Analysis Overview
SHA256
bc066aae21f879781dc09c6295181109ed4bc9acff4789850589f89f630a5524
Threat Level: Known bad
The file bc066aae21f879781dc09c6295181109ed4bc9acff4789850589f89f630a5524 was found to be: Known bad.
Malicious Activity Summary
Windows security bypass
Event Triggered Execution: Image File Execution Options Injection
Boot or Logon Autostart Execution: Active Setup
Windows security modification
Executes dropped EXE
Loads dropped DLL
Indicator Removal: Clear Persistence
Modifies WinLogon
Drops file in System32 directory
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
| Field | Value |
|---|---|
| Reported | 2024-11-13 02:12 |
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
| Field | Value |
|---|---|
| Submitted | 2024-11-13 02:12 |
| Reported | 2024-11-13 02:15 |
| Platform | win10v2004-20241007-en |
| Max time kernel | 149s |
| Max time network | 136s |
| Command Line | |
Signatures
Windows security bypass
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" | C:\Windows\SysWOW64\ixbivoav.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" | C:\Windows\SysWOW64\ixbivoav.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" | C:\Windows\SysWOW64\ixbivoav.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" | C:\Windows\SysWOW64\ixbivoav.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47594841-534f-4c53-4759-4841534F4c53}\StubPath = "C:\\Windows\\system32\\oupbeder.exe" | C:\Windows\SysWOW64\ixbivoav.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47594841-534f-4c53-4759-4841534F4c53} | C:\Windows\SysWOW64\ixbivoav.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47594841-534f-4c53-4759-4841534F4c53}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" | C:\Windows\SysWOW64\ixbivoav.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47594841-534f-4c53-4759-4841534F4c53}\IsInstalled = "1" | C:\Windows\SysWOW64\ixbivoav.exe | N/A |
Event Triggered Execution: Image File Execution Options Injection
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe | C:\Windows\SysWOW64\ixbivoav.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" | C:\Windows\SysWOW64\ixbivoav.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\ocseatoog.exe" | C:\Windows\SysWOW64\ixbivoav.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\ixbivoav.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ixbivoav.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" | C:\Windows\SysWOW64\ixbivoav.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" | C:\Windows\SysWOW64\ixbivoav.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" | C:\Windows\SysWOW64\ixbivoav.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" | C:\Windows\SysWOW64\ixbivoav.exe | N/A |
Indicator Removal: Clear Persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Delete value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger | C:\Windows\SysWOW64\ixbivoav.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\akmisof.dll" | C:\Windows\SysWOW64\ixbivoav.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" | C:\Windows\SysWOW64\ixbivoav.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} | C:\Windows\SysWOW64\ixbivoav.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify | C:\Windows\SysWOW64\ixbivoav.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" | C:\Windows\SysWOW64\ixbivoav.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\SysWOW64\ocseatoog.exe | C:\Windows\SysWOW64\ixbivoav.exe | N/A |
| File created | C:\Windows\SysWOW64\ocseatoog.exe | C:\Windows\SysWOW64\ixbivoav.exe | N/A |
| File created | C:\Windows\SysWOW64\oupbeder.exe | C:\Windows\SysWOW64\ixbivoav.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\akmisof.dll | C:\Windows\SysWOW64\ixbivoav.exe | N/A |
| File created | C:\Windows\SysWOW64\akmisof.dll | C:\Windows\SysWOW64\ixbivoav.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ixbivoav.exe | C:\Users\Admin\AppData\Local\Temp\bc066aae21f879781dc09c6295181109ed4bc9acff4789850589f89f630a5524.exe | N/A |
| File created | C:\Windows\SysWOW64\ixbivoav.exe | C:\Users\Admin\AppData\Local\Temp\bc066aae21f879781dc09c6295181109ed4bc9acff4789850589f89f630a5524.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\oupbeder.exe | C:\Windows\SysWOW64\ixbivoav.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ixbivoav.exe | C:\Windows\SysWOW64\ixbivoav.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bc066aae21f879781dc09c6295181109ed4bc9acff4789850589f89f630a5524.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ixbivoav.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ixbivoav.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\bc066aae21f879781dc09c6295181109ed4bc9acff4789850589f89f630a5524.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\ixbivoav.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
