Malware Analysis Report

2024-11-30 07:55

Sample ID 240603-f9n6dadc71
Target f50a91a39c5aeaba83559ee22bc96c3a5748b0e3b15a8fcdafeb6012bd068680
SHA256 f50a91a39c5aeaba83559ee22bc96c3a5748b0e3b15a8fcdafeb6012bd068680
Tags persistence spyware stealer
Score 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

f50a91a39c5aeaba83559ee22bc96c3a5748b0e3b15a8fcdafeb6012bd068680

Threat Level: Shows suspicious behavior

The file f50a91a39c5aeaba83559ee22bc96c3a5748b0e3b15a8fcdafeb6012bd068680 shows suspicious behavior.

Malicious Activity Summary

persistence spyware stealer

Drops startup file

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Adds Run key to start application

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 05:34

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 05:34

Reported

2024-06-03 05:37

Platform

win7-20240419-en

Max time kernel

149s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f50a91a39c5aeaba83559ee22bc96c3a5748b0e3b15a8fcdafeb6012bd068680.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe C:\Users\Admin\AppData\Local\Temp\f50a91a39c5aeaba83559ee22bc96c3a5748b0e3b15a8fcdafeb6012bd068680.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe N/A
N/A N/A C:\UserDot0L\xoptisys.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot0L\\xoptisys.exe" C:\Users\Admin\AppData\Local\Temp\f50a91a39c5aeaba83559ee22bc96c3a5748b0e3b15a8fcdafeb6012bd068680.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxEJ\\optixec.exe" C:\Users\Admin\AppData\Local\Temp\f50a91a39c5aeaba83559ee22bc96c3a5748b0e3b15a8fcdafeb6012bd068680.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f50a91a39c5aeaba83559ee22bc96c3a5748b0e3b15a8fcdafeb6012bd068680.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe N/A
N/A N/A C:\UserDot0L\xoptisys.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2288 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\f50a91a39c5aeaba83559ee22bc96c3a5748b0e3b15a8fcdafeb6012bd068680.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
PID 2288 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\f50a91a39c5aeaba83559ee22bc96c3a5748b0e3b15a8fcdafeb6012bd068680.exe C:\UserDot0L\xoptisys.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f50a91a39c5aeaba83559ee22bc96c3a5748b0e3b15a8fcdafeb6012bd068680.exe

"C:\Users\Admin\AppData\Local\Temp\f50a91a39c5aeaba83559ee22bc96c3a5748b0e3b15a8fcdafeb6012bd068680.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"

C:\UserDot0L\xoptisys.exe

C:\UserDot0L\xoptisys.exe

Network

N/A

Files

\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe


C:\Users\Admin\253086396416_6.1_Admin.ini


C:\UserDot0L\xoptisys.exe


C:\GalaxEJ\optixec.exe


C:\Users\Admin\253086396416_6.1_Admin.ini


C:\GalaxEJ\optixec.exe


Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 05:34

Reported

2024-06-03 05:37

Platform

win10v2004-20240226-en

Max time kernel

153s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f50a91a39c5aeaba83559ee22bc96c3a5748b0e3b15a8fcdafeb6012bd068680.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe C:\Users\Admin\AppData\Local\Temp\f50a91a39c5aeaba83559ee22bc96c3a5748b0e3b15a8fcdafeb6012bd068680.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe N/A
N/A N/A C:\AdobeLQ\devdobec.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeLQ\\devdobec.exe" C:\Users\Admin\AppData\Local\Temp\f50a91a39c5aeaba83559ee22bc96c3a5748b0e3b15a8fcdafeb6012bd068680.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax3P\\boddevsys.exe" C:\Users\Admin\AppData\Local\Temp\f50a91a39c5aeaba83559ee22bc96c3a5748b0e3b15a8fcdafeb6012bd068680.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f50a91a39c5aeaba83559ee22bc96c3a5748b0e3b15a8fcdafeb6012bd068680.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe N/A
N/A N/A C:\AdobeLQ\devdobec.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f50a91a39c5aeaba83559ee22bc96c3a5748b0e3b15a8fcdafeb6012bd068680.exe

"C:\Users\Admin\AppData\Local\Temp\f50a91a39c5aeaba83559ee22bc96c3a5748b0e3b15a8fcdafeb6012bd068680.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"

C:\AdobeLQ\devdobec.exe

C:\AdobeLQ\devdobec.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4092 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe


C:\Users\Admin\253086396416_10.0_Admin.ini


C:\AdobeLQ\devdobec.exe


C:\AdobeLQ\devdobec.exe


C:\Galax3P\boddevsys.exe


C:\Users\Admin\253086396416_10.0_Admin.ini


C:\Galax3P\boddevsys.exe
