Analysis Overview
SHA256
f3c5aa8c6d0efd31fdf284357d7fe29a1ff850683882b4f485d5a33131958122
Threat Level: Known bad
The file f3c5aa8c6d0efd31fdf284357d7fe29a1ff850683882b4f485d5a33131958122N was found to be: Known bad.
Malicious Activity Summary
Windows security bypass
Event Triggered Execution: Image File Execution Options Injection
Boot or Logon Autostart Execution: Active Setup
Loads dropped DLL
Windows security modification
Executes dropped EXE
Modifies WinLogon
Indicator Removal: Clear Persistence
Drops file in System32 directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-04 03:29
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-04 03:29
Reported
2024-11-04 03:32
Platform
win7-20240903-en
Max time kernel
149s
Max time network
125s
Command Line
Signatures
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B484254-484a-4641-4B48-4254484A4641}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B484254-484a-4641-4B48-4254484A4641}\IsInstalled = "1" | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B484254-484a-4641-4B48-4254484A4641}\StubPath = "C:\\Windows\\system32\\oucsukar.exe" | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B484254-484a-4641-4B48-4254484A4641} | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
Event Triggered Execution: Image File Execution Options Injection
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\eagfusoar.exe" | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f3c5aa8c6d0efd31fdf284357d7fe29a1ff850683882b4f485d5a33131958122N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f3c5aa8c6d0efd31fdf284357d7fe29a1ff850683882b4f485d5a33131958122N.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
Indicator Removal: Clear Persistence
| Description | Indicator | Process | Target |
| Delete value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\oumboafoot-oxid.dll" | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\eagfusoar.exe | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\oumvidoat-nid.exe | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\oumboafoot-oxid.dll | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| File created | C:\Windows\SysWOW64\oumboafoot-oxid.dll | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\oumvidoat-nid.exe | C:\Users\Admin\AppData\Local\Temp\f3c5aa8c6d0efd31fdf284357d7fe29a1ff850683882b4f485d5a33131958122N.exe | N/A |
| File created | C:\Windows\SysWOW64\oumvidoat-nid.exe | C:\Users\Admin\AppData\Local\Temp\f3c5aa8c6d0efd31fdf284357d7fe29a1ff850683882b4f485d5a33131958122N.exe | N/A |
| File created | C:\Windows\SysWOW64\eagfusoar.exe | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\oucsukar.exe | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| File created | C:\Windows\SysWOW64\oucsukar.exe | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f3c5aa8c6d0efd31fdf284357d7fe29a1ff850683882b4f485d5a33131958122N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f3c5aa8c6d0efd31fdf284357d7fe29a1ff850683882b4f485d5a33131958122N.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f3c5aa8c6d0efd31fdf284357d7fe29a1ff850683882b4f485d5a33131958122N.exe
"C:\Users\Admin\AppData\Local\Temp\f3c5aa8c6d0efd31fdf284357d7fe29a1ff850683882b4f485d5a33131958122N.exe"
C:\Windows\SysWOW64\oumvidoat-nid.exe
"C:\Windows\system32\oumvidoat-nid.exe"
C:\Windows\SysWOW64\oumvidoat-nid.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | aezuaqclnc.nu | udp |
| US | 8.8.8.8:53 | aezuaqclnc.nu | udp |
Files
\Windows\SysWOW64\oumvidoat-nid.exe
| MD5 | b2de2b7bb31d9cab09124a0b6ceda640 |
| SHA1 | ab62464ebab3e8ded51aa543ac81fd5953dcb2ae |
| SHA256 | f3c5aa8c6d0efd31fdf284357d7fe29a1ff850683882b4f485d5a33131958122 |
| SHA512 | 13c155bad0da692ce1eef50ff569f4dca6153c5b1344d9fe7d0f6aa51fc97f89734fee569eb6d26f982a216ac503d9679c9bfa7863c373e5ee3234301f29367f |
memory/2680-9-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Windows\SysWOW64\oumboafoot-oxid.dll
| MD5 | f37b21c00fd81bd93c89ce741a88f183 |
| SHA1 | b2796500597c68e2f5638e1101b46eaf32676c1c |
| SHA256 | 76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0 |
| SHA512 | 252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4 |
C:\Windows\SysWOW64\eagfusoar.exe
| MD5 | 1dc1ddec966300e973b7c0b5e8fe6fb1 |
| SHA1 | ce47c7d3153c1db9c555218583211f2c09e9a445 |
| SHA256 | 72cb1d6485b9d35c5599df7778b44af32ebd89318eb83cfb4a9f022ebb2cc559 |
| SHA512 | 7b96c97978d7521b99f550b56f0f048fea3859a5e7fc9d5a3b234415b5b499a108791ce71d0ca02419d29df7619f0356de0d6a9d0a18c45dca94ee33924c869d |
C:\Windows\SysWOW64\oucsukar.exe
| MD5 | c296641c044f2b121d608146a7664578 |
| SHA1 | 28d701554c0b08f260d5b8a624d0ff0eb19b15de |
| SHA256 | e264332d4d7665daa5e06187e52a5c7fbfeba92adcce14a45a24bac26260b6b4 |
| SHA512 | 4463ae09751d25679338f4d12b32f1b6cec71cbf81310dc789dc44c6ccbd484b7d79810e0ecd734f4d0ac9158d1b0568e330f7975a9b8ef6a7248655ec4f4981 |
memory/2460-52-0x0000000000400000-0x0000000000414000-memory.dmp
memory/2804-53-0x0000000000400000-0x0000000000414000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-04 03:29
Reported
2024-11-04 03:32
