Malware Analysis Report

2024-11-30 07:53

Sample ID 240603-ghf65adf71
Target fb5989738faca580f539daf3ad1c1a2f723fb128275134a9745bbdb48d7aa777
SHA256 fb5989738faca580f539daf3ad1c1a2f723fb128275134a9745bbdb48d7aa777
Tags
persistence spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

fb5989738faca580f539daf3ad1c1a2f723fb128275134a9745bbdb48d7aa777

Threat Level: Shows suspicious behavior

The file fb5989738faca580f539daf3ad1c1a2f723fb128275134a9745bbdb48d7aa777 was found to show suspicious behavior.

Malicious Activity Summary

persistence spyware stealer

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Drops startup file

Adds Run key to start application

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 05:48

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 05:48

Reported

2024-06-03 05:50

Platform

win7-20240508-en

Max time kernel

150s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fb5989738faca580f539daf3ad1c1a2f723fb128275134a9745bbdb48d7aa777.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe C:\Users\Admin\AppData\Local\Temp\fb5989738faca580f539daf3ad1c1a2f723fb128275134a9745bbdb48d7aa777.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe N/A
N/A N/A C:\UserDotEG\xdobloc.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotEG\\xdobloc.exe" C:\Users\Admin\AppData\Local\Temp\fb5989738faca580f539daf3ad1c1a2f723fb128275134a9745bbdb48d7aa777.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZH4\\boddevloc.exe" C:\Users\Admin\AppData\Local\Temp\fb5989738faca580f539daf3ad1c1a2f723fb128275134a9745bbdb48d7aa777.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fb5989738faca580f539daf3ad1c1a2f723fb128275134a9745bbdb48d7aa777.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe N/A
N/A N/A C:\UserDotEG\xdobloc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1904 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\fb5989738faca580f539daf3ad1c1a2f723fb128275134a9745bbdb48d7aa777.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
PID 1904 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\fb5989738faca580f539daf3ad1c1a2f723fb128275134a9745bbdb48d7aa777.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
PID 1904 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\fb5989738faca580f539daf3ad1c1a2f723fb128275134a9745bbdb48d7aa777.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
PID 1904 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\fb5989738faca580f539daf3ad1c1a2f723fb128275134a9745bbdb48d7aa777.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
PID 1904 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\fb5989738faca580f539daf3ad1c1a2f723fb128275134a9745bbdb48d7aa777.exe C:\UserDotEG\xdobloc.exe
PID 1904 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\fb5989738faca580f539daf3ad1c1a2f723fb128275134a9745bbdb48d7aa777.exe C:\UserDotEG\xdobloc.exe
PID 1904 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\fb5989738faca580f539daf3ad1c1a2f723fb128275134a9745bbdb48d7aa777.exe C:\UserDotEG\xdobloc.exe
PID 1904 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\fb5989738faca580f539daf3ad1c1a2f723fb128275134a9745bbdb48d7aa777.exe C:\UserDotEG\xdobloc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\fb5989738faca580f539daf3ad1c1a2f723fb128275134a9745bbdb48d7aa777.exe

"C:\Users\Admin\AppData\Local\Temp\fb5989738faca580f539daf3ad1c1a2f723fb128275134a9745bbdb48d7aa777.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"

C:\UserDotEG\xdobloc.exe

C:\UserDotEG\xdobloc.exe

Network

N/A

Files

\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe

MD5 b7ce3d96ed2eae43fbff12fabfddea61
SHA1 cca20e563680278312288e4837b1f133befe6855
SHA256 349aabb46d08255ef1edbb49ac73c4b4aea179407619b8ded91baf90cf26b259
SHA512 be4252467038d0febb383b924cc367d103b4e420cadecdc60a065833a7133ba64a4b6482946811d980b7b62d73168caa77b58c31364bac359b662942acc49ee9

C:\Users\Admin\253086396416_6.1_Admin.ini

MD5 ee129eb44fb023bd52fccd204aed6852
SHA1 d7ceca78b36bcd23012401c7837e8d33f2b15652
SHA256 7894460e593d9cd5521ce1f3740e395553e73b038296cd288210b363dd6e95a8
SHA512 800f4f0c5b26df12d2d90e2768161bfe501b074405ad3a124e1337d80d54b30d2610e1a6ff1202e8da53d465ad19d573557039e3ca9d352d519269c5277d8f4e

C:\UserDotEG\xdobloc.exe

MD5 f1eba410de9ae20a71164337c3f0ed62
SHA1 f5bb3c4624d89ad2de6f8314abdbf6debb1efd2e
SHA256 8fb2731c4591287a0c8deafcf0f49ea4a457c0d4e668809d39638fe9d8e8ce49
SHA512 a4bce017e4be40ae7ffdb69f2d31e8549dd0ea866c5c0a225179d190863659ac3d021576c35bea38141ecaf728685f9bd55c19b0aebddfea776d65f3284d2368

C:\LabZH4\boddevloc.exe

MD5 1c5ca0f427c0991d13699ebfbcccf79e
SHA1 579ffcb5804e4df36968c4ad790cb570348d5c13
SHA256 0fc34c0bbd0dad0e41a7581ff3d36d42bba51af91244158c9310ceccdb1ed980
SHA512 c5bae5f1b5affcac55927e9601c7a9f38a72992217f7b603e68e877704e065b1b9252e48dc2365a859f8d8b41f7a9fa181bb969bfc42acd0cf7f8d3f0418c908

