File name: 0038bdc3f6efd1ba604b565f4a164580N.exe
Full analysis: https://app.any.run/tasks/4e8171dd-8d80-4097-96eb-69c97f2ac4c6
Verdict: Malicious activity
Analysis date: July 11, 2024, 16:47:14
OS: Windows 10 Professional (build: 19045, 64 bit)
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5: 0038BDC3F6EFD1BA604B565F4A164580
SHA1: 6207607507409CA5A599436A5BDEACCE4FA698C3
SHA256: 4DDB24932630EDE8DBEFF7C03BC834F125458EDE54BDC18771867517E947CC75
SSDEEP: 98304:rJ7jtnQ7wnz9NNDJgq2X1azoTyL3BbLskPra2TtAsVSd7wfPcTgblHFo:SY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • 0038bdc3f6efd1ba604b565f4a164580N.exe (PID: 2140)
    • Changes the autorun value in the registry

      • 0038bdc3f6efd1ba604b565f4a164580N.exe (PID: 2140)
  • SUSPICIOUS

    • Loads DLL from Mozilla Firefox

      • default-browser-agent.exe (PID: 3692)
    • Executable content was dropped or overwritten

      • 0038bdc3f6efd1ba604b565f4a164580N.exe (PID: 2140)
    • The process executes via Task Scheduler

      • default-browser-agent.exe (PID: 3692)
    • Starts itself from another location

      • 0038bdc3f6efd1ba604b565f4a164580N.exe (PID: 2140)
  • INFO

    • Checks supported languages

      • 0038bdc3f6efd1ba604b565f4a164580N.exe (PID: 2140)
      • devdobec.exe (PID: 2364)
      • default-browser-agent.exe (PID: 3692)
    • Reads the computer name

      • 0038bdc3f6efd1ba604b565f4a164580N.exe (PID: 2140)
      • devdobec.exe (PID: 2364)
    • Application launched itself

      • firefox.exe (PID: 3156)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.1)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: 3.22
CodeSize: 1530400
InitializedDataSize: 118596
UninitializedDataSize: 38228
EntryPoint: 0x2ec0
OSVersion: 4
ImageVersion: 1
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 6.0.0.0
ProductVersionNumber: 6.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
FileDescription: System Devices Optimizer
InternalName: Devices Optimus
ProductName: Devices Optimus
ProductVersion: 6.0.0.0
Comments: -
CompanyName: -
FileVersion: 6.0.0.0
LegalCopyright: -
LegalTrademarks: -
OriginalFileName: -
Total processes: 125
Monitored processes: 5
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start
0038bdc3f6efd1ba604b565f4a164580n.exe
devdobec.exe (no specs)
default-browser-agent.exe (no specs)
firefox.exe (no specs)
firefox.exe (no specs)

Process information

PID: 2140
CMD: "C:\Users\admin\Desktop\0038bdc3f6efd1ba604b565f4a164580N.exe"
Path: C:\Users\admin\Desktop\0038bdc3f6efd1ba604b565f4a164580N.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: System Devices Optimizer
Version: 6.0.0.0
Modules (images):
c:\users\admin\desktop\0038bdc3f6efd1ba604b565f4a164580n.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
PID: 2364
CMD: C:\AdobeOP\devdobec.exe
Path: C:\AdobeOP\devdobec.exe
Parent process: 0038bdc3f6efd1ba604b565f4a164580N.exe
User: admin
Integrity Level: MEDIUM
Description: System Devices Optimizer
Version: 6.0.0.0
Modules (images):
c:\adobeop\devdobec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
PID: 3156
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" --backgroundtask defaultagent do-task 308046B0AF4A39CB
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: default-browser-agent.exe
User: admin
Company: Mozilla Corporation
Integrity Level: MEDIUM
Description: Firefox
Version: 123.0
Modules (images):
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\vcruntime140_1.dll
c:\program files\mozilla firefox\vcruntime140.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
PID: 3692
CMD: "C:\Program Files\Mozilla Firefox\default-browser-agent.exe" do-task "308046B0AF4A39CB"
Path: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
Parent process: svchost.exe
User: admin
Company: Mozilla Foundation
Integrity Level: MEDIUM
Version: 123.0
Modules (images):
c:\program files\mozilla firefox\default-browser-agent.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ole32.dll
PID: 4524
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" --backgroundtask defaultagent do-task 308046B0AF4A39CB
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: MEDIUM
Description: Firefox
Version: 123.0
Modules (images):
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
Total events: 1 943
Read events: 1 934
Write events: 9
Delete events: 0

Modification events

(PID) Process: (2140) 0038bdc3f6efd1ba604b565f4a164580N.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: Parametr
Value: C:\AdobeOP\devdobec.exe

(PID) Process: (2140) 0038bdc3f6efd1ba604b565f4a164580N.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Operation: write
Name: Parametr
Value: C:\LabZQ4\dobxsys.exe

(PID) Process: (3156) firefox.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\Launcher
Operation: write
Name: C:\Program Files\Mozilla Firefox\firefox.exe|Launcher
Value: 69838DB501000000

