Malware Analysis Report

2025-04-03 11:53

Sample ID 241109-2yw8hathlc
Target 67b1e96d7d7ce6991390d47a028849d173c63aad039578b3623697e96bbfbdec
SHA256 67b1e96d7d7ce6991390d47a028849d173c63aad039578b3623697e96bbfbdec
Tags
discovery persistence spyware stealer
score
7/10

Analysis Overview

score
7/10

SHA256

67b1e96d7d7ce6991390d47a028849d173c63aad039578b3623697e96bbfbdec

Threat Level: Shows suspicious behavior

Verdict for 67b1e96d7d7ce6991390d47a028849d173c63aad039578b3623697e96bbfbdec: shows suspicious behavior.

Malicious Activity Summary

discovery persistence spyware stealer

Reads user/profile data of web browsers

Executes dropped EXE

Loads dropped DLL

Drops startup file

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 22:59

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 22:59

Reported

2024-11-09 23:02

Platform

win7-20241023-en

Max time kernel

150s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\67b1e96d7d7ce6991390d47a028849d173c63aad039578b3623697e96bbfbdec.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe C:\Users\Admin\AppData\Local\Temp\67b1e96d7d7ce6991390d47a028849d173c63aad039578b3623697e96bbfbdec.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe N/A
N/A N/A C:\UserDot4X\xbodloc.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot4X\\xbodloc.exe" C:\Users\Admin\AppData\Local\Temp\67b1e96d7d7ce6991390d47a028849d173c63aad039578b3623697e96bbfbdec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidQS\\bodasys.exe" C:\Users\Admin\AppData\Local\Temp\67b1e96d7d7ce6991390d47a028849d173c63aad039578b3623697e96bbfbdec.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\67b1e96d7d7ce6991390d47a028849d173c63aad039578b3623697e96bbfbdec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\UserDot4X\xbodloc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\67b1e96d7d7ce6991390d47a028849d173c63aad039578b3623697e96bbfbdec.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe N/A
N/A N/A C:\UserDot4X\xbodloc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2536 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\67b1e96d7d7ce6991390d47a028849d173c63aad039578b3623697e96bbfbdec.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
PID 2536 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\67b1e96d7d7ce6991390d47a028849d173c63aad039578b3623697e96bbfbdec.exe C:\UserDot4X\xbodloc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\67b1e96d7d7ce6991390d47a028849d173c63aad039578b3623697e96bbfbdec.exe

"C:\Users\Admin\AppData\Local\Temp\67b1e96d7d7ce6991390d47a028849d173c63aad039578b3623697e96bbfbdec.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"

C:\UserDot4X\xbodloc.exe

C:\UserDot4X\xbodloc.exe

Network

N/A

Files

\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe

MD5 5ad94913838093f343e4a60cd3a44215
SHA1 6b593ce23fa7c256a00472b753c4ee6004460b1b
SHA256 c6ee987b8bb384aef32dad51cce17783f17508504afdd0bf114d7014043534cf
SHA512 d2a68f930ccc437bdfe1a474358202de2e217f2b69ca8097e0cbd8ce5fa304f377ccb616d553fc64ba45b76cad16d64e16c62e94552595d6268beda80f049c57

C:\Users\Admin\253086396416_6.1_Admin.ini

MD5 7f47cf79d6d6d263d7ed1996d4dc3d8d
SHA1 e42621286c15bc29d6ccee4ed0bd2d41bb4d4920
SHA256 4bf02bd3f87bbf6d8012b70ecdb1bb97838ceca67bfe062578eac4f2078eba73
SHA512 5deeffe99ee8f4a4424cee5b5744cfa131041cf9161c907ac65794d4eebcfffa0183bdbe49f611d329011d211737e30045d5a28d1da2e669ec09c087db061fad

C:\UserDot4X\xbodloc.exe

MD5 5962dbd4f0a2394aa537cd723833a16e
SHA1 65e897893e83d9808b7138031d14bd7572b5fb4d
SHA256 ab5cf60687436f50a5a661660b398921bd549ae35abc8b958cb8dc5a2f939b62
SHA512 793ecce1d6cef355b4d4caf36a35a5e55733603679a408f643489df664ba3ca41551a1e84c80f1f9a928fc58178b3de5dccbb17f62c32978e49480de2b816afe

C:\VidQS\bodasys.exe

MD5 7cc2cb69601abbb85c545717680b8f5a
SHA1 1ebc78431f9757f3423eb4c67d1f1b3fc0016966
SHA256 0e5a0a0c85ac94b56fb856cfe4a6d82713ec08f3907188e7f2035f2e0d1b2e16
SHA512 3b1a5955eaf4c8e88811636265b1ddddb2684d7a16875317e121ce66d158b6927d2cf94bb09a1b7609f6d6275b2f9ba58ccca405d2621233b379952c69f9721d

C:\Users\Admin\253086396416_6.1_Admin.ini

MD5 1e76116b89e740b08ec6775c5c501898
SHA1 4eac4da947925b104771a02efe8851abb430dbc8
SHA256 ba132b31bcd147fdbc8c0f227137bfbd8d66a44ab005b027754b10b4214fbe01
SHA512 89fd3a8f72fafca12be755ef6e7f6a216e3e7f6da07aa7847a1a45c810aad75484c88a765e5832229c7bb1854cdeedc3a05787288ef7567cbf9b02f2681a8c3f

C:\VidQS\bodasys.exe

MD5 49bfe52d5788d1dc19f686eb108eff1d
SHA1 b950461ee53630cedde99f9acf357f7ec1636209
SHA256 782da301de17e1b8d28123c75ed40c06c190412a168010377414ca25ddceb681
SHA512 b759ae7692b715d1e1835e39a8d4bfca99169e5f6b59b4d9b0cf227326247600f37e67c4ac046d8a57120abe89e1197ca36d1234cb3d99ec42a37bd1a96084ba

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 22:59

Reported

2024-11-09 23:02

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\67b1e96d7d7ce6991390d47a028849d173c63aad039578b3623697e96bbfbdec.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe C:\Users\Admin\AppData\Local\Temp\67b1e96d7d7ce6991390d47a028849d173c63aad039578b3623697e96bbfbdec.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe N/A
N/A N/A C:\Intelproc4T\abodsys.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB1I\\bodaloc.exe" C:\Users\Admin\AppData\Local\Temp\67b1e96d7d7ce6991390d47a028849d173c63aad039578b3623697e96bbfbdec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc4T\\abodsys.exe" C:\Users\Admin\AppData\Local\Temp\67b1e96d7d7ce6991390d47a028849d173c63aad039578b3623697e96bbfbdec.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Intelproc4T\abodsys.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\67b1e96d7d7ce6991390d47a028849d173c63aad039578b3623697e96bbfbdec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\67b1e96d7d7ce6991390d47a028849d173c63aad039578b3623697e96bbfbdec.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe N/A
N/A N/A C:\Intelproc4T\abodsys.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\67b1e96d7d7ce6991390d47a028849d173c63aad039578b3623697e96bbfbdec.exe

"C:\Users\Admin\AppData\Local\Temp\67b1e96d7d7ce6991390d47a028849d173c63aad039578b3623697e96bbfbdec.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"

C:\Intelproc4T\abodsys.exe

C:\Intelproc4T\abodsys.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 66.209.201.84.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe

MD5 f35cd532b4fa14fd280d81639800b8b9
SHA1 3c78e8c15a94fadd9119f463c8f0bad7ed6dc9c7
SHA256 6189e955943e72c79a84f34638863ee4f2b82042d39275aa4939bba2d1793056
SHA512 741b41a86df3d1b1a3859a6d5f5007473d2a2146be66a66705fe78c13c2914fa48dab7fa09f21774dfebb8e389a26af42c11a91b6405bc831e632ae2350ef2ab

C:\Users\Admin\253086396416_10.0_Admin.ini

MD5 ccefec56fb88e6985b3ef5149b55b0c9
SHA1 50ea94e2a35c6256b3f1c273496792e8c040282c
SHA256 b70b0963e10124cac4c06444c4438d450bb75b810a2283ec98f68c102239d0e2
SHA512 5a40f321d1cf7efb2036cca9a5064b9c61f48cd5ec9aeeea81434e1465f92641df19da8e7f0a2f02bd12a878cdc5229afe8610fee1e9a871e8f95a08d96d7ff5

C:\Intelproc4T\abodsys.exe

MD5 df31e766fc5c0af4850303c17d3dd0fa
SHA1 6170b443c31ef40a20f8390a2d0d05f31554f757
SHA256 5e05143bf2bcb5350cbfefeeb1ed345f3d57088ae97fab9660d530b01414a846
SHA512 a2b9669db515632ddb05e463e1f0bf822345e476eb2cf714d87901c2a82486922be7fec9787d15f903ffb408f18dd03c5e1732e599bfbe6b97f74e14ed886c6c

C:\KaVB1I\bodaloc.exe

MD5 5f2020df1941fa4dc31eb8e7c6f6b728
SHA1 e29542518683e8afed1825b8481ef626b2666d1b
SHA256 0cb91b2e10de628b5a45ad32332fcd3039bb4adcb120db7a3b4243a288e65cff
SHA512 94ca0a4246b61ce47213ea75b402aaefb4e07d422305598530ffdc4cc94e6f179d1dfa690e4b75e5f6fa5f82d6997f21a90d5ebdf795282686b8f6f4fc1e77b4

C:\Users\Admin\253086396416_10.0_Admin.ini

MD5 c9b4075249f315dcfecc57fa034a1b2d
SHA1 c37bb9d6a1a2a5b390a2a997bccccdc38151aef8
SHA256 2c7149fe9073a9d62455d4dec3e32808855dfc99a75f8cf6c980a89130bbcd6a
SHA512 8ed176ba43d4d370a98d3b6eedc7f64a37ea44d1a9b29e50eb2e9de7f2d0986ce06e7b5bd3d7f3f448eba695161e6dce72de17fb7c95f227dedd59899a4c469c

C:\KaVB1I\bodaloc.exe

MD5 8b5fdd3dcd7b29a143aff9aee5056d62
SHA1 9f52ca5deeeec92867fe6f38494db58a34042a0e
SHA256 8b0e8604aed7cf12760c60beb58f7791e92d29b0bf5a101ec82bed4c44fcbe76
SHA512 ea42e3840c35100c7410deeb86180e3df05b040d3f48ca5e25e7c9340df93072311e99723b11d3335d217d30d0f1475cd19d4da9d4def83b5527bbfa913f01f3