C:\Users\Admin\253086396416_6.1_Admin.ini

MD5 8c3ab458e6ac60419fb362853981a58a
SHA1 3f51913ce0be3080cbc323384e077ff2dfb0b3d7
SHA256 03c251a9b8f9751059d5a9e5e66981e34692340907e542bc8d3328e416ea48b7
SHA512 91de8b2ebaa8aab0c39ba812699d2f3b6327cff360b01c3562b57a83dc8cd77687e637ccc604145446370028bab7188f38479f92ea2567103d5bb8808bff88d8

C:\LabZH4\boddevloc.exe

MD5 4c026ae806777f73d5b2448b1ece46fe
SHA1 8fcf647fcefd602bd4c8a742d51fa94febf2a66e
SHA256 219aaf32ddb938ab0eb922d3cf1cf5ce054dd928b3f34633000f039645e6f746
SHA512 e0312b459b91d9ecf9a3d94f66547367b6bbaa65237f053b8639035c0ba2d6fedb17cef6480ae65c3240a6d2d5c87a7512d57f95f1f40eb0ed6b0b379552dc15

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 05:48

Reported

2024-06-03 05:50

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fb5989738faca580f539daf3ad1c1a2f723fb128275134a9745bbdb48d7aa777.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe C:\Users\Admin\AppData\Local\Temp\fb5989738faca580f539daf3ad1c1a2f723fb128275134a9745bbdb48d7aa777.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe N/A
N/A N/A C:\FilesPI\aoptiec.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesPI\\aoptiec.exe" C:\Users\Admin\AppData\Local\Temp\fb5989738faca580f539daf3ad1c1a2f723fb128275134a9745bbdb48d7aa777.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintI0\\boddevec.exe" C:\Users\Admin\AppData\Local\Temp\fb5989738faca580f539daf3ad1c1a2f723fb128275134a9745bbdb48d7aa777.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fb5989738faca580f539daf3ad1c1a2f723fb128275134a9745bbdb48d7aa777.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe N/A
N/A N/A C:\FilesPI\aoptiec.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\fb5989738faca580f539daf3ad1c1a2f723fb128275134a9745bbdb48d7aa777.exe

"C:\Users\Admin\AppData\Local\Temp\fb5989738faca580f539daf3ad1c1a2f723fb128275134a9745bbdb48d7aa777.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"

C:\FilesPI\aoptiec.exe

C:\FilesPI\aoptiec.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4488,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=4168 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe

MD5 87df644322b03d52199403f3378a7221
SHA1 e0304e38bc69366ccb7fa3f320ddf00d93d7482f
SHA256 448c4bdf8003fbe16ce2a19e3b9020fcfa03a21e9323821c4f8b0b2b28b7f5fb
SHA512 dfaa957a8bc41f4338a0fad8cf8ba2c10903d420665203a328d455739c5db516348579f522f3994271ad1c15f74cbcea75f96899ee7871321404d8ba054b7b3d

C:\Users\Admin\253086396416_10.0_Admin.ini

MD5 828ff3a257150c01c74e66ffbb5ec01a
SHA1 6e46ccf9f6ebe0e70d6bba879abc63a2cd9f634d
SHA256 59fe1de57c3299b27a5e6ab2a42d01d39b86eb100b0ac85285dddb783504092d
SHA512 a5b911d21e99bcc58ce313e08ffe1ce2f93b513952c1c543f50cb45a092311d470c82f7e44bae29e9fa48c263a02753bb5f831ce309b52f5d8bfa3265f711f19

C:\FilesPI\aoptiec.exe

MD5 3181321c898ae392fe45d77292abea9f
SHA1 fedc81dec184428048743b8e42d1fc58c80f25cf
SHA256 a962e080e40dcf77a7d91909033cf87b258a1056656d1e063b7c5f1ec6100fa7
SHA512 7e18a696b830267c7d66dc54296b54a10459873b26520bfc2e554c28624211f38a0f7a7aea5fcb2e1e4a2a294927219be3de89e9758b18f90b47e73d1cf0918d

C:\MintI0\boddevec.exe

MD5 6d6dae27d15e8853734b5130f5ab971e
SHA1 98f741ee5df81df402ec4b4311c99036055b7273
SHA256 8c7590bae21ad04249ba675f8e983c90f1362cb914bf2a0921349cc4cba8be17
SHA512 759e92b6bb6ff7b3f7e1cb4bdabbaedb7eb539fe710f4d624f1945a5f68030fcff9e4aad06d3b750afdaf57127584fade1d5b7d98f9f74a2a92bb66cc49ddc65

C:\Users\Admin\253086396416_10.0_Admin.ini

MD5 543aad135b13b563616ce4c23248d453
SHA1 5ce20d983773ea3619f3f14bdac82a3e2672fd8b
SHA256 cdcac49fa15a16cd7a600d2f3d0d08eac50599f8c85a98c5067c97c3c978f77b
SHA512 1ca46fa83001816282d7d3b64452099d31f9532651ebb6560a26faa12194df6423d37a3d316b987b026fff94c091a570b44befe2bcc5d0bcd110f3d8faf8074d

C:\MintI0\boddevec.exe

MD5 ac21cd7ab07d98ec93759fdef42a4062
SHA1 650579bea9f359d5bda0fb340b05543b9a5df5b8
SHA256 e708318130c710978044ae5437a26ff87dfe7ad3b6e419216bf19487415faae9
SHA512 88a38b8046494f779096dae6051454e79d26c98074181fd68575fd36ecc275e5bac2c7971ef9a5069e44401ebfd15f3eccf5dd3f3149b0e94732cc78c567cdfa