analyze malware
- Huge database of samples and IOCs
- Custom VM setup
- Unlimited submissions
- Interactive approach
| File name: | 3cc86ffa9cbda978789c4cc22e7f93ffab62eb5b7f77c0a94d3771fa2f3edcd0.exe |
| Full analysis: | https://app.any.run/tasks/8c02c0eb-a9f6-42bb-b8ad-216631dad807 |
| Verdict: | Malicious activity |
| Analysis date: | May 21, 2024, 02:16:49 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | 20B71D9DA27BEC702E901AAF7F44FFB0 |
| SHA1: | B613AA8E8E022FC4BFFEFAE9419CAF35A5E8CA2F |
| SHA256: | 3CC86FFA9CBDA978789C4CC22E7F93FFAB62EB5B7F77C0A94D3771FA2F3EDCD0 |
| SSDEEP: | 6144://JZVQ83chNfrlWjHhbCl7nq/q8s3FE0668:/dfiliA7q/EJ668 |
MALICIOUS
Creates a writable file in the system directory
- 3cc86ffa9cbda978789c4cc22e7f93ffab62eb5b7f77c0a94d3771fa2f3edcd0.exe (PID: 1604)
- Fngdik32.exe (PID: 5752)
- Fealeeon.exe (PID: 5824)
- Fgphaqnb.exe (PID: 2528)
- Fmlajgli.exe (PID: 4280)
- Flnahodh.exe (PID: 5996)
- Fecikeml.exe (PID: 2600)
- Fajjpfbp.exe (PID: 4852)
- Fciflaac.exe (PID: 3528)
- Flpnmobf.exe (PID: 5900)
- Gckbaapa.exe (PID: 4264)
- Gamfeepm.exe (PID: 3916)
- Gnqgoj32.exe (PID: 2540)
- Gekoldgc.exe (PID: 1492)
- Ghikhofg.exe (PID: 3700)
- Gjggdkek.exe (PID: 4072)
- Gaapqe32.exe (PID: 5012)
- Ghkhmodd.exe (PID: 2524)
- Glgdnnln.exe (PID: 1512)
- Geohgc32.exe (PID: 5092)
- Gliqcmjk.exe (PID: 1428)
- Gmjmke32.exe (PID: 4024)
- Gddehpgf.exe (PID: 3376)
- Gnjjeh32.exe (PID: 4480)
- Gllmimhh.exe (PID: 2592)
- Hjqjjimp.exe (PID: 6184)
- Hmoffeld.exe (PID: 6204)
- Hahfad32.exe (PID: 6168)
- Hefogbmf.exe (PID: 6224)
- Hmacld32.exe (PID: 6268)
- Hjcgpikn.exe (PID: 6244)
- Hdkkhoan.exe (PID: 6292)
- Hkedei32.exe (PID: 6312)
- Hekhba32.exe (PID: 6352)
- Hoclkgoa.exe (PID: 6372)
- Hmdpad32.exe (PID: 6332)
- Habigb32.exe (PID: 6392)
- Hdpecn32.exe (PID: 6412)
- Iofiag32.exe (PID: 6432)
- Ihnnjlco.exe (PID: 6472)
- Iademb32.exe (PID: 6452)
- Iohfff32.exe (PID: 6492)
- Idenomic.exe (PID: 6512)
- Illfpkjf.exe (PID: 6532)
- Iedkip32.exe (PID: 6552)
- Ilncejhc.exe (PID: 6572)
- Imppmb32.exe (PID: 6596)
- Imblbblo.exe (PID: 6636)
- Idihjm32.exe (PID: 6616)
- Ieiddpla.exe (PID: 6656)
- Joaime32.exe (PID: 6676)
- Japeiq32.exe (PID: 6696)
- Jkhiaf32.exe (PID: 6716)
- Jnfena32.exe (PID: 6736)
- Jkjfgf32.exe (PID: 6776)
- Jdqnjlof.exe (PID: 6756)
- Jepjdo32.exe (PID: 6796)
- Jljbah32.exe (PID: 6816)
- Johomd32.exe (PID: 6836)
- Jebgjndf.exe (PID: 6856)
- Jllogh32.exe (PID: 6876)
- Jhcpliag.exe (PID: 6916)
- Jnnlnqaa.exe (PID: 6896)
- Knphdp32.exe (PID: 6936)
- Kkdimd32.exe (PID: 6976)
- Kegqem32.exe (PID: 6956)
- Keimkm32.exe (PID: 7016)
- Kopencfa.exe (PID: 6996)
- Kkfecd32.exe (PID: 7036)
- Kapnpn32.exe (PID: 7056)
Drops the executable file immediately after the start
- Fngdik32.exe (PID: 5752)
