| Field | Value |
|---|---|
| File name: | 3cc86ffa9cbda978789c4cc22e7f93ffab62eb5b7f77c0a94d3771fa2f3edcd0.exe |
| Full analysis: | https://app.any.run/tasks/8c02c0eb-a9f6-42bb-b8ad-216631dad807 |
| Verdict: | Malicious activity |
| Analysis date: | May 21, 2024, 02:16:49 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Indicators: | — |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | 20B71D9DA27BEC702E901AAF7F44FFB0 |
| SHA1: | B613AA8E8E022FC4BFFEFAE9419CAF35A5E8CA2F |
| SHA256: | 3CC86FFA9CBDA978789C4CC22E7F93FFAB62EB5B7F77C0A94D3771FA2F3EDCD0 |
| SSDEEP: | 6144://JZVQ83chNfrlWjHhbCl7nq/q8s3FE0668:/dfiliA7q/EJ668 |
| Extension | TrID type | Probability (%) |
|---|---|---|
| .exe | Win64 Executable (generic) | 49.4 |
| .scr | Windows screen saver | 23.4 |
| .dll | Win32 Dynamic Link Library (generic) | 11.7 |
| .exe | Win32 Executable (generic) | 8 |
| .exe | Generic Win/DOS Executable | 3.5 |

TrID's top guess ("Win64 Executable") is a byte-pattern heuristic and is wrong here: the PE header below (PE32, Intel 386, 32-bit characteristics) is authoritative, and the sample is a 32-bit image. That matters for the rest of the report, because a 32-bit process on 64-bit Windows has its System32 and HKLM\SOFTWARE accesses redirected to SysWOW64 and WOW6432Node.
| PE header field | Value |
|---|---|
| MachineType: | Intel 386 or later, and compatibles |
| TimeStamp: | 1976:08:18 05:39:38+00:00 |
| ImageFileCharacteristics: | Executable, No line numbers, No symbols, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 2.55 |
| CodeSize: | 53248 |
| InitializedDataSize: | 18944 |
| UninitializedDataSize: | 125440 |
| EntryPoint: | 0x33000 |
| OSVersion: | 1 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |

The compile timestamp (1976) predates the PE format and is forged or garbage; do not use it for timeline reconstruction. An uninitialized-data region more than twice the size of the code section is a hint that the real code is unpacked at runtime; confirm by inspecting section names and entropy before relying on static strings or imports from this file.
| PID | CMD | Path | Parent process | User | Integrity level | Exit code |
|---|---|---|---|---|---|---|
| 708 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Minimized -Command "Start-Process C:\Users\admin\Desktop\3cc86ffa9cbda978789c4cc22e7f93ffab62eb5b7f77c0a94d3771fa2f3edcd0.exe -Verb runas ; echo 'Started the file with administrator privileges, this is not part of the sample!' ; exit 0 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | explorer.exe | admin | MEDIUM | 0 |
| 1428 | C:\WINDOWS\system32\Gliqcmjk.exe | C:\Windows\SysWOW64\Gliqcmjk.exe | Geohgc32.exe | admin | HIGH | 1 |
| 1492 | C:\WINDOWS\system32\Gekoldgc.exe | C:\Windows\SysWOW64\Gekoldgc.exe | Gnqgoj32.exe | admin | HIGH | 1 |
| 1512 | C:\WINDOWS\system32\Glgdnnln.exe | C:\Windows\SysWOW64\Glgdnnln.exe | Ghkhmodd.exe | admin | HIGH | 1 |
| 1604 | "C:\Users\admin\Desktop\3cc86ffa9cbda978789c4cc22e7f93ffab62eb5b7f77c0a94d3771fa2f3edcd0.exe" | C:\Users\admin\Desktop\3cc86ffa9cbda978789c4cc22e7f93ffab62eb5b7f77c0a94d3771fa2f3edcd0.exe | powershell.exe | admin | HIGH | 1 |
| 2524 | C:\WINDOWS\system32\Ghkhmodd.exe | C:\Windows\SysWOW64\Ghkhmodd.exe | Gaapqe32.exe | admin | HIGH | 1 |
| 2528 | C:\WINDOWS\system32\Fgphaqnb.exe | C:\Windows\SysWOW64\Fgphaqnb.exe | Fealeeon.exe | admin | HIGH | 1 |
| 2540 | C:\WINDOWS\system32\Gnqgoj32.exe | C:\Windows\SysWOW64\Gnqgoj32.exe | Gckbaapa.exe | admin | HIGH | 1 |
| 2592 | C:\WINDOWS\system32\Gllmimhh.exe | C:\Windows\SysWOW64\Gllmimhh.exe | Gddehpgf.exe | admin | HIGH | 1 |
| 2600 | C:\WINDOWS\system32\Fecikeml.exe | C:\Windows\SysWOW64\Fecikeml.exe | Fmlajgli.exe | admin | HIGH | 1 |

PID 708 details: Company Microsoft Corporation, Description Windows PowerShell, Version 10.0.19041.1 (WinBuild.160101.0800).

Reading the process table:

- PID 708 is the sandbox's own launcher (its echo says so). It starts the sample with `-Verb runas`, which is why the sample and every descendant run at HIGH integrity; the sample was not observed elevating itself.
- The CMD column says `C:\WINDOWS\system32\` while the Path column says `C:\Windows\SysWOW64\`. The sample is a 32-bit image, so WOW64 file-system redirection maps its System32 writes and launches to SysWOW64. When hunting on 64-bit hosts, check both directories, and the WOW6432Node view of the registry.
- The listing is a subset of the run: parents such as Geohgc32.exe, Gaapqe32.exe, Gckbaapa.exe, Gddehpgf.exe and Fmlajgli.exe have no row of their own, and PIDs 5752, 5824, 5996, 4852 and 4280 appear only in the registry and file tables below.
- Every dropped copy carries a pseudo-random eight-character name (seven letters after a capital, or five letters plus "32"), spawns the next copy and exits with code 1, so process-tree depth and exit codes alone make this chain stand out.
| PID | Process | Key | Name | Operation | Value |
|---|---|---|---|---|---|
| 708 | powershell.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass | write | 1 |
| 708 | powershell.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName | write | 1 |
| 708 | powershell.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | write | 1 |
| 708 | powershell.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | write | 0 |
| 1604 | 3cc86ffa9cbda978789c4cc22e7f93ffab62eb5b7f77c0a94d3771fa2f3edcd0.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | ThreadingModel | write | Apartment |
| 1604 | 3cc86ffa9cbda978789c4cc22e7f93ffab62eb5b7f77c0a94d3771fa2f3edcd0.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Web Event Logger | write | {79FAA099-1BAE-816E-D711-115290CEE717} |
| 5752 | Fngdik32.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | ThreadingModel | write | Apartment |
| 5752 | Fngdik32.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Web Event Logger | write | {79FAA099-1BAE-816E-D711-115290CEE717} |
| 5824 | Fealeeon.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | ThreadingModel | write | Apartment |
| 5824 | Fealeeon.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Web Event Logger | write | {79FAA099-1BAE-816E-D711-115290CEE717} |

The four ZoneMap writes come from the sandbox's PowerShell launcher (PID 708) and are not sample behaviour. The persistence is in the remaining rows: the sample (PID 1604) and its dropped copies Fngdik32.exe and Fealeeon.exe each register CLSID {79FAA099-1BAE-816E-D711-115290CEE717} as an apartment-threaded in-process COM server and then list it under ShellServiceObjectDelayLoad (SSODL) as "Web Event Logger", a benign-sounding name, so that the shell loads the object at logon; the same pair of writes is repeated by every copy that runs. Two caveats when using this as an indicator: the report captures only the ThreadingModel value, not the InProcServer32 default value that names the DLL, so which of the dropped DLLs the CLSID resolves to cannot be read off this page; and because the writer is a 32-bit process, both keys land in the WOW6432Node view rather than the native view the 64-bit explorer.exe reads, so the entry is a reliable detection artefact even where the shell never loads it. Hunt for SSODL values in both registry views and resolve each CLSID's InProcServer32 path; any entry whose DLL is not Microsoft-signed deserves a look.
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 708 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms | — | — | — |
| 708 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ywsxllbd.dpj.psm1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 |
| 708 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VFUWOQ5ZFUV4E0V0QKN4.temp | binary | C4BD57DF0CE27469FB775EBE84E25100 | 8F0A5EA9418F0327F8FEDC1AF6D1C1E554D09690F685B75A633DC5A390D0A2DE |
| 708 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ydy321ab.wt5.ps1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 |
| 708 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF114b5e.TMP | binary | D040F64E9E7A2BB91ABCA5613424598E | D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670 |
| 5996 | Flnahodh.exe | C:\WINDOWS\SysWOW64\Mfnbjb32.dll | executable | 668BB9F9F97DF16CDEAF5B13F86197AA | D5F620027AD476B2C872C244C1F8967720EF03AA7B264A8D4EBA6C15B4ACE1A1 |
| 4852 | Fajjpfbp.exe | C:\WINDOWS\SysWOW64\Fciflaac.exe | executable | CC964BD6785E2B7EA7C4929959A516E6 | CA098FB71FB696CF1D70F8EE3594371A2CCC6F0A045ACA5D945D459080E31BCB |
| 5824 | Fealeeon.exe | C:\WINDOWS\SysWOW64\Nioohggo.dll | executable | 470FFDB9CA997DC1E3EC5CE9EA69DB22 | 3A144A9BF325CDFE7D8C9206247E4606ADD1AC435E5194D1C10D5AAA88857974 |
| 5996 | Flnahodh.exe | C:\WINDOWS\SysWOW64\Fajjpfbp.exe | executable | D40EA2D8B14C1E9267AAABB605AF23F8 | F0F7FE45FDED612A6B164DB332DA8B2AEC6E4460FA52F55BEA87C95355608B12 |
| 4280 | Fmlajgli.exe | C:\WINDOWS\SysWOW64\Fecikeml.exe | executable | 16BC9F3F73604AB1C39348FF3D1672B6 | 555E6679BB14CFB5DEC15CD02847BBA6F1DF3C5D72AA0B8C9CA6795E123DB868 |

The five PID 708 rows are PowerShell's own artefacts (the `__PSScriptPolicyTest_*` files are its script-policy probe and the CustomDestinations files are jump-list updates) and belong to the launcher, not the sample. The sample's activity is the remaining rows: executables and DLLs written into C:\WINDOWS\SysWOW64\ under pseudo-random eight-character names, each by a process that was itself dropped earlier (Flnahodh.exe wrote Fajjpfbp.exe, which wrote Fciflaac.exe). The drops do not share a hash with each other or with the original sample, so hash-based blocking of 3cc86ffa...exe will not stop the copies; the directory, the naming pattern and the creator process are the durable signals.
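The following is an added example, not part of the ANY.RUN report or of the sample: hunting logic, written here in Python, for the two behaviours the registry and file tables above document, the ShellServiceObjectDelayLoad COM persistence and the chain of pseudo-randomly named PE files dropped into SysWOW64. It runs over constructed Sysmon-style events (Event ID 11 file creates and Event ID 13 registry value sets) built from the values on this page plus two lines of benign noise; the event shape, the servicing allowlist and the PID 1200 TrustedInstaller event are assumptions, not sandbox output.

```python
"""Hunting logic for the SSODL persistence and the SysWOW64 drop chain in the report above.
EVENTS is CONSTRUCTED in the shape of Sysmon Event ID 11 (FileCreate) and 13 (registry
value set) from values on this page plus benign noise; nothing here is sandbox output."""
import re
from collections import defaultdict

SSODL_RE = re.compile(r"\\SOFTWARE\\(?:WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion"
                      r"\\ShellServiceObjectDelayLoad\\([^\\]+)$", re.I)
INPROC_RE = re.compile(r"\\Classes\\(?:WOW6432Node\\)?CLSID\\(\{[0-9A-F-]{36}\})"
                       r"\\InProcServer32\\([^\\]+)$", re.I)
CLSID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)
# Eight characters: a capital plus seven letters, or plus five letters and "32"
# (Gliqcmjk.exe, Gnqgoj32.exe, Mfnbjb32.dll). Weak alone (Explorer.exe matches), so it is
# only an attribute of a file-write finding, never a finding by itself.
RANDOM_NAME_RE = re.compile(r"^[A-Z](?:[a-z]{7}|[a-z]{5}32)\.(?:exe|dll)$")
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")
# Assumed allowlist of processes that legitimately write PE files into the system directories.
SERVICING_ALLOWLIST = {"tiworker.exe", "trustedinstaller.exe", "msiexec.exe", "poqexec.exe", "dism.exe"}

SAMPLE = r"C:\Users\admin\Desktop\3cc86ffa9cbda978789c4cc22e7f93ffab62eb5b7f77c0a94d3771fa2f3edcd0.exe"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CLSID = "{79FAA099-1BAE-816E-D711-115290CEE717}"
INPROC_KEY = r"HKLM\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32"
SSODL_KEY = r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
EVENTS = [  # constructed from the report's registry and file tables
    {"id": 13, "pid": 1604, "image": SAMPLE, "target": INPROC_KEY + r"\ThreadingModel", "details": "Apartment"},
    {"id": 13, "pid": 1604, "image": SAMPLE, "target": SSODL_KEY + r"\Web Event Logger", "details": CLSID},
    {"id": 11, "pid": 5996, "image": r"C:\Windows\SysWOW64\Flnahodh.exe", "target": r"C:\Windows\SysWOW64\Fajjpfbp.exe"},
    {"id": 11, "pid": 5996, "image": r"C:\Windows\SysWOW64\Flnahodh.exe", "target": r"C:\Windows\SysWOW64\Mfnbjb32.dll"},
    {"id": 11, "pid": 4852, "image": r"C:\Windows\SysWOW64\Fajjpfbp.exe", "target": r"C:\Windows\SysWOW64\Fciflaac.exe"},
    {"id": 11, "pid": 708, "image": POWERSHELL,  # launcher noise, not the sample
     "target": r"C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ywsxllbd.dpj.psm1"},
    {"id": 11, "pid": 1200, "image": r"C:\Windows\servicing\TrustedInstaller.exe",  # assumed benign update
     "target": r"C:\Windows\System32\kernel32.dll"},
]


def basename(path):
    return path.rsplit("\\", 1)[-1]


def find_ssodl_persistence(events):
    """Join each SSODL value write with the InProcServer32 writes for the CLSID it names.
    'dll' is the InProcServer32 default value (the module path) if that write was logged."""
    inproc = defaultdict(dict)  # clsid -> {value name: data}
    for ev in events:
        m = INPROC_RE.search(ev["target"]) if ev["id"] == 13 else None
        if m:
            inproc[m.group(1).upper()][m.group(2)] = ev["details"]
    findings = []
    for ev in events:
        m = SSODL_RE.search(ev["target"]) if ev["id"] == 13 else None
        if not m:
            continue
        c = CLSID_RE.search(ev["details"])
        clsid = c.group(0).upper() if c else None
        findings.append({
            "pid": ev["pid"], "image": basename(ev["image"]), "entry": m.group(1), "clsid": clsid,
            # A 32-bit writer is redirected into WOW6432Node; the 64-bit shell reads the native key.
            "wow64_view": "wow6432node" in ev["target"].lower(),
            "inproc_registered": clsid in inproc,
            "dll": inproc.get(clsid, {}).get("(Default)"),
        })
    return findings


def find_system_dir_drops(events):
    """PE files created under System32/SysWOW64 by anything outside the servicing allowlist.
    'creator_was_dropped' links a write to an earlier drop, exposing the self-copy chain."""
    drops = []
    for ev in events:
        low = ev["target"].lower()
        if ev["id"] != 11 or not low.endswith((".exe", ".dll")) or not any(d in low for d in SYSTEM_DIRS):
            continue
        if basename(ev["image"]).lower() in SERVICING_ALLOWLIST:
            continue
        drops.append({"pid": ev["pid"], "creator": ev["image"], "path": ev["target"],
                      "random_name": bool(RANDOM_NAME_RE.match(basename(ev["target"])))})
    dropped = {d["path"].lower() for d in drops}
    for d in drops:
        d["creator_was_dropped"] = d["creator"].lower() in dropped
    return drops


def resolve_wow64_path(path, process_is_32bit=True):
    """Why the process table's CMD column says System32 while Path says SysWOW64: on 64-bit
    Windows, file-system redirection sends a 32-bit process's System32 access to SysWOW64."""
    if process_is_32bit:
        return re.sub(r"(?i)\\windows\\system32\\", r"\\Windows\\SysWOW64\\", path)
    return path


if __name__ == "__main__":
    for f in find_ssodl_persistence(EVENTS):
        print("SSODL persistence:", f)
    for d in find_system_dir_drops(EVENTS):
        print("system-dir drop:", d)
    print(resolve_wow64_path(r"C:\WINDOWS\system32\Gliqcmjk.exe"))
```

On the constructed events the SSODL finding reports the CLSID as registered but with `dll` unknown, mirroring the report, which logs ThreadingModel but not the InProcServer32 default value; the drop finder flags the three SysWOW64 writes, skips the PowerShell temp file and the allowlisted TrustedInstaller write, and marks Fciflaac.exe as written by a process that was itself dropped.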
| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 5548 | svchost.exe | GET | 200 | 2.16.164.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | unknown |
| 5996 | RUXIMICS.exe | GET | 200 | 2.16.164.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | unknown |
| 5140 | MoUsoCoreWorker.exe | GET | 200 | 2.16.164.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | unknown |
| 5548 | svchost.exe | GET | 200 | 88.221.125.143:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | unknown |
| 5996 | RUXIMICS.exe | GET | 200 | 88.221.125.143:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | unknown |
| 5140 | MoUsoCoreWorker.exe | GET | 200 | 88.221.125.143:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | unknown |
| 2908 | OfficeClickToRun.exe | POST | 200 | 52.168.112.67:443 | https://self.events.data.microsoft.com/OneCollector/1.0/ | unknown | binary | 9 b | unknown |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 5548 | svchost.exe | 40.127.240.158:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
| 5996 | RUXIMICS.exe | 40.127.240.158:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
| 5140 | MoUsoCoreWorker.exe | 40.127.240.158:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
| 5548 | svchost.exe | 2.16.164.120:80 | crl.microsoft.com | Akamai International B.V. | NL | unknown |
| 5996 | RUXIMICS.exe | 2.16.164.120:80 | crl.microsoft.com | Akamai International B.V. | NL | unknown |
| 5140 | MoUsoCoreWorker.exe | 2.16.164.120:80 | crl.microsoft.com | Akamai International B.V. | NL | unknown |
| 5548 | svchost.exe | 88.221.125.143:80 | www.microsoft.com | AKAMAI-AS | DE | unknown |
| 5996 | RUXIMICS.exe | 88.221.125.143:80 | www.microsoft.com | AKAMAI-AS | DE | unknown |
| 5140 | MoUsoCoreWorker.exe | 88.221.125.143:80 | www.microsoft.com | AKAMAI-AS | DE | unknown |
| 5140 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |

All HTTP requests and connections in this run come from Windows and Office components (svchost.exe, RUXIMICS.exe, MoUsoCoreWorker.exe, OfficeClickToRun.exe) fetching Microsoft CRLs and sending telemetry; none is attributed to the sample or to any of its dropped copies, so this report shows no command-and-control traffic. Note that PID 5996 appears here as RUXIMICS.exe and in the file table as Flnahodh.exe: the PID was reused during the run, so do not join these tables on PID alone.
| Domain | IP | Reputation |
|---|---|---|
| crl.microsoft.com | — | whitelisted |
| www.microsoft.com | — | whitelisted |
| settings-win.data.microsoft.com | — | whitelisted |
| watson.events.data.microsoft.com | — | whitelisted |
| self.events.data.microsoft.com | — | whitelisted |