Malware Analysis Report

2024-12-01 01:49

Sample ID 241110-bt8smawfml
Target a84e2a9401911877fe73f99301e8dc0e21cc27cfedbf4baa97523931e0ea276d
SHA256 a84e2a9401911877fe73f99301e8dc0e21cc27cfedbf4baa97523931e0ea276d
Tags discovery persistence spyware stealer
Score 7/10

Analysis Overview

Score 7/10

SHA256 a84e2a9401911877fe73f99301e8dc0e21cc27cfedbf4baa97523931e0ea276d

Threat Level: Shows suspicious behavior

The file a84e2a9401911877fe73f99301e8dc0e21cc27cfedbf4baa97523931e0ea276d was classified as: shows suspicious behavior.

Malicious Activity Summary

discovery persistence spyware stealer

Drops startup file

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-11-10 01:27

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-11-10 01:27

Reported 2024-11-10 01:29

Platform win7-20241023-en

Max time kernel 149s

Max time network 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a84e2a9401911877fe73f99301e8dc0e21cc27cfedbf4baa97523931e0ea276d.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe C:\Users\Admin\AppData\Local\Temp\a84e2a9401911877fe73f99301e8dc0e21cc27cfedbf4baa97523931e0ea276d.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe N/A
N/A N/A C:\AdobeQ8\xoptiloc.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeQ8\\xoptiloc.exe" C:\Users\Admin\AppData\Local\Temp\a84e2a9401911877fe73f99301e8dc0e21cc27cfedbf4baa97523931e0ea276d.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintOC\\dobasys.exe" C:\Users\Admin\AppData\Local\Temp\a84e2a9401911877fe73f99301e8dc0e21cc27cfedbf4baa97523931e0ea276d.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a84e2a9401911877fe73f99301e8dc0e21cc27cfedbf4baa97523931e0ea276d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\AdobeQ8\xoptiloc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a84e2a9401911877fe73f99301e8dc0e21cc27cfedbf4baa97523931e0ea276d.exe N/A (2 identical events)
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe N/A (31 identical events)
N/A N/A C:\AdobeQ8\xoptiloc.exe N/A (31 identical events)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2416 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\a84e2a9401911877fe73f99301e8dc0e21cc27cfedbf4baa97523931e0ea276d.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe (4 identical events)
PID 2416 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\a84e2a9401911877fe73f99301e8dc0e21cc27cfedbf4baa97523931e0ea276d.exe C:\AdobeQ8\xoptiloc.exe (4 identical events)

Processes

C:\Users\Admin\AppData\Local\Temp\a84e2a9401911877fe73f99301e8dc0e21cc27cfedbf4baa97523931e0ea276d.exe

"C:\Users\Admin\AppData\Local\Temp\a84e2a9401911877fe73f99301e8dc0e21cc27cfedbf4baa97523931e0ea276d.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"

C:\AdobeQ8\xoptiloc.exe

C:\AdobeQ8\xoptiloc.exe

Network

N/A

Files

\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe

MD5 e747ea170ad569fd392b744500ea32ca
SHA1 c7ffb8dd673d744bf43b6aac4289b116aaf1d568
SHA256 26118b34099af12189b57b1c5a2ddeba09afdf4e57c4bb9cf2ef8f8b2aab1174
SHA512 a97b237ce0848e0f9f645921b570b8f30fbbd3748936d85da016e9b994084df8355839a01fdbafcf3aa7beb41ba1e878fa034f9fce19a3e42b0c09fa22c7b00f

C:\Users\Admin\253086396416_6.1_Admin.ini

MD5 1d7a833a7ee28c87bac19095457c9814
SHA1 aebdf99d64940101632878c99aede0d1819fc37f
SHA256 512952ed898033f167498c9da09188e5a11a03b6026f599a2e772a9d51dcd065
SHA512 714d52c087657df99035bde8f54cbed8f4e16aefa84d897207d18f50a07dfb89b48d3a27812103b1ce70915a9015b94efc09086a8b206158db570088a6d56a49