- powershell.exe (PID: 708)
- 3cc86ffa9cbda978789c4cc22e7f93ffab62eb5b7f77c0a94d3771fa2f3edcd0.exe (PID: 1604)
- Fealeeon.exe (PID: 5824)
- Fgphaqnb.exe (PID: 2528)
- Fmlajgli.exe (PID: 4280)
- Fecikeml.exe (PID: 2600)
- Fciflaac.exe (PID: 3528)
- Fajjpfbp.exe (PID: 4852)
- Flnahodh.exe (PID: 5996)
- Gamfeepm.exe (PID: 3916)
- Gckbaapa.exe (PID: 4264)
- Flpnmobf.exe (PID: 5900)
- Ghikhofg.exe (PID: 3700)
- Gekoldgc.exe (PID: 1492)
- Gnqgoj32.exe (PID: 2540)
- Gjggdkek.exe (PID: 4072)
- Ghkhmodd.exe (PID: 2524)
- Gaapqe32.exe (PID: 5012)
- Geohgc32.exe (PID: 5092)
- Gliqcmjk.exe (PID: 1428)
- Glgdnnln.exe (PID: 1512)
- Gmjmke32.exe (PID: 4024)
- Gddehpgf.exe (PID: 3376)
- Gnjjeh32.exe (PID: 4480)
- Gllmimhh.exe (PID: 2592)
- Hjqjjimp.exe (PID: 6184)
- Hahfad32.exe (PID: 6168)
- Hmoffeld.exe (PID: 6204)
- Hefogbmf.exe (PID: 6224)
- Hjcgpikn.exe (PID: 6244)
- Hmacld32.exe (PID: 6268)
- Hdkkhoan.exe (PID: 6292)
- Hkedei32.exe (PID: 6312)
- Hmdpad32.exe (PID: 6332)
- Hekhba32.exe (PID: 6352)
- Hoclkgoa.exe (PID: 6372)
- Habigb32.exe (PID: 6392)
- Iofiag32.exe (PID: 6432)
- Hdpecn32.exe (PID: 6412)
- Iademb32.exe (PID: 6452)
- Ihnnjlco.exe (PID: 6472)
- Idenomic.exe (PID: 6512)
- Iohfff32.exe (PID: 6492)
- Illfpkjf.exe (PID: 6532)
- Iedkip32.exe (PID: 6552)
- Ilncejhc.exe (PID: 6572)
- Imppmb32.exe (PID: 6596)
- Idihjm32.exe (PID: 6616)
- Imblbblo.exe (PID: 6636)
- Ieiddpla.exe (PID: 6656)
- Japeiq32.exe (PID: 6696)
- Joaime32.exe (PID: 6676)
- Jkhiaf32.exe (PID: 6716)
- Jnfena32.exe (PID: 6736)
- Jdqnjlof.exe (PID: 6756)
- Jkjfgf32.exe (PID: 6776)
- Jepjdo32.exe (PID: 6796)
- Jljbah32.exe (PID: 6816)
- Johomd32.exe (PID: 6836)
- Jebgjndf.exe (PID: 6856)
- Jnnlnqaa.exe (PID: 6896)
- Jllogh32.exe (PID: 6876)
- Jhcpliag.exe (PID: 6916)
- Knphdp32.exe (PID: 6936)
- Kegqem32.exe (PID: 6956)
- Kkdimd32.exe (PID: 6976)
- Kopencfa.exe (PID: 6996)
- Keimkm32.exe (PID: 7016)
- Kkfecd32.exe (PID: 7036)
- Kapnpn32.exe (PID: 7056)
SUSPICIOUS
Creates/Modifies COM task schedule object
- 3cc86ffa9cbda978789c4cc22e7f93ffab62eb5b7f77c0a94d3771fa2f3edcd0.exe (PID: 1604)
- Fngdik32.exe (PID: 5752)
- Fealeeon.exe (PID: 5824)
- Fgphaqnb.exe (PID: 2528)
- Fmlajgli.exe (PID: 4280)
- Fecikeml.exe (PID: 2600)
- Fajjpfbp.exe (PID: 4852)
- Flnahodh.exe (PID: 5996)
- Fciflaac.exe (PID: 3528)
- Flpnmobf.exe (PID: 5900)
- Gamfeepm.exe (PID: 3916)
- Gnqgoj32.exe (PID: 2540)
- Gckbaapa.exe (PID: 4264)
- Gekoldgc.exe (PID: 1492)
- Ghikhofg.exe (PID: 3700)
- Gjggdkek.exe (PID: 4072)
- Ghkhmodd.exe (PID: 2524)
- Gaapqe32.exe (PID: 5012)
- Glgdnnln.exe (PID: 1512)
- Geohgc32.exe (PID: 5092)
- Gliqcmjk.exe (PID: 1428)
- Gllmimhh.exe (PID: 2592)
- Gmjmke32.exe (PID: 4024)
- Gnjjeh32.exe (PID: 4480)
- Gddehpgf.exe (PID: 3376)
- Hmoffeld.exe (PID: 6204)
- Hjqjjimp.exe (PID: 6184)
- Hahfad32.exe (PID: 6168)
- Hmacld32.exe (PID: 6268)
- Hefogbmf.exe (PID: 6224)
- Hjcgpikn.exe (PID: 6244)
- Hkedei32.exe (PID: 6312)
- Hdkkhoan.exe (PID: 6292)
- Hekhba32.exe (PID: 6352)
- Hmdpad32.exe (PID: 6332)
- Hoclkgoa.exe (PID: 6372)
- Habigb32.exe (PID: 6392)
- Hdpecn32.exe (PID: 6412)
- Iofiag32.exe (PID: 6432)
- Iademb32.exe (PID: 6452)
- Ihnnjlco.exe (PID: 6472)
- Iohfff32.exe (PID: 6492)
- Idenomic.exe (PID: 6512)
- Illfpkjf.exe (PID: 6532)
- Iedkip32.exe (PID: 6552)
- Ilncejhc.exe (PID: 6572)
- Imppmb32.exe (PID: 6596)
- Imblbblo.exe (PID: 6636)
- Ieiddpla.exe (PID: 6656)
- Joaime32.exe (PID: 6676)
- Idihjm32.exe (PID: 6616)
- Japeiq32.exe (PID: 6696)
- Jkhiaf32.exe (PID: 6716)
- Jnfena32.exe (PID: 6736)
- Jdqnjlof.exe (PID: 6756)
- Jkjfgf32.exe (PID: 6776)
- Jepjdo32.exe (PID: 6796)
- Jljbah32.exe (PID: 6816)
- Jllogh32.exe (PID: 6876)
- Johomd32.exe (PID: 6836)
- Jnnlnqaa.exe (PID: 6896)
- Jebgjndf.exe (PID: 6856)
- Jhcpliag.exe (PID: 6916)
- Knphdp32.exe (PID: 6936)
- Kkdimd32.exe (PID: 6976)
- Kegqem32.exe (PID: 6956)
- Keimkm32.exe (PID: 7016)
- Kopencfa.exe (PID: 6996)
- Kkfecd32.exe (PID: 7036)
- Kapnpn32.exe (PID: 7056)
Executable content was dropped or overwritten
- 3cc86ffa9cbda978789c4cc22e7f93ffab62eb5b7f77c0a94d3771fa2f3edcd0.exe (PID: 1604)
- Fngdik32.exe (PID: 5752)
- Fealeeon.exe (PID: 5824)
- Fgphaqnb.exe (PID: 2528)
- Fmlajgli.exe (PID: 4280)
- Fecikeml.exe (PID: 2600)
- Flnahodh.exe (PID: 5996)
- Fajjpfbp.exe (PID: 4852)
- Fciflaac.exe (PID: 3528)
- Flpnmobf.exe (PID: 5900)
- Gamfeepm.exe (PID: 3916)
- Gckbaapa.exe (PID: 4264)
- Gnqgoj32.exe (PID: 2540)
- Gekoldgc.exe (PID: 1492)
- Ghikhofg.exe (PID: 3700)
- Gjggdkek.exe (PID: 4072)
- Gaapqe32.exe (PID: 5012)
- Ghkhmodd.exe (PID: 2524)
- Glgdnnln.exe (PID: 1512)
- Geohgc32.exe (PID: 5092)
- Gliqcmjk.exe (PID: 1428)
- Gmjmke32.exe (PID: 4024)
- Gddehpgf.exe (PID: 3376)
- Gllmimhh.exe (PID: 2592)
- Gnjjeh32.exe (PID: 4480)
- Hahfad32.exe (PID: 6168)
- Hjqjjimp.exe (PID: 6184)
- Hmoffeld.exe (PID: 6204)
- Hefogbmf.exe (PID: 6224)
- Hjcgpikn.exe (PID: 6244)
- Hdkkhoan.exe (PID: 6292)
- Hmacld32.exe (PID: 6268)
- Hkedei32.exe (PID: 6312)
- Hmdpad32.exe (PID: 6332)
- Hekhba32.exe (PID: 6352)
- Hoclkgoa.exe (PID: 6372)
- Habigb32.exe (PID: 6392)
- Hdpecn32.exe (PID: 6412)
- Iofiag32.exe (PID: 6432)
- Iademb32.exe (PID: 6452)
- Ihnnjlco.exe (PID: 6472)
- Iohfff32.exe (PID: 6492)
- Idenomic.exe (PID: 6512)
- Illfpkjf.exe (PID: 6532)
- Ilncejhc.exe (PID: 6572)
- Iedkip32.exe (PID: 6552)
- Imppmb32.exe (PID: 6596)
- Idihjm32.exe (PID: 6616)
- Ieiddpla.exe (PID: 6656)
- Imblbblo.exe (PID: 6636)
- Joaime32.exe (PID: 6676)
- Japeiq32.exe (PID: 6696)
- Jkhiaf32.exe (PID: 6716)
