08fb2fa5fb0ef7dda771ba1dbd4f3c3e63a5fccb616c099200a146632d24193e

Analysis

max time kernel
110s
max time network
18s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
06/08/2024, 05:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

63c398664990d386ac7effaf3625bed0N.exe
Size

45KB
MD5

63c398664990d386ac7effaf3625bed0
SHA1

96fd8d39864525335d225a9ab39d6f703c816526
SHA256

08fb2fa5fb0ef7dda771ba1dbd4f3c3e63a5fccb616c099200a146632d24193e
SHA512

99ff1da61f8810d50892204dd384824f024c739be3b286bafb189b8579bb2c48ab5f768966f8ef9ec4a950533fcc2bcba929ab0b9d7a12ef1987e257fa648386
SSDEEP

768:ED42XHw/tc682BrQVVoiIew3w2I0lFPVd+Izo+7PcrOWqKuRIx47mYXc/1H5C:Ecmw/tc682ROoiox1rVd+IjgOWqKuRFd

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olehbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olehbh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oclpdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oclpdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	63c398664990d386ac7effaf3625bed0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Omddmkhl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onfadc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oepianef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	63c398664990d386ac7effaf3625bed0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oiiilm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omddmkhl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onfadc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oiiilm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oepianef.exe

Executes dropped EXE 7 IoCs

pid	Process
2304	Olehbh32.exe
1572	Oclpdf32.exe
2700	Oiiilm32.exe
2832	Omddmkhl.exe
2732	Onfadc32.exe
1412	Oepianef.exe
2612	Ohnemidj.exe

Loads dropped DLL 18 IoCs

pid	Process
1732	63c398664990d386ac7effaf3625bed0N.exe
1732	63c398664990d386ac7effaf3625bed0N.exe
2304	Olehbh32.exe
2304	Olehbh32.exe
1572	Oclpdf32.exe
1572	Oclpdf32.exe
2700	Oiiilm32.exe
2700	Oiiilm32.exe
2832	Omddmkhl.exe
2832	Omddmkhl.exe
2732	Onfadc32.exe
2732	Onfadc32.exe
1412	Oepianef.exe
1412	Oepianef.exe
2680	WerFault.exe
2680	WerFault.exe
2680	WerFault.exe
2680	WerFault.exe

Drops file in System32 directory 21 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Oclpdf32.exe	Olehbh32.exe
File created	C:\Windows\SysWOW64\Oiiilm32.exe	Oclpdf32.exe
File created	C:\Windows\SysWOW64\Qenpjecb.dll	Oclpdf32.exe
File opened for modification	C:\Windows\SysWOW64\Omddmkhl.exe	Oiiilm32.exe
File created	C:\Windows\SysWOW64\Onfadc32.exe	Omddmkhl.exe
File opened for modification	C:\Windows\SysWOW64\Oepianef.exe	Onfadc32.exe
File created	C:\Windows\SysWOW64\Olehbh32.exe	63c398664990d386ac7effaf3625bed0N.exe
File opened for modification	C:\Windows\SysWOW64\Oclpdf32.exe	Olehbh32.exe
File opened for modification	C:\Windows\SysWOW64\Onfadc32.exe	Omddmkhl.exe
File created	C:\Windows\SysWOW64\Jgjgfacn.dll	Omddmkhl.exe
File created	C:\Windows\SysWOW64\Ohnemidj.exe	Oepianef.exe
File opened for modification	C:\Windows\SysWOW64\Ohnemidj.exe	Oepianef.exe
File created	C:\Windows\SysWOW64\Oepianef.exe	Onfadc32.exe
File created	C:\Windows\SysWOW64\Nafbcl32.dll	Onfadc32.exe
File opened for modification	C:\Windows\SysWOW64\Olehbh32.exe	63c398664990d386ac7effaf3625bed0N.exe
File created	C:\Windows\SysWOW64\Imfkindn.dll	63c398664990d386ac7effaf3625bed0N.exe
File created	C:\Windows\SysWOW64\Hpamlo32.dll	Olehbh32.exe
File opened for modification	C:\Windows\SysWOW64\Oiiilm32.exe	Oclpdf32.exe
File created	C:\Windows\SysWOW64\Omddmkhl.exe	Oiiilm32.exe
File created	C:\Windows\SysWOW64\Gobhkhgi.dll	Oiiilm32.exe
File created	C:\Windows\SysWOW64\Fifjgemj.dll	Oepianef.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2680	2612	WerFault.exe	35

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olehbh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oclpdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oiiilm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omddmkhl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onfadc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oepianef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohnemidj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	63c398664990d386ac7effaf3625bed0N.exe