|---|---|
| C:\Windows\system32\winlogon.exe | winlogon.exe |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\bc066aae21f879781dc09c6295181109ed4bc9acff4789850589f89f630a5524.exe | "C:\Users\Admin\AppData\Local\Temp\bc066aae21f879781dc09c6295181109ed4bc9acff4789850589f89f630a5524.exe" |
| C:\Windows\SysWOW64\ixbivoav.exe | "C:\Windows\system32\ixbivoav.exe" |
| C:\Windows\SysWOW64\ixbivoav.exe | --k33p |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | epuigscssaget.mp | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
C:\Windows\SysWOW64\ixbivoav.exe
| Hash | Value |
|---|---|
| MD5 | 9457260cd5f9f87716f1dfbc496f53a9 |
| SHA1 | 48a9166aecd7e3d4a833cbddfab1b725b1c08fa7 |
| SHA256 | bc066aae21f879781dc09c6295181109ed4bc9acff4789850589f89f630a5524 |
| SHA512 | bf464c469eb2da0910972aef8a72b9bbffaba2484183ac76d3d092ad1603f37588d6add805e27a8b6d954cc5cfc419cea2ba6e84785f48fc69fdf48cca5d8d62 |
memory/4980-5-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Windows\SysWOW64\ocseatoog.exe
| Hash | Value |
|---|---|
| MD5 | 60a59c61b163f6eb02b7cd424426e0af |
| SHA1 | 0551876c7fdfc1dfc693d71c054eb988486b08bc |
| SHA256 | 59aa7d4ce7f5de0bfae311e258ccbf41de8f351438cb8b5fd096680bd7e6f2c5 |
| SHA512 | bd0d99fa5b0835fc7b8a703f7a8395f0123cb0d0a2fadbfbfeb7b866c91f3d22622e71ce51799e764538a6851e28e6db629c0ac13173062f89f22b3db6dc5246 |
C:\Windows\SysWOW64\akmisof.dll
| Hash | Value |
|---|---|
| MD5 | f37b21c00fd81bd93c89ce741a88f183 |
| SHA1 | b2796500597c68e2f5638e1101b46eaf32676c1c |
| SHA256 | 76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0 |
| SHA512 | 252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4 |
C:\Windows\SysWOW64\oupbeder.exe
| Hash | Value |
|---|---|
| MD5 | f36162575bb42b2093f1fd7d587b13df |
| SHA1 | 1e1a5170ac2a7dc8d767d8c3fd13d67d568bc79c |
| SHA256 | 4316d51bee7e93545d1ec2c9711102031bc604412e4a3f7dbb657645ff7ea2e0 |
| SHA512 | 562d6a57df2d0c6779e54bcbb77b1002f8d82e8d53244f3d0ad8328d7d7c15abd3cd5a503a6cf49371d73e1d935123ebc8a19dfd4d4f3a5a9eb51274c3f1bf25 |
memory/2752-46-0x0000000000400000-0x0000000000414000-memory.dmp
memory/4640-47-0x0000000000400000-0x0000000000414000-memory.dmp
Analysis: behavioral1
Detonation Overview
| Field | Value |
|---|---|
| Submitted | 2024-11-13 02:12 |
| Reported | 2024-11-13 02:15 |
| Platform | win7-20240903-en |
| Max time kernel | 149s |
| Max time network | 119s |
| Command Line | |
Signatures
Windows security bypass
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" | C:\Windows\SysWOW64\ixbivoav.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" | C:\Windows\SysWOW64\ixbivoav.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" | C:\Windows\SysWOW64\ixbivoav.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" | C:\Windows\SysWOW64\ixbivoav.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{43434A42-5654-4751-4343-4A4256544751} | C:\Windows\SysWOW64\ixbivoav.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{43434A42-5654-4751-4343-4A4256544751}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" | C:\Windows\SysWOW64\ixbivoav.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{43434A42-5654-4751-4343-4A4256544751}\IsInstalled = "1" | C:\Windows\SysWOW64\ixbivoav.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{43434A42-5654-4751-4343-4A4256544751}\StubPath = "C:\\Windows\\system32\\oupbeder.exe" | C:\Windows\SysWOW64\ixbivoav.exe | N/A |
Event Triggered Execution: Image File Execution Options Injection
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" | C:\Windows\SysWOW64\ixbivoav.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\ocseatoog.exe" | C:\Windows\SysWOW64\ixbivoav.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe | C:\Windows\SysWOW64\ixbivoav.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\ixbivoav.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ixbivoav.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bc066aae21f879781dc09c6295181109ed4bc9acff4789850589f89f630a5524.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bc066aae21f879781dc09c6295181109ed4bc9acff4789850589f89f630a5524.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ixbivoav.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" | C:\Windows\SysWOW64\ixbivoav.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" | C:\Windows\SysWOW64\ixbivoav.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" | C:\Windows\SysWOW64\ixbivoav.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" | C:\Windows\SysWOW64\ixbivoav.exe | N/A |