- Jdqnjlof.exe (PID: 6756)
- Jnfena32.exe (PID: 6736)
- Jkjfgf32.exe (PID: 6776)
- Jepjdo32.exe (PID: 6796)
- Jljbah32.exe (PID: 6816)
- Jllogh32.exe (PID: 6876)
- Johomd32.exe (PID: 6836)
- Jebgjndf.exe (PID: 6856)
- Jnnlnqaa.exe (PID: 6896)
- Jhcpliag.exe (PID: 6916)
- Knphdp32.exe (PID: 6936)
- Kegqem32.exe (PID: 6956)
- Kkdimd32.exe (PID: 6976)
- Keimkm32.exe (PID: 7016)
- Kopencfa.exe (PID: 6996)
- Kapnpn32.exe (PID: 7056)
- Kkfecd32.exe (PID: 7036)
Executes application which crashes
- Klfbmg32.exe (PID: 7076)
INFO
Checks supported languages
- Fngdik32.exe (PID: 5752)
- 3cc86ffa9cbda978789c4cc22e7f93ffab62eb5b7f77c0a94d3771fa2f3edcd0.exe (PID: 1604)
- Fealeeon.exe (PID: 5824)
- Fgphaqnb.exe (PID: 2528)
- Fmlajgli.exe (PID: 4280)
- Flnahodh.exe (PID: 5996)
- Fecikeml.exe (PID: 2600)
- Fciflaac.exe (PID: 3528)
- Fajjpfbp.exe (PID: 4852)
- Flpnmobf.exe (PID: 5900)
- Gamfeepm.exe (PID: 3916)
- Gckbaapa.exe (PID: 4264)
- Ghikhofg.exe (PID: 3700)
- Gnqgoj32.exe (PID: 2540)
- Gekoldgc.exe (PID: 1492)
- Gaapqe32.exe (PID: 5012)
- Gjggdkek.exe (PID: 4072)
- Ghkhmodd.exe (PID: 2524)
- Glgdnnln.exe (PID: 1512)
- Geohgc32.exe (PID: 5092)
- Gmjmke32.exe (PID: 4024)
- Gliqcmjk.exe (PID: 1428)
- Gllmimhh.exe (PID: 2592)
- Gddehpgf.exe (PID: 3376)
- Gnjjeh32.exe (PID: 4480)
- Hahfad32.exe (PID: 6168)
- Hmoffeld.exe (PID: 6204)
- Hjqjjimp.exe (PID: 6184)
- Hefogbmf.exe (PID: 6224)
- Hmacld32.exe (PID: 6268)
- Hdkkhoan.exe (PID: 6292)
- Hjcgpikn.exe (PID: 6244)
- Hkedei32.exe (PID: 6312)
- Hmdpad32.exe (PID: 6332)
- Hoclkgoa.exe (PID: 6372)
- Hekhba32.exe (PID: 6352)
- Habigb32.exe (PID: 6392)
- Iofiag32.exe (PID: 6432)
- Hdpecn32.exe (PID: 6412)
- Iademb32.exe (PID: 6452)
- Ihnnjlco.exe (PID: 6472)
- Idenomic.exe (PID: 6512)
- Iohfff32.exe (PID: 6492)
- Illfpkjf.exe (PID: 6532)
- Ilncejhc.exe (PID: 6572)
- Iedkip32.exe (PID: 6552)
- Imppmb32.exe (PID: 6596)
- Imblbblo.exe (PID: 6636)
- Idihjm32.exe (PID: 6616)
- Ieiddpla.exe (PID: 6656)
- Joaime32.exe (PID: 6676)
- Japeiq32.exe (PID: 6696)
- Jkhiaf32.exe (PID: 6716)
- Jdqnjlof.exe (PID: 6756)
- Jnfena32.exe (PID: 6736)
- Jkjfgf32.exe (PID: 6776)
- Jepjdo32.exe (PID: 6796)
- Johomd32.exe (PID: 6836)
- Jljbah32.exe (PID: 6816)
- Jebgjndf.exe (PID: 6856)
- Jnnlnqaa.exe (PID: 6896)
- Jllogh32.exe (PID: 6876)
- Jhcpliag.exe (PID: 6916)
- Knphdp32.exe (PID: 6936)
- Kegqem32.exe (PID: 6956)
- Kkdimd32.exe (PID: 6976)
- Kopencfa.exe (PID: 6996)
- Keimkm32.exe (PID: 7016)
- Klfbmg32.exe (PID: 7076)
- Kkfecd32.exe (PID: 7036)
- Kapnpn32.exe (PID: 7056)
Creates files or folders in the user directory
- WerFault.exe (PID: 7160)
Reads the software policy settings
- WerFault.exe (PID: 7160)
Checks proxy server information