C:\AdobeQ8\xoptiloc.exe

MD5 091ce6baaf2d0916f9dfa1461237e421
SHA1 5902212ceeb2154045b0a0da553e70d84839836b
SHA256 62d82aa88273576dc8bc487628badc080e5707046f846d8d591f81d64b06476e
SHA512 ce78e389b4871826f4ffc3f9d7319e0544025e916a576000b55e8cc09db59464fd1819ff9a6b3243546dfabdc5b47e99c70c6c95d09481db9e6d6a2621320e05

C:\MintOC\dobasys.exe

MD5 141ec5cbad77a389d1535761127df668
SHA1 644ef496f1484f798ed524126d578498a18873b6
SHA256 760495e8cab0f426af2b8ae5d2bc2392c5a27600c695f7eb2e21aa4745942ba6
SHA512 5fc86382d1d6ce03ce7cf56252de181b3094fa703cc4009015756bb6b4b080437e88950cb92eb1738666453c16a8c67a83c0e096e120aaa6f4992fd6a0d28ddd

\AdobeQ8\xoptiloc.exe

MD5 181ebcd52ddd5c1ba2308e8d557b217c
SHA1 e1aaa30ae73990eef866650c6db3122b4cee68ca
SHA256 e36439c01bccf73ba39685fc2f1742cacf6abbccb01cdc2cca9d75df2d48c3a7
SHA512 f7d3c6e2a772ddb342ed88f40a522e449216c32b6b516af1dcd349412a5f226cd1ad4e2906136fdadd247b683acd9f4c1cbd06c74eb008ad457d0d56623e3f3e

C:\Users\Admin\253086396416_6.1_Admin.ini

MD5 c7c7b75a00f6f13e99991930e5853f34
SHA1 c32f57f4e0beef73460e292039afcf9479258706
SHA256 dfd0670b78feb695a94bfa1d1be6efc3dcc2d06f54704349706113c075a2b0ff
SHA512 d2bc7e11f6e275da0b8d110ab2c063e96749c9270c52d84502e1402b687ceef3570c0786df6d0387f0bda3199f928c8e09ce7a2ad5c2bf2fc27d5b5cfa7f46ba

C:\MintOC\dobasys.exe

MD5 d841abf49829d9e87592cbd49b379999
SHA1 e2ee943a9b905fe75f9d4e1d284d749080897658
SHA256 8839db96a1695c254ccf301e11660f3a73a158f590164ef4e19cd390fce0092d
SHA512 81983248c8a03b8cd50456235933cc5bd4c5d39fbf3e5c16a3e3fe6f098fcc894823e352ac3f8cfcd6db5bf1ed2b851de4ac0744a503b5cb6e498910d72669ca

Analysis: behavioral2

Detonation Overview

Submitted 2024-11-10 01:27

Reported 2024-11-10 01:29

Platform win10v2004-20241007-en

Max time kernel 149s

Max time network 146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a84e2a9401911877fe73f99301e8dc0e21cc27cfedbf4baa97523931e0ea276d.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe C:\Users\Admin\AppData\Local\Temp\a84e2a9401911877fe73f99301e8dc0e21cc27cfedbf4baa97523931e0ea276d.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe N/A
N/A N/A C:\SysDrv4P\adobloc.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ8P\\dobdevec.exe" C:\Users\Admin\AppData\Local\Temp\a84e2a9401911877fe73f99301e8dc0e21cc27cfedbf4baa97523931e0ea276d.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv4P\\adobloc.exe" C:\Users\Admin\AppData\Local\Temp\a84e2a9401911877fe73f99301e8dc0e21cc27cfedbf4baa97523931e0ea276d.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a84e2a9401911877fe73f99301e8dc0e21cc27cfedbf4baa97523931e0ea276d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\SysDrv4P\adobloc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a84e2a9401911877fe73f99301e8dc0e21cc27cfedbf4baa97523931e0ea276d.exe N/A (4 identical events)
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe N/A (30 identical events)
N/A N/A C:\SysDrv4P\adobloc.exe N/A (30 identical events)

