Malware Analysis Report

2025-03-14 22:29

Sample ID: 240407-2zfxxahc63
Target: 876c173c737a3b1c008726ede01c122a2b7786495f428145cde3d1e4114950de
SHA256: 876c173c737a3b1c008726ede01c122a2b7786495f428145cde3d1e4114950de
Tags: evasion persistence trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 876c173c737a3b1c008726ede01c122a2b7786495f428145cde3d1e4114950de

Threat Level: Known bad

The file 876c173c737a3b1c008726ede01c122a2b7786495f428145cde3d1e4114950de was found to be: Known bad.

Malicious Activity Summary

evasion persistence trojan

Windows security bypass

Modifies Installed Components in the registry

Sets file execution options in registry

Executes dropped EXE

Loads dropped DLL

Windows security modification

Modifies WinLogon

Drops file in System32 directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-07 23:00

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-07 23:00
Reported: 2024-04-07 23:03
Platform: win7-20240220-en
Max time kernel: 149s
Max time network: 121s

Command Line

winlogon.exe

Signatures

Windows security bypass

Tags: evasion trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" | C:\Windows\SysWOW64\obmearup.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" | C:\Windows\SysWOW64\obmearup.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" | C:\Windows\SysWOW64\obmearup.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" | C:\Windows\SysWOW64\obmearup.exe | N/A

Modifies Installed Components in the registry

Tags: persistence

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4249534D-495a-4858-4249-534D495A4858} | C:\Windows\SysWOW64\obmearup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4249534D-495a-4858-4249-534D495A4858}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" | C:\Windows\SysWOW64\obmearup.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4249534D-495a-4858-4249-534D495A4858}\IsInstalled = "1" | C:\Windows\SysWOW64\obmearup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4249534D-495a-4858-4249-534D495A4858}\StubPath = "C:\\Windows\\system32\\avsesap.exe" | C:\Windows\SysWOW64\obmearup.exe | N/A

Sets file execution options in registry

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\obloopid-ivor.exe" | C:\Windows\SysWOW64\obmearup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe | C:\Windows\SysWOW64\obmearup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" | C:\Windows\SysWOW64\obmearup.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\obmearup.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\obmearup.exe | N/A

Windows security modification

Tags: evasion trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" | C:\Windows\SysWOW64\obmearup.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" | C:\Windows\SysWOW64\obmearup.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" | C:\Windows\SysWOW64\obmearup.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" | C:\Windows\SysWOW64\obmearup.exe | N/A

Modifies WinLogon

Tags: persistence

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} | C:\Windows\SysWOW64\obmearup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify | C:\Windows\SysWOW64\obmearup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" | C:\Windows\SysWOW64\obmearup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\ifmimoax-eadooc.dll" | C:\Windows\SysWOW64\obmearup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" | C:\Windows\SysWOW64\obmearup.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\obmearup.exe | C:\Windows\SysWOW64\obmearup.exe | N/A
File opened for modification | C:\Windows\SysWOW64\obmearup.exe | C:\Users\Admin\AppData\Local\Temp\876c173c737a3b1c008726ede01c122a2b7786495f428145cde3d1e4114950de.exe | N/A
File created | C:\Windows\SysWOW64\obmearup.exe | C:\Users\Admin\AppData\Local\Temp\876c173c737a3b1c008726ede01c122a2b7786495f428145cde3d1e4114950de.exe | N/A
File opened for modification | C:\Windows\SysWOW64\obloopid-ivor.exe | C:\Windows\SysWOW64\obmearup.exe | N/A
File created | C:\Windows\SysWOW64\avsesap.exe | C:\Windows\SysWOW64\obmearup.exe | N/A
File created | C:\Windows\SysWOW64\ifmimoax-eadooc.dll | C:\Windows\SysWOW64\obmearup.exe | N/A
File created | C:\Windows\SysWOW64\obloopid-ivor.exe | C:\Windows\SysWOW64\obmearup.exe | N/A
File opened for modification | C:\Windows\SysWOW64\avsesap.exe | C:\Windows\SysWOW64\obmearup.exe | N/A
File opened for modification | C:\Windows\SysWOW64\ifmimoax-eadooc.dll | C:\Windows\SysWOW64\obmearup.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Windows\SysWOW64\obmearup.exe | N/A | 64

