zlb | skn | |
MD5:99861DB0005DD0A8D70B9AF39C164239 | SHA256:4D0DC83EFEFADE318C01F98661110898CFBD5008A6716A335A365EF604A8F5F7 | |||
| 1612 | ed8cec11c59045b09945cf8b6369687d9acaaacf6d00ba0c6f6d5870099c46d4.exe | C:\Users\admin\AppData\Local\Temp\libssl-1_1.dll | executable | |
MD5:2E13693945236594078A2E7C4FD029BE | SHA256:E9CEDB410DF5A475A08B2F17EC5EA5615D02FF4F1A1E045F53053A73DA9A2474 | |||
| 1612 | ed8cec11c59045b09945cf8b6369687d9acaaacf6d00ba0c6f6d5870099c46d4.exe | C:\Users\admin\AppData\Local\Temp\Installerupt45870.058469375.ini | text | |
MD5:495E10B9039E6496548342FF20EABC10 | SHA256:9B7F4FF6C3B456E0A3565C382612820CD865D2A9983221D4C1A5787A6599C106 | |||
| 3100 | ISR_Setup.tmp | C:\Users\admin\AppData\Local\Temp\is-PU1Q4.tmp\_isetup\_setup64.tmp | executable | |
MD5:E4211D6D009757C078A9FAC7FF4F03D4 | SHA256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95 | |||
| 3100 | ISR_Setup.tmp | C:\Users\admin\AppData\Local\Temp\is-PU1Q4.tmp\CheckDiskInfo.dll | executable | |
MD5:C95DAE85F733228B21FE3A1160766913 | SHA256:5FAD776C61179D101D1DD48BF30221DB1466D9A683D569382C2C04DDDB55C398 | |||
| 3100 | ISR_Setup.tmp | C:\Users\admin\AppData\Local\Temp\is-PU1Q4.tmp\Inno_English.lng | text | |
MD5:524B7877C76E16D30FD0FE02C2944A28 | SHA256:5E11AE4DD2586E690E90B07F9A9FE40843837853DE0A27500DCFDD27945CDE53 | |||
| 3100 | ISR_Setup.tmp | C:\Users\admin\AppData\Local\Temp\is-PU1Q4.tmp\iScrInit.exe | executable | |
MD5:11EBCF3D4F70D5BA36D46CB0DBF5EFF4 | SHA256:4B098B2E42A5F87C7F9012E61BD22A49D2CF7908E9B400F284A6AC1A6775E5B6 | |||
| 1612 | ed8cec11c59045b09945cf8b6369687d9acaaacf6d00ba0c6f6d5870099c46d4.exe | C:\Users\admin\AppData\Roaming\iTop Screen Recorder\Main.ini | text | |
MD5:FC9AF3BE206ADA4C02EE4D18D8021374 | SHA256:2C88DC7CE8C569C66A63823B0E75CDCE9DE6D93B874E75825D927605293788C0 | |||
| 6392 | updater.exe | C:\Program Files (x86)\Google\GoogleUpdater\updater.log | text | |
MD5:98F66BE540D4F02E5B66DEA116875A4A | SHA256:C72065150F138CCD1BD73120555493A88BDF3BC0B013F92C9C58E23C0E1A3B5C | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
51
TCP/UDP connections
54
DNS requests
22
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
— | — | POST | 400 | 40.126.32.140:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted |
5944 | MoUsoCoreWorker.exe | GET | 200 | 2.16.241.14:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 2.16.241.14:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
5944 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | GET | 206 | 23.50.131.79:443 | https://update.itopupdate.com/infofiles/isr/rmd/installer.zlb | unknown | binary | 53.5 Kb | unknown |
— | — | GET | 304 | 20.12.23.50:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | — | — | unknown |
— | — | GET | 200 | 20.12.23.50:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | compressed | 23.9 Kb | whitelisted |
— | — | GET | 200 | 52.206.118.116:443 | https://stats.reportcpanel.com/multi_app_new.php?action=get-token | unknown | text | 24 b | unknown |
— | — | GET | 200 | 23.48.23.5:443 | https://update.itopupdate.com/infofiles/isr/rmd/dl-info.upt | unknown | text | 338 b | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
5944 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
5944 | MoUsoCoreWorker.exe | 2.16.241.14:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
— | — | 2.16.241.14:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
5944 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted |
— | — | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted |
5944 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
1612 | ed8cec11c59045b09945cf8b6369687d9acaaacf6d00ba0c6f6d5870099c46d4.exe | 23.32.238.89:443 | update.itopupdate.com | Akamai International B.V. | DE | suspicious |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
update.itopupdate.com |
| unknown |
update.iobit.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |
login.live.com |
| whitelisted |
activation-v2.sls.microsoft.com |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |
Threats
Process | Message |
|---|---|
ed8cec11c59045b09945cf8b6369687d9acaaacf6d00ba0c6f6d5870099c46d4.exe | 8888 |
ed8cec11c59045b09945cf8b6369687d9acaaacf6d00ba0c6f6d5870099c46d4.exe | 6666 |
ed8cec11c59045b09945cf8b6369687d9acaaacf6d00ba0c6f6d5870099c46d4.exe | 33333 |
ed8cec11c59045b09945cf8b6369687d9acaaacf6d00ba0c6f6d5870099c46d4.exe | Win32MinorVersion: 0 |
ed8cec11c59045b09945cf8b6369687d9acaaacf6d00ba0c6f6d5870099c46d4.exe | 7777 |
ed8cec11c59045b09945cf8b6369687d9acaaacf6d00ba0c6f6d5870099c46d4.exe | ********** FLanguageName: English |
ed8cec11c59045b09945cf8b6369687d9acaaacf6d00ba0c6f6d5870099c46d4.exe | CheckDiskSpace: 4 |
ed8cec11c59045b09945cf8b6369687d9acaaacf6d00ba0c6f6d5870099c46d4.exe | CheckDiskSpace: 4 |
ed8cec11c59045b09945cf8b6369687d9acaaacf6d00ba0c6f6d5870099c46d4.exe | LoadUserConfig: 2_2 |
ed8cec11c59045b09945cf8b6369687d9acaaacf6d00ba0c6f6d5870099c46d4.exe | GetDownloadPath: 1 |