Processes

C:\Users\Admin\AppData\Local\Temp\a84e2a9401911877fe73f99301e8dc0e21cc27cfedbf4baa97523931e0ea276d.exe

"C:\Users\Admin\AppData\Local\Temp\a84e2a9401911877fe73f99301e8dc0e21cc27cfedbf4baa97523931e0ea276d.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"

C:\SysDrv4P\adobloc.exe

C:\SysDrv4P\adobloc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe

MD5 483acdf5e0704b3eca502769b0f55d0f
SHA1 e061f9506397f8634dd70610b74f3c4670bea4f2
SHA256 a4dfdde7f57b24b983e47fc2beb7012bdcf0834992620e6bfdecbc9dd06ea68b
SHA512 7de92cf8e4865ce7b28c44d933a4c50a2d58b0ed1a02dc0c3b590ca493cd3171c619b5aa37536d721807537262882c8794ab31a1cb0f73b4ea7c8b0a94c3c19a

C:\Users\Admin\253086396416_10.0_Admin.ini

MD5 4d76f01366edb09f9a69b63d072fdd13
SHA1 554eae849a6cad1d77f40e8da64e68e622a05dbd
SHA256 7cd2876037be32ce75e21b797d30223be5de9440a78b164e1fff368fe199af91
SHA512 dabd9a399097bb072f0df0e4242cde014e297d628cb767e1fda6e97a883e955aa3c55f9e6d115117ee2917f240da4dd50b872e87098d5f7da32a07f62e484828

C:\SysDrv4P\adobloc.exe

MD5 ac7b09f21c3b2531c0461f4f2a34c06e
SHA1 82274e126ed83ce4bd8bff7d50e82ea8582ec969
SHA256 e761503227d95567e181589bbd46f25e781e5f72247e5ff2dbb530f9d9caf7d9
SHA512 321a012aea18fcb1b5e7903c886b65689ad96c5dda109e0a5679ff9bf157865382c331d9f487890356c5d1514c241e8f9b270a6fdb8c3055e4dd3c0366c5cf23

C:\LabZ8P\dobdevec.exe

MD5 8bf869f3213a0bbde69afe3eb39b77fc
SHA1 c1434a2edf85de0d2e7985b349946b598c03e3a8
SHA256 35714eb730f144be9ac5e55b0b7686f9ff5b532f022b67ff2ebdfcda13830f10
SHA512 149cd757b88a204fe347577a969a4590336f80205605150c5ef59ac1ea63b3e098753cee41479ed276a2fd191caa65283157ddcb2fdf6d58b01b2671fa065527

C:\Users\Admin\253086396416_10.0_Admin.ini

MD5 92480703f4fdf9d47c155002d33a49e6
SHA1 87a1a71962fb943707531a56ae9c2453780e1236
SHA256 9208000e2a85ea13bf85f58ccd8417b3b7bb91e797cfc11c2946dc95f044bccc
SHA512 ae7df25526743011ca9887280eee1085719ea733dae253ce83b28e8a09cc13e4d63c9d3301c8a968f2b3246d988602154e3587cd27a82744557bb0820d927783

C:\LabZ8P\dobdevec.exe

MD5 c95f812959f00b51d3e524078b0f5274
SHA1 a497cfdda89ec7adc1916c623ef51778b15f20be
SHA256 b801c1fe10a0289dfe6ac84c5bdcd979974333e2f658a0a5bad204e56608cb65
SHA512 2be033e5c36bbea0181068d31f5b959f4d256760d60424d809908c4f0c866f81b435e596ed5283f76f1e369b7a09602767701c19d0954eb86bfe563bd782006c