(PID) Process: (4524) firefox.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\Launcher
Operation: write
Name: C:\Program Files\Mozilla Firefox\firefox.exe|Browser
Value: 69338EB501000000

(PID) Process: (4524) firefox.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\PreXULSkeletonUISettings
Operation: write
Name: C:\Program Files\Mozilla Firefox\firefox.exe|Progress
Value: 0

(PID) Process: (4524) firefox.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\PreXULSkeletonUISettings
Operation: write
Name: C:\Program Files\Mozilla Firefox\firefox.exe|Progress
Value: 1

(PID) Process: (4524) firefox.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\DllPrefetchExperiment
Operation: write
Name: C:\Program Files\Mozilla Firefox\firefox.exe
Value: 0

(PID) Process: (4524) firefox.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\PreXULSkeletonUISettings
Operation: write
Name: C:\Program Files\Mozilla Firefox\firefox.exe|Theme
Value: 1

(PID) Process: (4524) firefox.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\Launcher
Operation: write
Name: C:\Program Files\Mozilla Firefox\firefox.exe|Telemetry
Value: 0
Executable files: 2
Suspicious files: 0
Text files: 3
Unknown types: 2

Dropped files

PID | Process | Filename | Type
2140 | 0038bdc3f6efd1ba604b565f4a164580N.exe | C:\Users\admin\272924909568_10.0_admin.ini | text
  MD5: A09619DD25A0D256FF5F9DD65A4D401D
  SHA256: 03344A99A3496BE8A403148882F9BF386650B33154D64E167E39D8F98842D5E7
2140 | 0038bdc3f6efd1ba604b565f4a164580N.exe | C:\LabZQ4\dobxsys.exe | executable
  MD5: F95AEC052482C661A7319AD4477F8194
  SHA256: 870AC54C400C96EFA531C394C7655FDACF21D8029EAAB3F2F46BB65CB81C4B1B
4524 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Background Tasks Profiles\93u99co2.MozillaBackgroundTask-308046B0AF4A39CB-defaultagent\datareporting\glean\db\data.safe.tmp | dbf
  MD5: 63B1BB87284EFE954E1C3AE390E7EE44
  SHA256: B017EE25A7F5C09EB4BF359CA721D67E6E9D9F95F8CE6F741D47F33BDE6EF73A
2140 | 0038bdc3f6efd1ba604b565f4a164580N.exe | C:\AdobeOP\devdobec.exe | executable
  MD5: 1EE2510DA5A258C1EF0252BC797E1A37
  SHA256: 3A8EC4F153CE0BDC8692C2ACC72FFC442243BED19D8B1CAE85408EC57445F810
4524 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Background Tasks Profiles\93u99co2.MozillaBackgroundTask-308046B0AF4A39CB-defaultagent\prefs.js | text
  MD5: E49289276493776ABDE07A97C3629FA3
  SHA256: 84454A31392236A7F5CAE9C619F04E82931E0BB43AEBCE4FD946287A3683C03A
4524 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Background Tasks Profiles\93u99co2.MozillaBackgroundTask-308046B0AF4A39CB-defaultagent\prefs-1.js | text
  MD5: E49289276493776ABDE07A97C3629FA3
  SHA256: 84454A31392236A7F5CAE9C619F04E82931E0BB43AEBCE4FD946287A3683C03A
4524 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Background Tasks Profiles\93u99co2.MozillaBackgroundTask-308046B0AF4A39CB-defaultagent\datareporting\glean\db\data.safe.bin | dbf
  MD5: 63B1BB87284EFE954E1C3AE390E7EE44
  SHA256: B017EE25A7F5C09EB4BF359CA721D67E6E9D9F95F8CE6F741D47F33BDE6EF73A
HTTP(S) requests: 3
TCP/UDP connections: 30
DNS requests: 13
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4780 | RUXIMICS.exe | GET | 200 | 2.21.20.137:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
4780 | RUXIMICS.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 200 | 52.182.143.215:443 | https://self.events.data.microsoft.com/OneCollector/1.0/ | unknown | binary | 9 b | -

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
2052 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4032 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
4780 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
2340 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
- | - | 92.123.104.50:443 | www.bing.com | Akamai International B.V. | DE | unknown
2052 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4780 | RUXIMICS.exe | 2.21.20.137:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
4780 | RUXIMICS.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158, 51.104.136.2, 51.124.78.146 | whitelisted
www.bing.com | 92.123.104.50, 92.123.104.52, 92.123.104.30, 92.123.104.29, 92.123.104.31, 92.123.104.24, 92.123.104.21, 92.123.104.34, 92.123.104.32 | whitelisted
google.com | 142.250.186.46 | whitelisted
crl.microsoft.com | 2.21.20.137, 2.21.20.133 | whitelisted
www.microsoft.com | 23.35.229.160 | whitelisted
self.events.data.microsoft.com | 13.89.179.11 | whitelisted

Threats

No threats detected
No debug info