Analysis Overview
SHA256
f3c5aa8c6d0efd31fdf284357d7fe29a1ff850683882b4f485d5a33131958122
Threat Level: Known bad
The file f3c5aa8c6d0efd31fdf284357d7fe29a1ff850683882b4f485d5a33131958122N was found to be: Known bad.
Malicious Activity Summary
Windows security bypass
Event Triggered Execution: Image File Execution Options Injection
Boot or Logon Autostart Execution: Active Setup
Loads dropped DLL
Executes dropped EXE
Windows security modification
Modifies WinLogon
Indicator Removal: Clear Persistence
Drops file in System32 directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-04 03:24
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-04 03:24
Reported
2024-11-04 03:27
Platform
win7-20241010-en
Max time kernel
120s
Max time network
19s
Command Line
Signatures
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42435852-4a46-4b45-4243-58524A464b45}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42435852-4a46-4b45-4243-58524A464b45}\IsInstalled = "1" | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42435852-4a46-4b45-4243-58524A464b45}\StubPath = "C:\\Windows\\system32\\oucsukar.exe" | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42435852-4a46-4b45-4243-58524A464b45} | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
Event Triggered Execution: Image File Execution Options Injection
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\eagfusoar.exe" | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f3c5aa8c6d0efd31fdf284357d7fe29a1ff850683882b4f485d5a33131958122N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f3c5aa8c6d0efd31fdf284357d7fe29a1ff850683882b4f485d5a33131958122N.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
Indicator Removal: Clear Persistence
| Description | Indicator | Process | Target |
| Delete value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\oumboafoot-oxid.dll" | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\oumboafoot-oxid.dll | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\oumvidoat-nid.exe | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| File created | C:\Windows\SysWOW64\oumvidoat-nid.exe | C:\Users\Admin\AppData\Local\Temp\f3c5aa8c6d0efd31fdf284357d7fe29a1ff850683882b4f485d5a33131958122N.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\eagfusoar.exe | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| File created | C:\Windows\SysWOW64\eagfusoar.exe | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\oucsukar.exe | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| File created | C:\Windows\SysWOW64\oucsukar.exe | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\oumboafoot-oxid.dll | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\oumvidoat-nid.exe | C:\Users\Admin\AppData\Local\Temp\f3c5aa8c6d0efd31fdf284357d7fe29a1ff850683882b4f485d5a33131958122N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f3c5aa8c6d0efd31fdf284357d7fe29a1ff850683882b4f485d5a33131958122N.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f3c5aa8c6d0efd31fdf284357d7fe29a1ff850683882b4f485d5a33131958122N.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f3c5aa8c6d0efd31fdf284357d7fe29a1ff850683882b4f485d5a33131958122N.exe
"C:\Users\Admin\AppData\Local\Temp\f3c5aa8c6d0efd31fdf284357d7fe29a1ff850683882b4f485d5a33131958122N.exe"
C:\Windows\SysWOW64\oumvidoat-nid.exe
"C:\Windows\system32\oumvidoat-nid.exe"
C:\Windows\SysWOW64\oumvidoat-nid.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | siqys.st | udp |
| US | 8.8.8.8:53 | siqys.st | udp |
Files
\Windows\SysWOW64\oumvidoat-nid.exe
| MD5 | b2de2b7bb31d9cab09124a0b6ceda640 |
| SHA1 | ab62464ebab3e8ded51aa543ac81fd5953dcb2ae |
| SHA256 | f3c5aa8c6d0efd31fdf284357d7fe29a1ff850683882b4f485d5a33131958122 |
| SHA512 | 13c155bad0da692ce1eef50ff569f4dca6153c5b1344d9fe7d0f6aa51fc97f89734fee569eb6d26f982a216ac503d9679c9bfa7863c373e5ee3234301f29367f |
memory/572-9-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Windows\SysWOW64\oucsukar.exe
| MD5 | ddd9b24948fdf40a6c60e45b90c6c47c |
| SHA1 | 84ca59e393b600ea3e19b1be3465492348b30a70 |
| SHA256 | 65e9cdbd9659da30126a09d0930f11032826ce66b1e97ea8fe3a327d55217b28 |
| SHA512 | 9a3d5da70dd56ed2786bd895b7a9740913c3b47056f0f13ff2d5b0bae888a40e2b6c8297d45d9d88878ca3b62ef2724eb643d1214796365aea7556f36c0cf504 |
C:\Windows\SysWOW64\oumboafoot-oxid.dll
| MD5 | f37b21c00fd81bd93c89ce741a88f183 |
| SHA1 | b2796500597c68e2f5638e1101b46eaf32676c1c |
| SHA256 | 76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0 |
| SHA512 | 252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4 |
C:\Windows\SysWOW64\eagfusoar.exe
| MD5 | fc8eb462713bbe21cf3da2f75be252c3 |
| SHA1 | 8400d7079014214015d5ef95a440f0881524a6c1 |
| SHA256 | 1e9884abcec97162225627510fb6645676b1e138b70c05bf6469824e596613b5 |
| SHA512 | 516afb2e44faecc7eaa3f339f445eca67eb4b334021867180bd9037b73ab2ba59905023f78b9da4e65b17184788f366908705000c2517b2a59f4ad099188fb79 |
memory/2744-52-0x0000000000400000-0x0000000000414000-memory.dmp
memory/2396-53-0x0000000000400000-0x0000000000414000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-04 03:24
Reported
2024-11-04 03:27
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
109s
Command Line
Signatures
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53504445-424a-5748-5350-4445424A5748} | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53504445-424a-5748-5350-4445424A5748}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53504445-424a-5748-5350-4445424A5748}\IsInstalled = "1" | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53504445-424a-5748-5350-4445424A5748}\StubPath = "C:\\Windows\\system32\\oucsukar.exe" | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
Event Triggered Execution: Image File Execution Options Injection
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\eagfusoar.exe" | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
Indicator Removal: Clear Persistence
| Description | Indicator | Process | Target |
| Delete value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\oumboafoot-oxid.dll" | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\oucsukar.exe | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| File created | C:\Windows\SysWOW64\oucsukar.exe | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\oumvidoat-nid.exe | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| File created | C:\Windows\SysWOW64\oumvidoat-nid.exe | C:\Users\Admin\AppData\Local\Temp\f3c5aa8c6d0efd31fdf284357d7fe29a1ff850683882b4f485d5a33131958122N.exe | N/A |
| File created | C:\Windows\SysWOW64\eagfusoar.exe | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\oumboafoot-oxid.dll | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| File created | C:\Windows\SysWOW64\oumboafoot-oxid.dll | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\oumvidoat-nid.exe | C:\Users\Admin\AppData\Local\Temp\f3c5aa8c6d0efd31fdf284357d7fe29a1ff850683882b4f485d5a33131958122N.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\eagfusoar.exe | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f3c5aa8c6d0efd31fdf284357d7fe29a1ff850683882b4f485d5a33131958122N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f3c5aa8c6d0efd31fdf284357d7fe29a1ff850683882b4f485d5a33131958122N.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\oumvidoat-nid.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3640 wrote to memory of 2684 | N/A | C:\Users\Admin\AppData\Local\Temp\f3c5aa8c6d0efd31fdf284357d7fe29a1ff850683882b4f485d5a33131958122N.exe | C:\Windows\SysWOW64\oumvidoat-nid.exe |
| PID 3640 wrote to memory of 2684 | N/A | C:\Users\Admin\AppData\Local\Temp\f3c5aa8c6d0efd31fdf284357d7fe29a1ff850683882b4f485d5a33131958122N.exe | C:\Windows\SysWOW64\oumvidoat-nid.exe |
| PID 3640 wrote to memory of 2684 | N/A | C:\Users\Admin\AppData\Local\Temp\f3c5aa8c6d0efd31fdf284357d7fe29a1ff850683882b4f485d5a33131958122N.exe | C:\Windows\SysWOW64\oumvidoat-nid.exe |
| PID 2684 wrote to memory of 4984 | N/A | C:\Windows\SysWOW64\oumvidoat-nid.exe | C:\Windows\SysWOW64\oumvidoat-nid.exe |
| PID 2684 wrote to memory of 4984 | N/A | C:\Windows\SysWOW64\oumvidoat-nid.exe | C:\Windows\SysWOW64\oumvidoat-nid.exe |
| PID 2684 wrote to memory of 4984 | N/A | C:\Windows\SysWOW64\oumvidoat-nid.exe | C:\Windows\SysWOW64\oumvidoat-nid.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\f3c5aa8c6d0efd31fdf284357d7fe29a1ff850683882b4f485d5a33131958122N.exe
"C:\Users\Admin\AppData\Local\Temp\f3c5aa8c6d0efd31fdf284357d7fe29a1ff850683882b4f485d5a33131958122N.exe"
C:\Windows\SysWOW64\oumvidoat-nid.exe
"C:\Windows\system32\oumvidoat-nid.exe"
C:\Windows\SysWOW64\oumvidoat-nid.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | gtpagepsyumcci.cg | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gtpagepsyumcci.cg | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
C:\Windows\SysWOW64\oumvidoat-nid.exe
| MD5 | b2de2b7bb31d9cab09124a0b6ceda640 |
| SHA1 | ab62464ebab3e8ded51aa543ac81fd5953dcb2ae |
| SHA256 | f3c5aa8c6d0efd31fdf284357d7fe29a1ff850683882b4f485d5a33131958122 |
| SHA512 | 13c155bad0da692ce1eef50ff569f4dca6153c5b1344d9fe7d0f6aa51fc97f89734fee569eb6d26f982a216ac503d9679c9bfa7863c373e5ee3234301f29367f |
memory/3640-6-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Windows\SysWOW64\eagfusoar.exe
| MD5 | ab08d33f48637dfb1ba2c6fbe20b98ba |
| SHA1 | 2aa52f20131866d0e5db18b4cee13da72d9efd3e |
| SHA256 | 0fa059c6c6c8abd1868c82196876b17a4d770c60fdbd87588b8ed1e0b78a1877 |
| SHA512 | 88fa7057bef82c33b32395d5fd26136c195861e084f962910a11a59df26dae97cdafdc1e14f13489bd804fb4a2a6d1bc602fe21190b27a784dcc3f02eabb5a03 |
C:\Windows\SysWOW64\oumboafoot-oxid.dll
| MD5 | f37b21c00fd81bd93c89ce741a88f183 |
| SHA1 | b2796500597c68e2f5638e1101b46eaf32676c1c |
| SHA256 | 76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0 |
| SHA512 | 252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4 |
C:\Windows\SysWOW64\oucsukar.exe
| MD5 | 14f90ae2a3c27fed5bcf3f4d14c02938 |
| SHA1 | 8d5ff2d25a4e8d3f581aa64932d074dfed7ef468 |
| SHA256 | 10e5e3ef657cd6604aee95a747f30fb61f9daa0c17b205c282f9a83f662ff1b0 |
| SHA512 | d5d59144a5c94b687f1a01f46800221ee868a3c2d92b6949fe10b3d256953c937386a7ef0f0f316f3cda8bc6b960f8fa3e8f98c6ddccc19401d690f75c18a2f0 |
memory/2684-43-0x0000000000400000-0x0000000000414000-memory.dmp
memory/4984-44-0x0000000000400000-0x0000000000414000-memory.dmp