Modifies registry class 24 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	63c398664990d386ac7effaf3625bed0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpamlo32.dll"	Olehbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oclpdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Omddmkhl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Onfadc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	63c398664990d386ac7effaf3625bed0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	63c398664990d386ac7effaf3625bed0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oclpdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Onfadc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qenpjecb.dll"	Oclpdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oiiilm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gobhkhgi.dll"	Oiiilm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oepianef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oiiilm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Omddmkhl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgjgfacn.dll"	Omddmkhl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	63c398664990d386ac7effaf3625bed0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	63c398664990d386ac7effaf3625bed0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imfkindn.dll"	63c398664990d386ac7effaf3625bed0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olehbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olehbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nafbcl32.dll"	Onfadc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oepianef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fifjgemj.dll"	Oepianef.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 2304	1732	63c398664990d386ac7effaf3625bed0N.exe	29
PID 1732 wrote to memory of 2304	1732	63c398664990d386ac7effaf3625bed0N.exe	29
PID 1732 wrote to memory of 2304	1732	63c398664990d386ac7effaf3625bed0N.exe	29
PID 1732 wrote to memory of 2304	1732	63c398664990d386ac7effaf3625bed0N.exe	29
PID 2304 wrote to memory of 1572	2304	Olehbh32.exe	30
PID 2304 wrote to memory of 1572	2304	Olehbh32.exe	30
PID 2304 wrote to memory of 1572	2304	Olehbh32.exe	30
PID 2304 wrote to memory of 1572	2304	Olehbh32.exe	30
PID 1572 wrote to memory of 2700	1572	Oclpdf32.exe	31
PID 1572 wrote to memory of 2700	1572	Oclpdf32.exe	31
PID 1572 wrote to memory of 2700	1572	Oclpdf32.exe	31
PID 1572 wrote to memory of 2700	1572	Oclpdf32.exe	31
PID 2700 wrote to memory of 2832	2700	Oiiilm32.exe	32
PID 2700 wrote to memory of 2832	2700	Oiiilm32.exe	32
PID 2700 wrote to memory of 2832	2700	Oiiilm32.exe	32
PID 2700 wrote to memory of 2832	2700	Oiiilm32.exe	32
PID 2832 wrote to memory of 2732	2832	Omddmkhl.exe	33
PID 2832 wrote to memory of 2732	2832	Omddmkhl.exe	33
PID 2832 wrote to memory of 2732	2832	Omddmkhl.exe	33
PID 2832 wrote to memory of 2732	2832	Omddmkhl.exe	33
PID 2732 wrote to memory of 1412	2732	Onfadc32.exe	34
PID 2732 wrote to memory of 1412	2732	Onfadc32.exe	34
PID 2732 wrote to memory of 1412	2732	Onfadc32.exe	34
PID 2732 wrote to memory of 1412	2732	Onfadc32.exe	34
PID 1412 wrote to memory of 2612	1412	Oepianef.exe	35
PID 1412 wrote to memory of 2612	1412	Oepianef.exe	35
PID 1412 wrote to memory of 2612	1412	Oepianef.exe	35
PID 1412 wrote to memory of 2612	1412	Oepianef.exe	35
PID 2612 wrote to memory of 2680	2612	Ohnemidj.exe	36
PID 2612 wrote to memory of 2680	2612	Ohnemidj.exe	36
PID 2612 wrote to memory of 2680	2612	Ohnemidj.exe	36
PID 2612 wrote to memory of 2680	2612	Ohnemidj.exe	36

C:\Users\Admin\AppData\Local\Temp\63c398664990d386ac7effaf3625bed0N.exe
"C:\Users\Admin\AppData\Local\Temp\63c398664990d386ac7effaf3625bed0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Windows\SysWOW64\Olehbh32.exe
  C:\Windows\system32\Olehbh32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2304
- - C:\Windows\SysWOW64\Oclpdf32.exe
    C:\Windows\system32\Oclpdf32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1572
  - - C:\Windows\SysWOW64\Oiiilm32.exe
      C:\Windows\system32\Oiiilm32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2700
    - - C:\Windows\SysWOW64\Omddmkhl.exe
        
        C:\Windows\system32\Omddmkhl.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2832
      - C:\Windows\SysWOW64\Onfadc32.exe
        
        C:\Windows\system32\Onfadc32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Windows\SysWOW64\Oepianef.exe
        
        C:\Windows\system32\Oepianef.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1412
        
        C:\Windows\SysWOW64\Ohnemidj.exe
        
        C:\Windows\system32\Ohnemidj.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2612
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 140
        9⤵
        Loads dropped DLL
        Program crash
        
        PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ohnemidj.exe

Filesize
45KB

MD5
f823d91d930ae2822b47b6c8300c0e3f

SHA1
f238e8081ee03f786f3fe40836270d5b1dbdf5a0

SHA256
6c01c02f66b12e5379b00f2bf70fafa7733f8ed4840d0c2c214be825c05008a3

SHA512
e0dd06e30456176fdef886be21b422746988bf6a5a9c1c91979f1e404c8e8f3d926af4a1e192f542d103b605cc5bcf6584902e73213a8698e0c6ab7aa60594a8

Download Submit
C:\Windows\SysWOW64\Oiiilm32.exe

Filesize
45KB

MD5
384b29ed4993ae222939b21a35085a59

SHA1
72f7afbe72692d3523fa2095027dce21cf0f6e73

SHA256
0f586608e7f8982c14538b220380172fe66b1c0b010b9c803dceca0953379d42

SHA512
e75e969a7561da0d2e5941be0de744541ef55612fddc825f51af6388215d72c2ff291b585044ed9b5fa8b14ca808f372b1eb41b2c046542c50878b251472e615

Download Submit
\Windows\SysWOW64\Oclpdf32.exe

Filesize
45KB

MD5
7a210b2fcb0793d0569c398376f994ac

SHA1
055ca335222eb0a103203f805e9ef0d5e7585c60

SHA256
d77cede015a38e3b1eb3890acc596dff3a394d4fad7fac37b185345095847659

SHA512
f6cd06daf081f75bdb7d05fec160ed459eb4514c5afadd47301aaaa426844440348355a8bc267c2272cb3ddae9aa17f5ad9688d32bf0c08b2272ddbb9752c776

Download Submit
\Windows\SysWOW64\Oepianef.exe

Filesize
45KB

MD5
60198b5f3d42f29df0681d513c97faab

SHA1
e516a7988e68256562f4145c468f6a9b1ecdcb0a

SHA256
53fadc7b58dac871983aa1545ce64f19cc96a8e6fe54dc4d119a769192ccc6a8

SHA512
d7b9cbdb29103026a1386cee82e7aa5ccb754dd6c12572828474f272ad1ed02864b74c6a5278335accc175c40ee684ed23e53f12770d4d6938fe856bdf40afab

Download Submit
\Windows\SysWOW64\Olehbh32.exe

Filesize
45KB

MD5
377f3bd8ddc0506fba119ddc17e395f9

SHA1
7b0ea97b512e3c6cf9e6c3aefd8e8d99caf78be0

SHA256
1d50cf221546196b3fd424569371a31688e2f8ec1d4b97ec56c60731d4e75b7b

SHA512
1b1ef2aaf3d47a1c3bfd0cf4f1ca1453dfcf73ad91f91bd7556ebd7e35bfe560ae6a04e3f0e4e9e9cad69cfa6d074e12724468340c6407c65793511be13ec12f

Download Submit
\Windows\SysWOW64\Omddmkhl.exe

Filesize
45KB

MD5
f10d09e3e43c46227f8ddea033579515

SHA1
8f1a52cfc89411db25e497725b44fcfb740ec811

SHA256
2a1badcb9b4367efee4330560ebfdf0ca929c907e8918ab5dbe6c97522ab7b42

SHA512
af2aa3e8f3fdc79b1cedc58fd1335f12a6f475a41afc9f01757b2cc2e3a7cb84adfc4ed9b74d5e2fc9040b2736e01c13f9d83bb4c93e045c77ffee6670a9cade

Download Submit
\Windows\SysWOW64\Onfadc32.exe

Filesize
45KB

MD5
2f92c791f47f9713ca4a23916d719a40

SHA1
b2217b243dfd35b8c19330e2f85bd1b7705f740d

SHA256
62c8b28074b32078be662688d40bee4b28979d2c88f779990a179e0531987637

SHA512
7c4eab1dd684a36651c8d4cf2773f4194b4622c7ea30f2ba83cb7694f2a3dfe58f77d2ce7f71caa3040f1a5d72fccdbb0ffa12a7e78a777c13946bee8a222e7a

Download Submit
memory/1412-108-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1412-92-0x0000000000270000-0x000000000029F000-memory.dmp

Filesize
188KB

Download
memory/1412-84-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1572-28-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1572-42-0x0000000000290000-0x00000000002BF000-memory.dmp

Filesize
188KB

Download
memory/1572-104-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1572-41-0x0000000000290000-0x00000000002BF000-memory.dmp

Filesize
188KB

Download
memory/1732-12-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1732-13-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1732-102-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1732-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2304-103-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2304-22-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2304-14-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2612-109-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2700-43-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2700-60-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2700-105-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2732-83-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/2732-70-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2732-107-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2832-106-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2832-61-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads