Malware Analysis Report

2025-03-15 04:35

Sample ID 241027-1wnb5stcnf
Target 3be18c1c785e685cf41c889455ffd4b200735fa8127077bc82fd49651ca54291
SHA256 3be18c1c785e685cf41c889455ffd4b200735fa8127077bc82fd49651ca54291
Tags
discovery persistence spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

3be18c1c785e685cf41c889455ffd4b200735fa8127077bc82fd49651ca54291

Threat Level: Shows suspicious behavior

The file 3be18c1c785e685cf41c889455ffd4b200735fa8127077bc82fd49651ca54291 was found to show suspicious behavior.

Malicious Activity Summary

discovery persistence spyware stealer

Loads dropped DLL

Reads user/profile data of web browsers

Drops startup file

Executes dropped EXE

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-27 22:00

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-27 22:00

Reported

2024-10-27 22:02

Platform

win7-20240903-en

Max time kernel

150s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3be18c1c785e685cf41c889455ffd4b200735fa8127077bc82fd49651ca54291.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe C:\Users\Admin\AppData\Local\Temp\3be18c1c785e685cf41c889455ffd4b200735fa8127077bc82fd49651ca54291.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe N/A
N/A N/A C:\FilesVS\adobec.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesVS\\adobec.exe" C:\Users\Admin\AppData\Local\Temp\3be18c1c785e685cf41c889455ffd4b200735fa8127077bc82fd49651ca54291.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintYP\\optidevsys.exe" C:\Users\Admin\AppData\Local\Temp\3be18c1c785e685cf41c889455ffd4b200735fa8127077bc82fd49651ca54291.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3be18c1c785e685cf41c889455ffd4b200735fa8127077bc82fd49651ca54291.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\FilesVS\adobec.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3be18c1c785e685cf41c889455ffd4b200735fa8127077bc82fd49651ca54291.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe N/A
N/A N/A C:\FilesVS\adobec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1224 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\3be18c1c785e685cf41c889455ffd4b200735fa8127077bc82fd49651ca54291.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
PID 1224 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\3be18c1c785e685cf41c889455ffd4b200735fa8127077bc82fd49651ca54291.exe C:\FilesVS\adobec.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3be18c1c785e685cf41c889455ffd4b200735fa8127077bc82fd49651ca54291.exe

"C:\Users\Admin\AppData\Local\Temp\3be18c1c785e685cf41c889455ffd4b200735fa8127077bc82fd49651ca54291.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"

C:\FilesVS\adobec.exe

C:\FilesVS\adobec.exe

Network

N/A

Files

\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe

MD5 0059ff4b7a1426cc483ebee31d8cb361
SHA1 bbb08ed762c8db39f67a7cc877de4ac3d326bae4
SHA256 efee66f0475def6d0a92bf683467c5e3b44cebb774fc63ff9e593da03eb9e460
SHA512 b8bbb0f04d7156b248ac7f0ab9d5c16d601fa0c3a5b401cad195324ff9d303534c1a2949b8b01c4921189edb838e95c7b8aa6cc3e0ab23a308c048da7c0b86ba

C:\Users\Admin\253086396416_6.1_Admin.ini

MD5 20d769232717fabdda710b0b6c90eb2e
SHA1 fc4dae80868058d4ee8a7f4a1ae4e85c03567f7d
SHA256 c219694525d5b9d73a0c8cad3a94f24fe0b630c1c42dbe016c3ddfe0ecb7560b
SHA512 cd3c4f469f990ef58f04be93dad6ad239dd7ccd18c60899354107a6a2a4a1640a0071739c4d1c72eae566840253858f13a97780ac2570ba32170f9c132b15ea4

C:\FilesVS\adobec.exe

MD5 98c7159eeef3a02f0eb82bcd5d2e8713
SHA1 abed90a7055eae200612e2fc81d633e1fba4bba0
SHA256 a09c65bacf76269d3d9dbfdfec31b0ceb09b5e4fb145cd38fd2f5ee47f10f8e8
SHA512 3f08968b7002c3037341704b999b2fe6c10ff648c802cbbe2c343561791d6e29e3b6d0016a60ddc211086550af3957780a85686454511a8f951d428c86b695b9

C:\MintYP\optidevsys.exe

MD5 9e1c744b67bf0f2b1d1f7bf7bb3c2387
SHA1 c1fba4c38e48a1ee3370230c9b8904ad9d3bd5b9
SHA256 39dac141f087112c76d0a767cc42da44d82a4e342d06037cc1fb22274702f862
SHA512 23e607f9cffff08f32bc0e94c73181c99980eec03d472746f33ce9073619f1eefe20aa2df51b3d7ecaf91dca7bde2cf4d287ec433ebc0de7c272068a5bffe667

C:\Users\Admin\253086396416_6.1_Admin.ini

MD5 3f2780d1758ffae77265f12dcb6c2373
SHA1 9784c80beaa295b684bf2cac3cf7bcee8aa9b84a
SHA256 59949dd6906e8333ae26a27e70a17b3d7c34f699641d66b33a78a95f9d1254d1
SHA512 ddb15610ecf7d776003bbdf4ea63fd351fb20ef298bc389d20e2247ee0666e8ade7e9f1a9cbc235abea75f479376047e07f26f78c06a264140dbaecda77a2b60

C:\MintYP\optidevsys.exe

MD5 10c17e1e480e81e40da9d86ca83197a7
SHA1 6c31d0c1ed4354841077fc9699e84e314934690b
SHA256 b7e7c7a03b00563de84170c9bd266fe2c9e1a1c14f80fc2f1302a75d02b3b962
SHA512 ee88df0a716b85eeb94cd2c763f469b4221d1527a6d8731c112941cdbb1a79e18b41ea5dbc96c1b78370fb88dd586b6e640dca41f43a2a6e0f4dc1810c68d0c9

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-27 22:00

Reported

2024-10-27 22:02

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3be18c1c785e685cf41c889455ffd4b200735fa8127077bc82fd49651ca54291.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe C:\Users\Admin\AppData\Local\Temp\3be18c1c785e685cf41c889455ffd4b200735fa8127077bc82fd49651ca54291.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe N/A
N/A N/A C:\IntelprocGE\abodsys.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocGE\\abodsys.exe" C:\Users\Admin\AppData\Local\Temp\3be18c1c785e685cf41c889455ffd4b200735fa8127077bc82fd49651ca54291.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZNE\\dobasys.exe" C:\Users\Admin\AppData\Local\Temp\3be18c1c785e685cf41c889455ffd4b200735fa8127077bc82fd49651ca54291.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3be18c1c785e685cf41c889455ffd4b200735fa8127077bc82fd49651ca54291.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\IntelprocGE\abodsys.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3be18c1c785e685cf41c889455ffd4b200735fa8127077bc82fd49651ca54291.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe N/A
N/A N/A C:\IntelprocGE\abodsys.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3be18c1c785e685cf41c889455ffd4b200735fa8127077bc82fd49651ca54291.exe

"C:\Users\Admin\AppData\Local\Temp\3be18c1c785e685cf41c889455ffd4b200735fa8127077bc82fd49651ca54291.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"

C:\IntelprocGE\abodsys.exe

C:\IntelprocGE\abodsys.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 69.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe

MD5 6d1b2a8896414bb57536286a735014a7
SHA1 e18581b60c3fed96c40c7e93222d8dbc0ba57769
SHA256 3e5a53b6a49e4387192fcf6e5eb44afb1db9e45a46caca18908493f971579e5f
SHA512 9459f68764a4129df751110aa1a57a55c739476ae64fc025db0026abd0369d1fc4ac1c03504ca82651e1df839ca2fbde63d2b724bbce272f10f7a81306ac0459

C:\Users\Admin\253086396416_10.0_Admin.ini

MD5 eac20f211960f1fffa5111dfb77f5f25
SHA1 f77586ea5677f1afa8c0dc84928d48127e624f41
SHA256 58c323050fb29fddd56b599fff4ade36f5420eb94ebe9227949f6d1010dd0bd6
SHA512 35a4f3f95a268a33af8e4b4cb4d5b5facc947296a3ccc4bc0f37dcf7226e70ba1b698f3835f4464f5d986d51879234c9976c237253d03f2d39b760ba5405a4cc

C:\IntelprocGE\abodsys.exe

MD5 5821568ff94147aa02d5a4ff586803bd
SHA1 4c4c0f7aeca6fa0e1d19ba91de56d5a6e6c7b61d
SHA256 6e7da111d11b21d2bb9a9433d79f3c67b9d14cbb3234ed7dee31be25d1b41b22
SHA512 36679696cfa1ef7647a8cb65e3ad49d0e086c79a9bb27abccd205ab07eab0c00bf135e51e0c9208ab842b783a3ca51eb5fbcc8a2cdc9db6ce01212fc4a619ff6

C:\IntelprocGE\abodsys.exe

MD5 0c012ba5d2a9356a4ce3e1d42cacf765
SHA1 99cf4a2ec0e12fed746c7feb1692c67e001ba85a
SHA256 22683b0a7c5fc867d8f4ac39b79ab69a7597e65c3ce496059e86180f14f1a621
SHA512 0d50fbf5b72792b8f7f4bdd94d4342886813b8f9bf2c005cfdaf61ffb6fa7e7f52e7ae29fb65048557746c75b5de7dd6934f037cc6b2adb363b37a2d2a6a4d74

C:\LabZNE\dobasys.exe

MD5 91cd5a43071637064ef419edbaf35a3e
SHA1 cee9020f0a3236085e5783cef9ed12243fd9ebb7
SHA256 cfdb6e899bce2d1511579d12f0991e9ba2e82c848421b6dbd3acbf4053d56ff1
SHA512 51e2922c9a5733fb33dfe9ebd5adcf906e56fd323164d6e16ef9744319d09b5f670f063bd61f26320da37711990c7648ba67b3a41650ab1015f44b382b5c42ca

C:\Users\Admin\253086396416_10.0_Admin.ini

MD5 28cc1663b8302576ce94becdc3e1f6ad
SHA1 87773e8c0b1067ee05a256c6a861519dd2ed4878
SHA256 b52b3c82be74c38a5479980374d1410f7d6f0a80bb6d6c5e9f8246a15b27af03
SHA512 a290dada6ef19e1c0756eb018b263164a176ee216b74b80d9fd86b06aeb075297c4956a364ea09f4def48ff5b7e8f344da68e2f22c4027586d39766b6ca958e8

C:\LabZNE\dobasys.exe

MD5 3e725823158a6cb975a0eaa085c55b92
SHA1 739c8cbf251b710319ea26ca9dfa49b9ed292b6c
SHA256 293ef4746c532bd499c3c0a64c733e493b08289bdfe535acf3429935b584ab6b
SHA512 a994bda1efad62cab0257e636debeb68f5e842bc04057c4413862e0a326b8404f5d23edf080faa4bfdca7a4ccf7f693c35295de73216a3c42b42a596229c6cb8