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\876c173c737a3b1c008726ede01c122a2b7786495f428145cde3d1e4114950de.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\obmearup.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 2064 wrote to memory of 2828 | N/A | C:\Users\Admin\AppData\Local\Temp\876c173c737a3b1c008726ede01c122a2b7786495f428145cde3d1e4114950de.exe | C:\Windows\SysWOW64\obmearup.exe | 4
PID 2828 wrote to memory of 436 | N/A | C:\Windows\SysWOW64\obmearup.exe | C:\Windows\system32\winlogon.exe | 1
PID 2828 wrote to memory of 1224 | N/A | C:\Windows\SysWOW64\obmearup.exe | C:\Windows\Explorer.EXE | 2
PID 2828 wrote to memory of 2916 | N/A | C:\Windows\SysWOW64\obmearup.exe | C:\Windows\SysWOW64\obmearup.exe | 4
PID 2828 wrote to memory of 1224 | N/A | C:\Windows\SysWOW64\obmearup.exe | C:\Windows\Explorer.EXE | 53

Processes

C:\Windows\system32\winlogon.exe
    Command line: winlogon.exe

C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\876c173c737a3b1c008726ede01c122a2b7786495f428145cde3d1e4114950de.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\876c173c737a3b1c008726ede01c122a2b7786495f428145cde3d1e4114950de.exe"

C:\Windows\SysWOW64\obmearup.exe
    Command line: "C:\Windows\system32\obmearup.exe"

C:\Windows\SysWOW64\obmearup.exe
    Command line: --k33p

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | rkmkj.mp | udp
US | 8.8.8.8:53 | rkmkj.mp | udp

Files

\Windows\SysWOW64\obmearup.exe
    MD5: daee6a2e7ca1dc686761b0d67259ff16
    SHA1: 5e03776c9ab43e04f70ea36ad026b11577d3cb6c
    SHA256: 876c173c737a3b1c008726ede01c122a2b7786495f428145cde3d1e4114950de
    SHA512: fa043461fc37988d19986da1e7a8d035126a4180fc90af11684001961760e170c6594c25924924715c35ce24b27935684627fd6e409f7f498e0e34f3afede122

memory/2064-9-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Windows\SysWOW64\ifmimoax-eadooc.dll
    MD5: f37b21c00fd81bd93c89ce741a88f183
    SHA1: b2796500597c68e2f5638e1101b46eaf32676c1c
    SHA256: 76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0
    SHA512: 252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4

C:\Windows\SysWOW64\obloopid-ivor.exe
    MD5: 963f8dc7927d466622894e4d0586eb11
    SHA1: 07a4bba0e844d068cfd6e1a5fa01ba32395855a8
    SHA256: 82b8b318127f34a6fc9bb50076d6b37d8dded39254f6ef7888f6030aa67f6393
    SHA512: 8c7b2e9fa6a4cb36f2f7e7fd8460821f037f08dc0db3d474a68428f12b065abfafa16e8b0916828793a65b9fd152b21382fe66786279c422fde5b859da39d942

C:\Windows\SysWOW64\avsesap.exe
    MD5: fdc53a14df290f13d47e996ed3dfdd29
    SHA1: cb2720a2fd1f03f3431531747ba7f0a011061bd0
    SHA256: 00c5b0e8114dea11edddbbb4d718a18df1f9990fe982877965576f2abe70e669
    SHA512: 5be9ec674c31d6f99df344ad5bb77caaeda3e346703c2d14b681a43a8253fadb55d371f7de5cdefe4201531ec70a2154093709e138b1967c8ff5d0a801ca35a4

memory/2828-55-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2916-56-0x0000000000400000-0x0000000000414000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-07 23:00
Reported: 2024-04-07 23:03
Platform: win10v2004-20240226-en
Max time kernel: 149s
Max time network: 140s

Command Line

winlogon.exe

Signatures

Windows security bypass

Tags: evasion trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" | C:\Windows\SysWOW64\obmearup.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" | C:\Windows\SysWOW64\obmearup.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" | C:\Windows\SysWOW64\obmearup.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" | C:\Windows\SysWOW64\obmearup.exe | N/A

Modifies Installed Components in the registry

Tags: persistence

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4A4B5253-4f44-4c45-4A4B-52534F444c45} | C:\Windows\SysWOW64\obmearup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4A4B5253-4f44-4c45-4A4B-52534F444c45}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" | C:\Windows\SysWOW64\obmearup.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4A4B5253-4f44-4c45-4A4B-52534F444c45}\IsInstalled = "1" | C:\Windows\SysWOW64\obmearup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4A4B5253-4f44-4c45-4A4B-52534F444c45}\StubPath = "C:\\Windows\\system32\\avsesap.exe" | C:\Windows\SysWOW64\obmearup.exe | N/A

Sets file execution options in registry

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" | C:\Windows\SysWOW64\obmearup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\obloopid-ivor.exe" | C:\Windows\SysWOW64\obmearup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe | C:\Windows\SysWOW64\obmearup.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\obmearup.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\obmearup.exe | N/A

Windows security modification

Tags: evasion trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" | C:\Windows\SysWOW64\obmearup.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" | C:\Windows\SysWOW64\obmearup.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" | C:\Windows\SysWOW64\obmearup.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" | C:\Windows\SysWOW64\obmearup.exe | N/A

Modifies WinLogon

Tags: persistence

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} | C:\Windows\SysWOW64\obmearup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify | C:\Windows\SysWOW64\obmearup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" | C:\Windows\SysWOW64\obmearup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\ifmimoax-eadooc.dll" | C:\Windows\SysWOW64\obmearup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" | C:\Windows\SysWOW64\obmearup.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\obmearup.exe | C:\Windows\SysWOW64\obmearup.exe | N/A
File opened for modification | C:\Windows\SysWOW64\obmearup.exe | C:\Users\Admin\AppData\Local\Temp\876c173c737a3b1c008726ede01c122a2b7786495f428145cde3d1e4114950de.exe | N/A
File created | C:\Windows\SysWOW64\obmearup.exe | C:\Users\Admin\AppData\Local\Temp\876c173c737a3b1c008726ede01c122a2b7786495f428145cde3d1e4114950de.exe | N/A
File opened for modification | C:\Windows\SysWOW64\obloopid-ivor.exe | C:\Windows\SysWOW64\obmearup.exe | N/A
File created | C:\Windows\SysWOW64\avsesap.exe | C:\Windows\SysWOW64\obmearup.exe | N/A
File opened for modification | C:\Windows\SysWOW64\ifmimoax-eadooc.dll | C:\Windows\SysWOW64\obmearup.exe | N/A
File created | C:\Windows\SysWOW64\obloopid-ivor.exe | C:\Windows\SysWOW64\obmearup.exe | N/A
File opened for modification | C:\Windows\SysWOW64\avsesap.exe | C:\Windows\SysWOW64\obmearup.exe | N/A
File created | C:\Windows\SysWOW64\ifmimoax-eadooc.dll | C:\Windows\SysWOW64\obmearup.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Windows\SysWOW64\obmearup.exe | N/A | 64

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\876c173c737a3b1c008726ede01c122a2b7786495f428145cde3d1e4114950de.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\obmearup.exe | N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4532 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\876c173c737a3b1c008726ede01c122a2b7786495f428145cde3d1e4114950de.exe C:\Windows\SysWOW64\obmearup.exe
PID 4532 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\876c173c737a3b1c008726ede01c122a2b7786495f428145cde3d1e4114950de.exe C:\Windows\SysWOW64\obmearup.exe
PID 4532 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\876c173c737a3b1c008726ede01c122a2b7786495f428145cde3d1e4114950de.exe C:\Windows\SysWOW64\obmearup.exe
PID 4408 wrote to memory of 1480 N/A C:\Windows\SysWOW64\obmearup.exe C:\Windows\SysWOW64\obmearup.exe
PID 4408 wrote to memory of 1480 N/A C:\Windows\SysWOW64\obmearup.exe C:\Windows\SysWOW64\obmearup.exe
PID 4408 wrote to memory of 1480 N/A C:\Windows\SysWOW64\obmearup.exe C:\Windows\SysWOW64\obmearup.exe
PID 4408 wrote to memory of 616 N/A C:\Windows\SysWOW64\obmearup.exe C:\Windows\system32\winlogon.exe
PID 4408 wrote to memory of 3392 N/A C:\Windows\SysWOW64\obmearup.exe C:\Windows\Explorer.EXE
PID 4408 wrote to memory of 3392 N/A C:\Windows\SysWOW64\obmearup.exe C:\Windows\Explorer.EXE
PID 4408 wrote to memory of 3392 N/A C:\Windows\SysWOW64\obmearup.exe C:\Windows\Explorer.EXE
PID 4408 wrote to memory of 3392 N/A C:\Windows\SysWOW64\obmearup.exe C:\Windows\Explorer.EXE
PID 4408 wrote to memory of 3392 N/A C:\Windows\SysWOW64\obmearup.exe C:\Windows\Explorer.EXE
PID 4408 wrote to memory of 3392 N/A C:\Windows\SysWOW64\obmearup.exe C:\Windows\Explorer.EXE
PID 4408 wrote to memory of 3392 N/A C:\Windows\SysWOW64\obmearup.exe C:\Windows\Explorer.EXE
PID 4408 wrote to memory of 3392 N/A C:\Windows\SysWOW64\obmearup.exe C:\Windows\Explorer.EXE
PID 4408 wrote to memory of 3392 N/A C:\Windows\SysWOW64\obmearup.exe C:\Windows\Explorer.EXE
PID 4408 wrote to memory of 3392 N/A C:\Windows\SysWOW64\obmearup.exe C:\Windows\Explorer.EXE
PID 4408 wrote to memory of 3392 N/A C:\Windows\SysWOW64\obmearup.exe C:\Windows\Explorer.EXE
PID 4408 wrote to memory of 3392 N/A C:\Windows\SysWOW64\obmearup.exe C:\Windows\Explorer.EXE
PID 4408 wrote to memory of 3392 N/A C:\Windows\SysWOW64\obmearup.exe C:\Windows\Explorer.EXE
PID 4408 wrote to memory of 3392 N/A C:\Windows\SysWOW64\obmearup.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\876c173c737a3b1c008726ede01c122a2b7786495f428145cde3d1e4114950de.exe

"C:\Users\Admin\AppData\Local\Temp\876c173c737a3b1c008726ede01c122a2b7786495f428145cde3d1e4114950de.exe"

C:\Windows\SysWOW64\obmearup.exe

"C:\Windows\system32\obmearup.exe"

C:\Windows\SysWOW64\obmearup.exe

--k33p

Network

Country Destination Domain Proto
US 8.8.8.8:53 uwkzzeawwqy.ph udp
US 45.79.222.138:80 uwkzzeawwqy.ph tcp
US 8.8.8.8:53 utbidet-ugeas.biz udp
US 72.52.178.23:80 utbidet-ugeas.biz tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 138.222.79.45.in-addr.arpa udp
US 8.8.8.8:53 utbidet-ugeas.biz udp
US 72.52.178.23:80 utbidet-ugeas.biz tcp
US 8.8.8.8:53 23.178.52.72.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

C:\Windows\SysWOW64\obmearup.exe

MD5 daee6a2e7ca1dc686761b0d67259ff16
SHA1 5e03776c9ab43e04f70ea36ad026b11577d3cb6c
SHA256 876c173c737a3b1c008726ede01c122a2b7786495f428145cde3d1e4114950de
SHA512 fa043461fc37988d19986da1e7a8d035126a4180fc90af11684001961760e170c6594c25924924715c35ce24b27935684627fd6e409f7f498e0e34f3afede122

memory/4532-6-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Windows\SysWOW64\avsesap.exe

MD5 cff1147e12b2df48e41ebfc1b1425a59
SHA1 f43a6b67f1129994a57105f610365b2d67dee3fb
SHA256 60fd677245bb56f298afa9c8d3d57221d9f8b8135a60dc61d4460b431260d7ef
SHA512 39393d6562509c3637ee29466fb3b7ddf642f7102564be75ada4c575476cfea35ceb8b9e026fca61b720c821b1e9cacd0b7fa222a4a3c4467e327020400860b2

C:\Windows\SysWOW64\obloopid-ivor.exe

MD5 db102c38b6a6772fd57d650713e527a4
SHA1 6f4bdbc6a5aaab8e88de302b1b49d6dfe4b0912a
SHA256 00200cb46d53e1237ecdf105974dbe4ee696e896bc9a1240ee6bc35f98ddd282
SHA512 e437b1fd0d2dc3b126eeeec17f810f99a566f143cc04750fa0808731ef86cf5a970413f93206c16fc53bdc67206a26c659c0789dcd334e61d19dc5c59265f3c2

C:\Windows\SysWOW64\ifmimoax-eadooc.dll

MD5 f37b21c00fd81bd93c89ce741a88f183
SHA1 b2796500597c68e2f5638e1101b46eaf32676c1c
SHA256 76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0
SHA512 252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4