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
138s
Command Line
Signatures
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47594841-534f-4c53-4759-4841534F4c53} | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47594841-534f-4c53-4759-4841534F4c53}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47594841-534f-4c53-4759-4841534F4c53}\IsInstalled = "1" | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47594841-534f-4c53-4759-4841534F4c53}\StubPath = "C:\\Windows\\system32\\oucsukar.exe" | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
Event Triggered Execution: Image File Execution Options Injection
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\eagfusoar.exe" | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
Indicator Removal: Clear Persistence
| Description | Indicator | Process | Target |
| Delete value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\oumboafoot-oxid.dll" | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\eagfusoar.exe | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| File created | C:\Windows\SysWOW64\oucsukar.exe | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\oumboafoot-oxid.dll | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\oumvidoat-nid.exe | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\eagfusoar.exe | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| File created | C:\Windows\SysWOW64\oumvidoat-nid.exe | C:\Users\Admin\AppData\Local\Temp\f3c5aa8c6d0efd31fdf284357d7fe29a1ff850683882b4f485d5a33131958122N.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\oucsukar.exe | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| File created | C:\Windows\SysWOW64\oumboafoot-oxid.dll | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\oumvidoat-nid.exe | C:\Users\Admin\AppData\Local\Temp\f3c5aa8c6d0efd31fdf284357d7fe29a1ff850683882b4f485d5a33131958122N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f3c5aa8c6d0efd31fdf284357d7fe29a1ff850683882b4f485d5a33131958122N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f3c5aa8c6d0efd31fdf284357d7fe29a1ff850683882b4f485d5a33131958122N.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4604 wrote to memory of 1788 | N/A | C:\Users\Admin\AppData\Local\Temp\f3c5aa8c6d0efd31fdf284357d7fe29a1ff850683882b4f485d5a33131958122N.exe | C:\Windows\SysWOW64\oumvidoat-nid.exe |
| PID 4604 wrote to memory of 1788 | N/A | C:\Users\Admin\AppData\Local\Temp\f3c5aa8c6d0efd31fdf284357d7fe29a1ff850683882b4f485d5a33131958122N.exe | C:\Windows\SysWOW64\oumvidoat-nid.exe |
| PID 4604 wrote to memory of 1788 | N/A | C:\Users\Admin\AppData\Local\Temp\f3c5aa8c6d0efd31fdf284357d7fe29a1ff850683882b4f485d5a33131958122N.exe | C:\Windows\SysWOW64\oumvidoat-nid.exe |
| PID 1788 wrote to memory of 1920 | N/A | C:\Windows\SysWOW64\oumvidoat-nid.exe | C:\Windows\SysWOW64\oumvidoat-nid.exe |
| PID 1788 wrote to memory of 1920 | N/A | C:\Windows\SysWOW64\oumvidoat-nid.exe | C:\Windows\SysWOW64\oumvidoat-nid.exe |
| PID 1788 wrote to memory of 1920 | N/A | C:\Windows\SysWOW64\oumvidoat-nid.exe | C:\Windows\SysWOW64\oumvidoat-nid.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\f3c5aa8c6d0efd31fdf284357d7fe29a1ff850683882b4f485d5a33131958122N.exe
"C:\Users\Admin\AppData\Local\Temp\f3c5aa8c6d0efd31fdf284357d7fe29a1ff850683882b4f485d5a33131958122N.exe"
C:\Windows\SysWOW64\oumvidoat-nid.exe
"C:\Windows\system32\oumvidoat-nid.exe"
C:\Windows\SysWOW64\oumvidoat-nid.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ysaieop.tk | udp |
| US | 8.8.8.8:53 | ysaieop.tk | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
C:\Windows\SysWOW64\oumvidoat-nid.exe
| MD5 | b2de2b7bb31d9cab09124a0b6ceda640 |
| SHA1 | ab62464ebab3e8ded51aa543ac81fd5953dcb2ae |
| SHA256 | f3c5aa8c6d0efd31fdf284357d7fe29a1ff850683882b4f485d5a33131958122 |
| SHA512 | 13c155bad0da692ce1eef50ff569f4dca6153c5b1344d9fe7d0f6aa51fc97f89734fee569eb6d26f982a216ac503d9679c9bfa7863c373e5ee3234301f29367f |
memory/4604-5-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Windows\SysWOW64\eagfusoar.exe
| MD5 | 4e7820649bdd5282447a81f482898ac5 |
| SHA1 | 44481795f8184c33a4383e1efe4f262fb72eacf9 |
| SHA256 | 25b999959189759494f83675dcdb07abd00988a3627f60917b7d9336fe1847f6 |
| SHA512 | f0cb964f2044b0808a038c5771a3eede10a84077aef5a990e6091a208848c1344382ab7054ed6c27c29a8406f0245d301c98fefca509477eea997cad8e92fb1c |
C:\Windows\SysWOW64\oumboafoot-oxid.dll
| MD5 | f37b21c00fd81bd93c89ce741a88f183 |
| SHA1 | b2796500597c68e2f5638e1101b46eaf32676c1c |
| SHA256 | 76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0 |
| SHA512 | 252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4 |
C:\Windows\SysWOW64\oucsukar.exe
| MD5 | 248942c4ab12664d9cb2942dbc6d51e8 |
| SHA1 | bf0fb45ceb0baca8264a1786bb6a841f73c916bd |
| SHA256 | d0659cbcfd840189393277c3de477c888a5037876dc0b0bd97561ee5d8ac067f |
| SHA512 | 1ab4b3cf297abd9d974b74f81362b08ccd0c5377752fd15e750eee5038d5147efd16ab36186ff8b42466391b260e58a1cbc779c21da15742b9ce5e948ce270ae |
memory/1788-46-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1920-47-0x0000000000400000-0x0000000000414000-memory.dmp