- WerFault.exe (PID: 7160)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win64 Executable (generic) (49.4) |
|---|---|---|
| .scr | | | Windows screen saver (23.4) |
| .dll | | | Win32 Dynamic Link Library (generic) (11.7) |
| .exe | | | Win32 Executable (generic) (8) |
| .exe | | | Generic Win/DOS Executable (3.5) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 1976:08:18 05:39:38+00:00 |
| ImageFileCharacteristics: | Executable, No line numbers, No symbols, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 2.55 |
| CodeSize: | 53248 |
| InitializedDataSize: | 18944 |
| UninitializedDataSize: | 125440 |
| EntryPoint: | 0x33000 |
| OSVersion: | 1 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
Total processes
192
Monitored processes
75
Malicious processes
69
Suspicious processes
2
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 708 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Minimized -Command "Start-Process C:\Users\admin\Desktop\3cc86ffa9cbda978789c4cc22e7f93ffab62eb5b7f77c0a94d3771fa2f3edcd0.exe -Verb runas ; echo 'Started the file with administrator privileges, this is not part of the sample!' ; exit 0 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5244 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1604 | "C:\Users\admin\Desktop\3cc86ffa9cbda978789c4cc22e7f93ffab62eb5b7f77c0a94d3771fa2f3edcd0.exe" | C:\Users\admin\Desktop\3cc86ffa9cbda978789c4cc22e7f93ffab62eb5b7f77c0a94d3771fa2f3edcd0.exe | powershell.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 1 Modules
| |||||||||||||||
| 5752 | C:\WINDOWS\system32\Fngdik32.exe | C:\Windows\SysWOW64\Fngdik32.exe | 3cc86ffa9cbda978789c4cc22e7f93ffab62eb5b7f77c0a94d3771fa2f3edcd0.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 1 Modules
| |||||||||||||||
| 5824 | C:\WINDOWS\system32\Fealeeon.exe | C:\Windows\SysWOW64\Fealeeon.exe | Fngdik32.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 1 Modules
| |||||||||||||||
| 2528 | C:\WINDOWS\system32\Fgphaqnb.exe | C:\Windows\SysWOW64\Fgphaqnb.exe | Fealeeon.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 1 Modules
| |||||||||||||||
| 4280 | C:\WINDOWS\system32\Fmlajgli.exe | C:\Windows\SysWOW64\Fmlajgli.exe | Fgphaqnb.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 1 Modules
| |||||||||||||||
| 2600 | C:\WINDOWS\system32\Fecikeml.exe | C:\Windows\SysWOW64\Fecikeml.exe | Fmlajgli.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 1 Modules
| |||||||||||||||
| 5996 | C:\WINDOWS\system32\Flnahodh.exe | C:\Windows\SysWOW64\Flnahodh.exe | Fecikeml.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 1 Modules
| |||||||||||||||
| 4852 | C:\WINDOWS\system32\Fajjpfbp.exe | C:\Windows\SysWOW64\Fajjpfbp.exe | Flnahodh.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 1 Modules
| |||||||||||||||
Total events
17 904
Read events
17 729
Write events
172
Delete events
3
Modification events
| (PID) Process: | (708) powershell.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (708) powershell.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (708) powershell.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (708) powershell.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
| (PID) Process: | (1604) 3cc86ffa9cbda978789c4cc22e7f93ffab62eb5b7f77c0a94d3771fa2f3edcd0.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 |
| Operation: | write | Name: | ThreadingModel |
Value: Apartment | |||
| (PID) Process: | (1604) 3cc86ffa9cbda978789c4cc22e7f93ffab62eb5b7f77c0a94d3771fa2f3edcd0.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad |
| Operation: | write | Name: | Web Event Logger |
Value: {79FAA099-1BAE-816E-D711-115290CEE717} | |||
| (PID) Process: | (5752) Fngdik32.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 |
| Operation: | write | Name: | ThreadingModel |
Value: Apartment | |||
| (PID) Process: | (5752) Fngdik32.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad |
| Operation: | write | Name: | Web Event Logger |
Value: {79FAA099-1BAE-816E-D711-115290CEE717} | |||
| (PID) Process: | (5824) Fealeeon.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 |
| Operation: | write | Name: | ThreadingModel |
Value: Apartment | |||
| (PID) Process: | (5824) Fealeeon.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad |
| Operation: | write | Name: | Web Event Logger |
Value: {79FAA099-1BAE-816E-D711-115290CEE717} | |||
Executable files
140
Suspicious files
8
Text files
4
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 708 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms | — | |
MD5:— | SHA256:— | |||
| 1604 | 3cc86ffa9cbda978789c4cc22e7f93ffab62eb5b7f77c0a94d3771fa2f3edcd0.exe | C:\WINDOWS\SysWOW64\Bpneombf.dll | executable | |
MD5:E1DA5996CF59A607066BE28907D2AF8E | SHA256:A6E87F06997219A77A3CC79983AFD8FC67F57C4155E3C3D13846169A57D9E9E3 | |||
| 2528 | Fgphaqnb.exe | C:\WINDOWS\SysWOW64\Ekohkbhc.dll | executable | |
MD5:719DBFD16CB138422419F74FB8300DE1 | SHA256:7D512D9FFEF1CDAAF33DE13BFAFF224C9A0182B1DADA62D42CDFE5F916AD2251 | |||
| 708 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ydy321ab.wt5.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 708 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ywsxllbd.dpj.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 5824 | Fealeeon.exe | C:\WINDOWS\SysWOW64\Nioohggo.dll | executable | |
MD5:470FFDB9CA997DC1E3EC5CE9EA69DB22 | SHA256:3A144A9BF325CDFE7D8C9206247E4606ADD1AC435E5194D1C10D5AAA88857974 | |||
| 2600 | Fecikeml.exe | C:\WINDOWS\SysWOW64\Flnahodh.exe | executable | |