Indicator Removal: Clear Persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Delete value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger | C:\Windows\SysWOW64\ixbivoav.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\akmisof.dll" | C:\Windows\SysWOW64\ixbivoav.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" | C:\Windows\SysWOW64\ixbivoav.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} | C:\Windows\SysWOW64\ixbivoav.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify | C:\Windows\SysWOW64\ixbivoav.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" | C:\Windows\SysWOW64\ixbivoav.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\akmisof.dll | C:\Windows\SysWOW64\ixbivoav.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ixbivoav.exe | C:\Users\Admin\AppData\Local\Temp\bc066aae21f879781dc09c6295181109ed4bc9acff4789850589f89f630a5524.exe | N/A |
| File created | C:\Windows\SysWOW64\ixbivoav.exe | C:\Users\Admin\AppData\Local\Temp\bc066aae21f879781dc09c6295181109ed4bc9acff4789850589f89f630a5524.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\oupbeder.exe | C:\Windows\SysWOW64\ixbivoav.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\akmisof.dll | C:\Windows\SysWOW64\ixbivoav.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ocseatoog.exe | C:\Windows\SysWOW64\ixbivoav.exe | N/A |
| File created | C:\Windows\SysWOW64\ocseatoog.exe | C:\Windows\SysWOW64\ixbivoav.exe | N/A |
| File created | C:\Windows\SysWOW64\oupbeder.exe | C:\Windows\SysWOW64\ixbivoav.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ixbivoav.exe | C:\Windows\SysWOW64\ixbivoav.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ixbivoav.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bc066aae21f879781dc09c6295181109ed4bc9acff4789850589f89f630a5524.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\bc066aae21f879781dc09c6295181109ed4bc9acff4789850589f89f630a5524.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\ixbivoav.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
|---|---|
| C:\Windows\system32\winlogon.exe | winlogon.exe |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\bc066aae21f879781dc09c6295181109ed4bc9acff4789850589f89f630a5524.exe | "C:\Users\Admin\AppData\Local\Temp\bc066aae21f879781dc09c6295181109ed4bc9acff4789850589f89f630a5524.exe" |
| C:\Windows\SysWOW64\ixbivoav.exe | "C:\Windows\system32\ixbivoav.exe" |
| C:\Windows\SysWOW64\ixbivoav.exe | --k33p |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | cqggwc.mp | udp |
Files
\Windows\SysWOW64\ixbivoav.exe
| Hash | Value |
|---|---|
| MD5 | 9457260cd5f9f87716f1dfbc496f53a9 |
| SHA1 | 48a9166aecd7e3d4a833cbddfab1b725b1c08fa7 |
| SHA256 | bc066aae21f879781dc09c6295181109ed4bc9acff4789850589f89f630a5524 |
| SHA512 | bf464c469eb2da0910972aef8a72b9bbffaba2484183ac76d3d092ad1603f37588d6add805e27a8b6d954cc5cfc419cea2ba6e84785f48fc69fdf48cca5d8d62 |
memory/2408-9-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Windows\SysWOW64\oupbeder.exe
| Hash | Value |
|---|---|
| MD5 | b8075c687547a07d533ed0244b8246b7 |
| SHA1 | 98e9c651a061dcbd82e18e4b57ccd9aaba06962d |
| SHA256 | cdf29182bf8a5a4482730919d2987ce547551d75890d9b50ed6043aa2f34246b |
| SHA512 | bf8e715c675f494e2698cc570917e40fdd145eb6e43b800543b20e15afbb7dc6a578f5994bf691a55a1ee8e654f1acb6a921bd35ac50080fe88c0a15cebcbebe |
C:\Windows\SysWOW64\ocseatoog.exe
| Hash | Value |
|---|---|
| MD5 | dea9e4f621bf62a14d2f3453e237fd75 |
| SHA1 | 9e9fef74f10bf15aec1765243c6a23480f9faed3 |
| SHA256 | edda7f6cecd88be7e50e9170fa5c3d4dcc52fac6d249c26440b8559f95d12684 |
| SHA512 | 61afb1104a6c2f31f96a0ee9b1cd5db307177595aa03aea3baa4f8fd6b11d3a2940fd4186df44b3f79d411aae83864a2d24881975135445ba2b420532db85fd3 |
C:\Windows\SysWOW64\akmisof.dll
| Hash | Value |
|---|---|
| MD5 | f37b21c00fd81bd93c89ce741a88f183 |
| SHA1 | b2796500597c68e2f5638e1101b46eaf32676c1c |
| SHA256 | 76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0 |
| SHA512 | 252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4 |
memory/1292-52-0x0000000000400000-0x0000000000414000-memory.dmp
memory/2016-53-0x0000000000400000-0x0000000000414000-memory.dmp