| File name: | IONSetup v3.2.25092.01.exe |
| Full analysis: | https://app.any.run/tasks/1113102d-8e4e-4d83-a480-5d078ea44187 |
| Verdict: | Malicious activity |
| Analysis date: | May 19, 2025, 17:01:29 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections |
| MD5: | 4DC5CF71A9E0E59B6406DC1A27624D7D |
| SHA1: | 7051BE34C86B23DA13EF8DCF8136D33A6F125839 |
| SHA256: | 5BB33D1C935823414061F5B63EA865537768C70A5C9BDE6677ACE1DCFC30D0EF |
| SSDEEP: | 98304:ihUhnNBM/u74MsUQgzxgeoNXod1ee3p/Fd17CVUiHxYOKd7PUmEWJQH8a0Xbe/28:wc3oUIgHesN1FBFnCfI2uiTisFMRM |
| Extension | File type guess | Match (%) |
|---|---|---|
| .exe | Win32 Executable MS Visual C++ (generic) | 42.2 |
| .exe | Win64 Executable (generic) | 37.3 |
| .dll | Win32 Dynamic Link Library (generic) | 8.8 |
| .exe | Win32 Executable (generic) | 6 |
| .exe | Generic Win/DOS Executable | 2.7 |
| PE field | Value |
|---|---|
| MachineType | Intel 386 or later, and compatibles |
| TimeStamp | 2010:11:18 16:27:35+00:00 |
| ImageFileCharacteristics | No relocs, Executable, No line numbers, No symbols, 32-bit |
| PEType | PE32 |
| LinkerVersion | 6 |
| CodeSize | 104960 |
| InitializedDataSize | 68608 |
| UninitializedDataSize | - |
| EntryPoint | 0x14b04 |
| OSVersion | 4 |
| ImageVersion | - |
| SubsystemVersion | 4 |
| Subsystem | Windows GUI |
| FileVersionNumber | 1.0.0.0 |
| ProductVersionNumber | 1.0.0.0 |
| FileFlagsMask | 0x003f |
| FileFlags | (none) |
| FileOS | Windows NT 32-bit |
| ObjectFileType | Executable application |
| FileSubtype | - |
| LanguageCode | Neutral |
| CharacterSet | Unicode |
| CompanyName | - |
| FileDescription | - |
| FileVersion | 1.0.0.0 |
| InternalName | se7zS.sfx |
| LegalCopyright | Copyright (c) 2013 |
| OriginalFileName | 7zS.sfx.exe |
| ProductName | - |
| ProductVersion | 1.0.0.0 |

The version resource (InternalName se7zS.sfx, OriginalFileName 7zS.sfx.exe) identifies the file as a 7-Zip self-extracting stub with an archive appended; the 2010 link timestamp and LinkerVersion 6 belong to that stub, not to the payload it carries, so they say nothing about when the installer itself was built.
| PID | CMD | Path | Indicators | Parent process | User | Integrity level | Exit code | Company | Description | Version |
|---|---|---|---|---|---|---|---|---|---|---|
| 632 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | | svchost.exe | admin | MEDIUM | 0 | Microsoft Corporation | Windows Activation Client | 10.0.19041.1 (WinBuild.160101.0800) |
| 1568 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | SrTasks.exe | SYSTEM | SYSTEM | 0 | Microsoft Corporation | Console Window Host | 10.0.19041.1 (WinBuild.160101.0800) |
| 1672 | C:\WINDOWS\system32\vssvc.exe | C:\Windows\System32\VSSVC.exe | — | services.exe | SYSTEM | SYSTEM | 0 | Microsoft Corporation | Microsoft® Volume Shadow Copy Service | 10.0.19041.1 (WinBuild.160101.0800) |
| 3008 | C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:13 | C:\Windows\System32\SrTasks.exe | — | msiexec.exe | SYSTEM | SYSTEM | 0 | Microsoft Corporation | Microsoft® Windows System Protection background tasks. | 10.0.19041.1 (WinBuild.160101.0800) |
| 4880 | C:\WINDOWS\system32\msiexec.exe /V | C:\Windows\System32\msiexec.exe | | services.exe | SYSTEM | SYSTEM | not recorded | Microsoft Corporation | Windows® installer | 5.0.19041.1 (WinBuild.160101.0800) |
| 6564 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | SrTasks.exe | SYSTEM | SYSTEM | 0 | Microsoft Corporation | Console Window Host | 10.0.19041.1 (WinBuild.160101.0800) |
| 7260 | C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:11 | C:\Windows\System32\SrTasks.exe | — | msiexec.exe | SYSTEM | SYSTEM | 2147942487 (0x80070057) | Microsoft Corporation | Microsoft® Windows System Protection background tasks. | 10.0.19041.1 (WinBuild.160101.0800) |
| 7352 | "C:\Users\admin\AppData\Local\Temp\IONSetup v3.2.25092.01.exe" | C:\Users\admin\AppData\Local\Temp\IONSetup v3.2.25092.01.exe | — | explorer.exe | admin | MEDIUM | 3221226540 (0xC000042C) | — | — | 1.0.0.0 |
| 7452 | "C:\Users\admin\AppData\Local\Temp\IONSetup v3.2.25092.01.exe" | C:\Users\admin\AppData\Local\Temp\IONSetup v3.2.25092.01.exe | | explorer.exe | admin | HIGH | not recorded | — | — | 1.0.0.0 |
| 7484 | C:\WINDOWS\system32\SppExtComObj.exe -Embedding | C:\Windows\System32\SppExtComObj.Exe | — | svchost.exe | NETWORK SERVICE | SYSTEM | 0 | Microsoft Corporation | KMS Connection Broker | 10.0.19041.3996 (WinBuild.160101.0800) |

Exit codes are given as the sandbox reports them (unsigned decimal) with the hex equivalent added. 0xC000042C is STATUS_ELEVATION_REQUIRED: the first start of the installer (PID 7352, MEDIUM integrity) ends with it, and the same image is then started again from explorer.exe as PID 7452 at HIGH integrity. That is the pattern of an executable whose manifest requests administrator rights: the unelevated start fails with STATUS_ELEVATION_REQUIRED and, once the UAC prompt is accepted, the image is relaunched elevated, so everything the installer does afterwards runs with full administrative rights. 0x80070057 is an HRESULT wrapping Win32 error 87 (ERROR_INVALID_PARAMETER), returned by the second restore-point task (SrTasks.exe, sequence 11) while the first (sequence 13) completed with 0. Cells left blank (Indicators, Exit code for 4880 and 7452) are blank in the source report; the "Modules" links of the original page are dropped.
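The exit codes in the process list are only useful once they are decoded, and the sandbox prints them as unsigned decimals. The following is an added example (not the sandbox's or Microsoft's code) that splits such a value into its NTSTATUS or HRESULT bit fields and unwraps HRESULTs carrying a Win32 error. The split between the two formats is a heuristic (0xC... treated as NTSTATUS error, 0x8... as HRESULT), and the name tables are a small hand-picked subset; both are assumptions of this example, not something the report states.

```python
"""Decode process exit codes as a sandbox reports them (unsigned 32-bit decimal).

Added example, not code from the sandbox. A code with bit 31 set is either an
NTSTATUS (severity bits 31-30, customer bit 29, facility bits 27-16, code bits
15-0) or an HRESULT (S bit 31, R bit 30, C bit 29, N bit 28, facility bits
26-16, code bits 15-0). The classification below is a heuristic: 0xC... is
treated as an NTSTATUS error, 0x8... as an HRESULT, and an HRESULT with
FACILITY_WIN32 (7) is unwrapped to the Win32 error it carries. Name tables are
a hand-picked subset (assumption of this example).
"""

FACILITY_WIN32 = 7

NTSTATUS_NAMES = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC000013A: "STATUS_CONTROL_C_EXIT",
    0xC0000142: "STATUS_DLL_INIT_FAILED",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",
    0xC000042C: "STATUS_ELEVATION_REQUIRED",
}
WIN32_NAMES = {
    0: "ERROR_SUCCESS",
    5: "ERROR_ACCESS_DENIED",
    87: "ERROR_INVALID_PARAMETER",
    740: "ERROR_ELEVATION_REQUIRED",
    1223: "ERROR_CANCELLED",
}


def decode_exit_code(value: int) -> dict:
    """Split a 32-bit exit code into kind, facility, code and (if known) a symbolic name."""
    value &= 0xFFFFFFFF
    out = {"decimal": value, "hex": f"0x{value:08X}", "name": None}
    if value < 0x80000000:
        # plain Win32 error or application-defined exit status
        out.update(kind="win32", code=value, name=WIN32_NAMES.get(value))
    elif value >> 30 == 0b11:
        # NTSTATUS with severity 3 (error): facility is bits 27-16, code bits 15-0
        out.update(
            kind="ntstatus",
            severity=value >> 30,
            facility=(value >> 16) & 0xFFF,
            code=value & 0xFFFF,
            name=NTSTATUS_NAMES.get(value),
        )
    else:
        # HRESULT: facility is bits 26-16, code bits 15-0
        facility = (value >> 16) & 0x7FF
        code = value & 0xFFFF
        out.update(kind="hresult", facility=facility, code=code)
        if facility == FACILITY_WIN32:
            # HRESULT_FROM_WIN32(x) == 0x80070000 | x, so the low 16 bits are the Win32 error
            out["win32_code"] = code
            out["name"] = WIN32_NAMES.get(code)
    return out


def annotate(rows):
    """rows: iterable of (pid, image, exit_code or None) -> one summary line per process."""
    lines = []
    for pid, image, code in rows:
        if code is None:
            lines.append(f"{pid} {image}: no exit code recorded")
            continue
        d = decode_exit_code(code)
        label = d["name"] or f"{d['kind']} unknown"
        lines.append(f"{pid} {image}: {code} = {d['hex']} ({label})")
    return lines


# The non-zero and missing exit codes from the process list above.
SAMPLE_ROWS = [
    (7352, "IONSetup v3.2.25092.01.exe", 3221226540),
    (7452, "IONSetup v3.2.25092.01.exe", None),
    (7260, "srtasks.exe", 2147942487),
]

if __name__ == "__main__":
    for line in annotate(SAMPLE_ROWS):
        print(line)
```

Run on the three rows above it reports 7352 as STATUS_ELEVATION_REQUIRED and 7260 as an HRESULT carrying ERROR_INVALID_PARAMETER; anything not in the small name tables still comes back with its kind, facility and code so it can be looked up elsewhere.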
| PID | Process | Operation | Key | Name | Value |
|---|---|---|---|---|---|
| 7608 | Setup.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | CachePrefix | |
| 7608 | Setup.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | CachePrefix | Cookie: |
| 7608 | Setup.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | CachePrefix | Visited: |
| 7608 | Setup.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch | Version | WS not running |
| 7608 | Setup.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main | DisableFirstRunCustomize | 1 |
| 4880 | msiexec.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore | SrCreateRp (Enter) | 480000000000000015FFDBBDDFC8DB0110130000F8040000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 |
| 4880 | msiexec.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP | SppGetSnapshots (Enter) | 480000000000000015FFDBBDDFC8DB0110130000F8040000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 |
| 4880 | msiexec.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP | SppEnumGroups (Leave) | 480000000000000020CD1EBEDFC8DB0110130000F8040000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000 |
| 4880 | msiexec.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP | SppGetSnapshots (Leave) | 480000000000000094691CBEDFC8DB0110130000F8040000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000 |
| 4880 | msiexec.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP | SppEnumGroups (Enter) | 480000000000000094691CBEDFC8DB0110130000F8040000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 |

The Internet Settings\5.0\Cache and Internet Explorer\Main writes by Setup.exe are the standard WinINet/IE first-use initialisation of a user profile (cache prefixes, DisableFirstRunCustomize) and carry no persistence on their own. The VSS\Diag writes by msiexec.exe are the Volume Shadow Copy diagnostic trace of a restore-point creation (SrCreateRp, SppGetSnapshots, SppEnumGroups entered and left), which matches the SrTasks.exe ExecuteScopeRestorePoint children in the process list. Setup.exe (PID 7608) has no entry in the process list above.
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 7452 | IONSetup v3.2.25092.01.exe | C:\Users\admin\AppData\Local\Temp\7zSBAC6.tmp\ION\setup\Installers\IONE_x86.msi | — | — | — |
| 7452 | IONSetup v3.2.25092.01.exe | C:\Users\admin\AppData\Local\Temp\7zSBAC6.tmp\ION\setup\Installers\ProgramFiles_x86.msi | — | — | — |
| 7452 | IONSetup v3.2.25092.01.exe | C:\Users\admin\AppData\Local\Temp\7zSBAC6.tmp\ION\setup\Installers\ProgramData_x86.msi | executable | 48A9CF3B27C1F55F2DB931FF496B3394 | 94BB791C1D7C48842A343B99D3C2C205530B7661CFAFB7D864E5052181F75E2C |
| 7452 | IONSetup v3.2.25092.01.exe | C:\Users\admin\AppData\Local\Temp\7zSBAC6.tmp\ION\setup\Images\Fail.png | image | 4DDAFAA79ADF1A9E676A1AAA2D34095F | 14F6A94257E5F86121E57F12D47674933B22844C9615271EE7D746FD6205E47E |
| 7452 | IONSetup v3.2.25092.01.exe | C:\Users\admin\AppData\Local\Temp\7zSBAC6.tmp\ION\setup\Images\Awaiting.png | image | C65BF899AA9956E3350820705F60C88C | 74E5A913AF0E8F5B330BABC4613F50FA73A2616AFB253BC0E0A7A73C26C700CF |
| 7452 | IONSetup v3.2.25092.01.exe | C:\Users\admin\AppData\Local\Temp\7zSBAC6.tmp\ION\setup\Images\CompanyLogo.gif | image | 4331F43407A9C4DA27B98C0DB12C44FE | 7086BE557FD7599FD91166D41FD879ADFE04E22407DF32F71497FEC2F68EFABF |
| 7452 | IONSetup v3.2.25092.01.exe | C:\Users\admin\AppData\Local\Temp\7zSBAC6.tmp\ION\setup\Images\White_Arrow.png | image | 75E66DABE2829407762AA1B309DB4A01 | B7C5A3485A014A7192B599F1E7C95564D2CCB5B8B4C2FF748073BAEE333C483A |
| 7452 | IONSetup v3.2.25092.01.exe | C:\Users\admin\AppData\Local\Temp\7zSBAC6.tmp\ION\setup\Images\Success.png | image | 88B650B2D06FED4F929195649CE128DF | 5971E3C769295FFB548A425D88D0F8209F7FBAAD1CF083E264B2D54923610C69 |
| 7452 | IONSetup v3.2.25092.01.exe | C:\Users\admin\AppData\Local\Temp\7zSBAC6.tmp\ION\setup\Images\Warning.png | image | BA149C0D0B49EAA481A90C59DD74D26B | 173BF630968466585055827A9ACE32F5E6758CA99BB8452AEE485F300C06C1B1 |
| 7452 | IONSetup v3.2.25092.01.exe | C:\Users\admin\AppData\Local\Temp\7zSBAC6.tmp\ION\setup\broker.xml | xml | 12C9FF6FCD648A244C505D64CDB2CF8A | 6473241CE1C7AB03943EF442330B7DEE06940FFC15D2013A9219B0D66410921C |

All files are written by the elevated installer instance (PID 7452) into %TEMP%\7zSBAC6.tmp\, the per-run "7zS" + hex + ".tmp" extraction directory that the 7-Zip SFX stub creates before handing over to its configured program. The three .msi packages under Installers\ account for the msiexec.exe /V service and the restore-point tasks in the process list. The report records no hashes or type for IONE_x86.msi and ProgramFiles_x86.msi; only ProgramData_x86.msi is hashed, so that is the only payload a defender can pivot on from this page.
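The version resource above marks the sample as a 7-Zip SFX stub (7zS.sfx.exe) and the dropped-file list shows the archive it carries being unpacked into %TEMP%\7zSBAC6.tmp\. Before detonating such a file it is worth confirming that an archive is really appended and reading the stub's install script statically. The following is an added example, not code from the sandbox or from 7-Zip: it locates the appended archive by its signature header (6-byte magic, 2-byte version, CRC32 over the following 20 bytes, then NextHeaderOffset and NextHeaderSize as u64 and NextHeaderCRC as u32), verifies that CRC so a chance hit on the magic is not mistaken for an archive, checks that the "next header" lies inside the file, and pulls out the optional ;!@Install@!UTF-8! ... ;!@InstallEnd@! config block that tells the stub what to run after extraction. The input bytes, including the config text naming ION\setup\Setup.exe, are constructed here for the demo and are not the IONSetup binary.

```python
"""Static triage of a 7-Zip SFX installer (stub + appended .7z archive).

Added example, not ANY.RUN's or 7-Zip's code. Layout used: the 7z signature
header is magic(6) | version(2) | StartHeaderCRC(4) | NextHeaderOffset(8) |
NextHeaderSize(8) | NextHeaderCRC(4); StartHeaderCRC is CRC32 of the last 20
bytes and NextHeaderOffset is relative to the end of this 32-byte header.
The sample bytes built by build_sample() are constructed for the demo.
"""
import struct
import zlib
from typing import Optional

SEVEN_ZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"
CFG_BEGIN = b";!@Install@!UTF-8!"
CFG_END = b";!@InstallEnd@!"
SIG_HEADER_LEN = 32


def crc32(b: bytes) -> int:
    return zlib.crc32(b) & 0xFFFFFFFF


def find_archive(data: bytes) -> Optional[dict]:
    """Return the first 7z signature header in data whose start-header CRC verifies."""
    pos = data.find(SEVEN_ZIP_MAGIC)
    while pos != -1:
        if pos + SIG_HEADER_LEN <= len(data):
            major, minor = data[pos + 6], data[pos + 7]
            (start_crc,) = struct.unpack_from("<I", data, pos + 8)
            tail = data[pos + 12:pos + SIG_HEADER_LEN]
            if crc32(tail) == start_crc:            # reject chance hits on the magic
                nh_off, nh_size, nh_crc = struct.unpack_from("<QQI", tail)
                nh_abs = pos + SIG_HEADER_LEN + nh_off
                in_bounds = nh_abs + nh_size <= len(data)
                return {
                    "offset": pos,
                    "version": (major, minor),
                    "next_header_offset": nh_off,
                    "next_header_size": nh_size,
                    "next_header_abs": nh_abs,
                    "next_header_in_bounds": in_bounds,   # False for a truncated download
                    "next_header_crc_ok": in_bounds
                    and crc32(data[nh_abs:nh_abs + nh_size]) == nh_crc,
                }
        pos = data.find(SEVEN_ZIP_MAGIC, pos + 1)
    return None


def extract_sfx_config(data: bytes) -> Optional[str]:
    """Return the text between the SFX config markers, or None if the stub has none."""
    start = data.find(CFG_BEGIN)
    if start == -1:
        return None
    end = data.find(CFG_END, start)
    if end == -1:
        return None
    return data[start + len(CFG_BEGIN):end].decode("utf-8", errors="replace").strip()


def triage(data: bytes) -> dict:
    info = find_archive(data)
    return {"is_7z_sfx": info is not None, "archive": info, "sfx_config": extract_sfx_config(data)}


def build_sample() -> bytes:
    """Constructed stand-in for an SFX: fake stub + config script + 7z header with valid CRCs."""
    stub = b"MZ" + b"\x00" * 62 + b"fake 7zS.sfx stub".ljust(200, b"\x00")
    config = CFG_BEGIN + b'\r\nTitle="ION Setup"\r\nRunProgram="ION\\setup\\Setup.exe"\r\n' + CFG_END + b"\r\n"
    packed = b"\xaa" * 64                                  # stands in for the packed streams
    next_header = b"\x01\x04\x06\x00" + b"\x17" * 12       # stands in for the archive header
    tail = struct.pack("<QQI", len(packed), len(next_header), crc32(next_header))
    sig = SEVEN_ZIP_MAGIC + bytes([0, 4]) + struct.pack("<I", crc32(tail)) + tail
    return stub + config + sig + packed + next_header


if __name__ == "__main__":
    print(triage(build_sample()))
```

On a real sample, feed the file contents to triage(); a valid header with next_header_in_bounds False means the download or the dropped copy is truncated, and a config block naming a RunProgram is the first place to look for what the stub launches after unpacking into its 7zS*.tmp directory.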
| PID | Process | Method | HTTP code | IP:port | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 5496 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.30:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
| 5496 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
| 2104 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
| — | — | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
| 6544 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | whitelisted |
| 6640 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | whitelisted |
| 6640 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | — | — | whitelisted |

Every HTTP request in the capture is a certificate revocation check (CRL or OCSP) issued by Windows components (MoUsoCoreWorker.exe, svchost.exe, SIHClient.exe) over plain HTTP, as revocation checking normally is. None of the attributed requests comes from the installer processes (7352, 7452) or from msiexec.exe, so this report shows no command-and-control or download activity by the sample itself.
| PID | Process | IP:port | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
| — | — | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
| 5496 | MoUsoCoreWorker.exe | 23.216.77.30:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
| 5496 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
| 2104 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
| — | — | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
| 4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
| 3216 | svchost.exe | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted |
| 6544 | svchost.exe | 20.190.160.128:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
| 6544 | svchost.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted |

The two entries from PID 4 (System) to 192.168.100.255 on UDP 137/138 are NetBIOS name-service and datagram broadcasts on the sandbox's local subnet; the remaining connections are Windows telemetry, push notification, sign-in and revocation endpoints, all attributed to system processes.
| Domain | IP | Reputation |
|---|---|---|
| google.com | | whitelisted |
| settings-win.data.microsoft.com | | whitelisted |
| crl.microsoft.com | | whitelisted |
| www.microsoft.com | | whitelisted |
| client.wns.windows.com | | whitelisted |
| login.live.com | | whitelisted |
| ocsp.digicert.com | | whitelisted |
| slscr.update.microsoft.com | | whitelisted |
| fe3cr.delivery.mp.microsoft.com | | whitelisted |
| go.microsoft.com | | whitelisted |

The IP column is empty in the source report for every DNS entry. All resolved names are Microsoft or DigiCert infrastructure plus the google.com connectivity probe, and none is tied to the installer's own processes in the tables above.