MD5:0E26CDD05726E2BA5454B49B15E53671 | SHA256:2E7E405A82F07B19D9DE3FB20F4548B154872457621AAC22228293A7A5A159FF | |||
| 2600 | Fecikeml.exe | C:\WINDOWS\SysWOW64\Dofhjc32.dll | executable | |
MD5:958CD2E78269C31803DE344E55925C1B | SHA256:55FD935D397F29E3C23D06977036F8A71366C1B2366085A0882D748AA9EA77E2 | |||
| 708 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF114b5e.TMP | binary | |
MD5:D040F64E9E7A2BB91ABCA5613424598E | SHA256:D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670 | |||
| 4280 | Fmlajgli.exe | C:\WINDOWS\SysWOW64\Dppfkj32.dll | executable | |
MD5:3280FDCCCF72A050197E46B65225703A | SHA256:015E5E92CED3C3BEA0503B348005A1CF2A6D1F9AC938CED6B3797B951051C720 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
22
DNS requests
6
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
5140 | MoUsoCoreWorker.exe | GET | 200 | 2.16.164.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | unknown |
5548 | svchost.exe | GET | 200 | 88.221.125.143:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | unknown |
5548 | svchost.exe | GET | 200 | 2.16.164.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | unknown |
5996 | RUXIMICS.exe | GET | 200 | 2.16.164.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | unknown |
5996 | RUXIMICS.exe | GET | 200 | 88.221.125.143:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | unknown |
5140 | MoUsoCoreWorker.exe | GET | 200 | 88.221.125.143:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | unknown |
2908 | OfficeClickToRun.exe | POST | 200 | 52.168.112.67:443 | https://self.events.data.microsoft.com/OneCollector/1.0/ | unknown | binary | 9 b | — |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
5548 | svchost.exe | 40.127.240.158:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
5996 | RUXIMICS.exe | 40.127.240.158:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
5140 | MoUsoCoreWorker.exe | 40.127.240.158:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
5548 | svchost.exe | 2.16.164.120:80 | crl.microsoft.com | Akamai International B.V. | NL | unknown |
5996 | RUXIMICS.exe | 2.16.164.120:80 | crl.microsoft.com | Akamai International B.V. | NL | unknown |
5140 | MoUsoCoreWorker.exe | 2.16.164.120:80 | crl.microsoft.com | Akamai International B.V. | NL | unknown |
5548 | svchost.exe | 88.221.125.143:80 | www.microsoft.com | AKAMAI-AS | DE | unknown |
5996 | RUXIMICS.exe | 88.221.125.143:80 | www.microsoft.com | AKAMAI-AS | DE | unknown |
5140 | MoUsoCoreWorker.exe | 88.221.125.143:80 | www.microsoft.com | AKAMAI-AS | DE | unknown |
5140 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
settings-win.data.microsoft.com |
| whitelisted |
watson.events.data.microsoft.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |