Malware Analysis Report

2025-08-06 01:43

Sample ID 241108-2wrv1a1lbt
Target 9a38f84baf0934882be057f989c6df5d6371da4d79af07f17dc622485f076b0aN
SHA256 9a38f84baf0934882be057f989c6df5d6371da4d79af07f17dc622485f076b0a
Tags
discovery persistence spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

9a38f84baf0934882be057f989c6df5d6371da4d79af07f17dc622485f076b0a

Threat Level: Shows suspicious behavior

The file 9a38f84baf0934882be057f989c6df5d6371da4d79af07f17dc622485f076b0aN was classified as showing suspicious behavior (score 7/10): it drops and executes a copy of itself into the user's Startup folder, registers Run and RunOnce values, reads browser profile data and writes into the memory of the processes it spawns. No network command-and-control was observed in either detonation.

Malicious Activity Summary

discovery persistence spyware stealer

Drops startup file

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-08 22:56

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-08 22:56

Reported

2024-11-08 22:58

Platform

win7-20240903-en

Max time kernel

119s

Max time network

16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9a38f84baf0934882be057f989c6df5d6371da4d79af07f17dc622485f076b0aN.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe C:\Users\Admin\AppData\Local\Temp\9a38f84baf0934882be057f989c6df5d6371da4d79af07f17dc622485f076b0aN.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocPJ\\aoptiloc.exe" C:\Users\Admin\AppData\Local\Temp\9a38f84baf0934882be057f989c6df5d6371da4d79af07f17dc622485f076b0aN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZVO\\optidevec.exe" C:\Users\Admin\AppData\Local\Temp\9a38f84baf0934882be057f989c6df5d6371da4d79af07f17dc622485f076b0aN.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\9a38f84baf0934882be057f989c6df5d6371da4d79af07f17dc622485f076b0aN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\IntelprocPJ\aoptiloc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
(identical rows collapsed; Count is the number of times the row appears in the raw report)
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a38f84baf0934882be057f989c6df5d6371da4d79af07f17dc622485f076b0aN.exe N/A 2
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe N/A 31
N/A N/A C:\IntelprocPJ\aoptiloc.exe N/A 31

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
(identical rows collapsed; Count is the number of times the row appears in the raw report)
PID 2548 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\9a38f84baf0934882be057f989c6df5d6371da4d79af07f17dc622485f076b0aN.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe 4
PID 2548 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\9a38f84baf0934882be057f989c6df5d6371da4d79af07f17dc622485f076b0aN.exe C:\IntelprocPJ\aoptiloc.exe 4
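The behavioral1 signatures above describe one chain: the sample in %TEMP% drops an executable into the Startup folder, writes Run and RunOnce values named "Parametr" that point at binaries in freshly created top-level directories, then writes into the memory of the two children it spawned. The block below is an added example, not part of the sandbox report or any vendor tooling: it expresses those three observations as detection rules and runs them over constructed Sysmon-style events (plain dicts using Sysmon's field names for Event IDs 1, 11, 13 and 10) built from the rows above. Two assumptions are labelled in the code: the "wrote to memory of" rows are mapped onto Event ID 10 (ProcessAccess) with PROCESS_VM_WRITE in GrantedAccess, because Sysmon has no WriteProcessMemory event, and the benign control events (a fictitious C:\Program Files\Vendor\ installer) are invented to show the rules stay quiet on normal autostart installs.

```python
"""Detection logic for the persistence and injection pattern in the behavioral1 rows.

Added example, not part of the sandbox report. Three rules run over constructed
Sysmon-style events: Event ID 13 (registry value set), 11 (file create), 1 (process
create) and 10 (process access). Mapping the report's "wrote to memory of" rows onto
Event ID 10 with PROCESS_VM_WRITE is an assumption: Sysmon has no WriteProcessMemory
event, and a parent that only uses the handle returned by CreateProcess never opens
the child, so treat that rule as a supporting signal rather than a standalone alert.
"""
import re
from dataclasses import dataclass

RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# Where a legitimately installed autostart binary normally lives. A freshly created
# top-level directory such as C:\IntelprocPJ or C:\LabZVO fails this check.
NORMAL_ROOTS = re.compile(r"^[A-Z]:\\(Program Files( \(x86\))?|Windows|Users\\[^\\]+\\AppData)\\", re.IGNORECASE)
PROCESS_VM_WRITE = 0x0020  # access right WriteProcessMemory needs on the target handle


@dataclass
class Alert:
    rule: str
    pid: int
    detail: str


def run_value_target(details: str) -> str:
    """Executable path from Run value data: '"C:\\x\\a.exe" --flag' -> 'C:\\x\\a.exe'."""
    details = details.strip()
    if details.startswith('"'):
        end = details.find('"', 1)
        return details[1:end] if end > 0 else details[1:]
    return details.split(" ", 1)[0]


def detect(events):
    """Return the alerts raised by a batch of events, in event order."""
    alerts = []
    parent_of = {}  # child pid -> parent pid, learned from Event ID 1 in this batch
    for ev in events:
        eid = ev["EventID"]
        if eid == 1:
            parent_of[ev["ProcessId"]] = ev["ParentProcessId"]
        elif eid == 13 and RUN_KEY.search(ev["TargetObject"]):
            name = ev["TargetObject"].rsplit("\\", 1)[-1]
            target = run_value_target(ev["Details"])
            # "Parametr" is the value name this sample used in both detonations; the path
            # tests are the generalisation that does not depend on that one string.
            if name == "Parametr" or TEMP_DIR.search(target) or not NORMAL_ROOTS.match(target):
                alerts.append(Alert("run_key_persistence", ev["ProcessId"], f"{ev['TargetObject']} -> {target}"))
        elif eid == 11 and STARTUP_DIR.search(ev["TargetFilename"]) and ev["TargetFilename"].lower().endswith(".exe"):
            if TEMP_DIR.search(ev["Image"]) or not NORMAL_ROOTS.match(ev["Image"]):
                alerts.append(Alert("startup_folder_drop", ev["ProcessId"], ev["TargetFilename"]))
        elif eid == 10:
            src, dst = ev["SourceProcessId"], ev["TargetProcessId"]
            if int(ev["GrantedAccess"], 16) & PROCESS_VM_WRITE and parent_of.get(dst) == src:
                alerts.append(Alert("parent_writes_child_memory", src, f"{src} -> {dst} {ev['TargetImage']}"))
    return alerts


MAIN = r"C:\Users\Admin\AppData\Local\Temp\9a38f84baf0934882be057f989c6df5d6371da4d79af07f17dc622485f076b0aN.exe"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
HKU = "HKU\\S-1-5-21-4177215427-74451935-3209572229-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\"

# Constructed from the behavioral1 rows (PIDs 2548, 1620 and 1664 are the report's).
SAMPLE_EVENTS = [
    {"EventID": 11, "ProcessId": 2548, "Image": MAIN, "TargetFilename": STARTUP + r"\locdevopti.exe"},
    {"EventID": 13, "ProcessId": 2548, "TargetObject": HKU + r"Run\Parametr", "Details": r"C:\IntelprocPJ\aoptiloc.exe"},
    {"EventID": 13, "ProcessId": 2548, "TargetObject": HKU + r"RunOnce\Parametr", "Details": r"C:\LabZVO\optidevec.exe"},
    {"EventID": 1, "ProcessId": 1620, "ParentProcessId": 2548, "Image": STARTUP + r"\locdevopti.exe"},
    {"EventID": 1, "ProcessId": 1664, "ParentProcessId": 2548, "Image": r"C:\IntelprocPJ\aoptiloc.exe"},
    {"EventID": 10, "SourceProcessId": 2548, "TargetProcessId": 1620, "GrantedAccess": "0x1FFFFF",
     "TargetImage": STARTUP + r"\locdevopti.exe"},
    {"EventID": 10, "SourceProcessId": 2548, "TargetProcessId": 1664, "GrantedAccess": "0x1FFFFF",
     "TargetImage": r"C:\IntelprocPJ\aoptiloc.exe"},
]
# Constructed controls (fictitious vendor): the same actions from Program Files must stay silent.
BENIGN_EVENTS = [
    {"EventID": 11, "ProcessId": 900, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetFilename": STARTUP + r"\VendorTray.exe"},
    {"EventID": 13, "ProcessId": 900, "TargetObject": HKU + r"Run\VendorTray",
     "Details": r'"C:\Program Files\Vendor\tray.exe" --minimized'},
    {"EventID": 10, "SourceProcessId": 4, "TargetProcessId": 900, "GrantedAccess": "0x1000",
     "TargetImage": r"C:\Program Files\Vendor\setup.exe"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Running the block prints five alerts for the constructed sample batch (one Startup drop, two Run/RunOnce writes, two parent-to-child memory writes) and none for the control batch. The Run-key rule fires on the value name alone only because "Parametr" recurs in both detonations of this sample; the path checks are what you would keep in a general rule.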

Processes

C:\Users\Admin\AppData\Local\Temp\9a38f84baf0934882be057f989c6df5d6371da4d79af07f17dc622485f076b0aN.exe

"C:\Users\Admin\AppData\Local\Temp\9a38f84baf0934882be057f989c6df5d6371da4d79af07f17dc622485f076b0aN.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"

C:\IntelprocPJ\aoptiloc.exe

C:\IntelprocPJ\aoptiloc.exe

Network

N/A

Files

\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe

MD5 7d3a2be3e79342359eee08f91e3ff343
SHA1 1f9cc926d59351d1e9bcb618e2e08860167abc76
SHA256 f37cc54d6e4d8994cdef37954626c7d09712b98c6ca2bca73384a27fcccb9c89
SHA512 4c66240460bf9f0d93a00dc68ce83bb012ffd65ce9102f7694d38dcb7f5a62c0f3cf2e8976cdd7200106e9334c22c546526a3fa4bdce5b9c76da7b20af4bb788

C:\IntelprocPJ\aoptiloc.exe

MD5 801beee79e3724b97b2abb5d6dea1a7c
SHA1 c6e5946b6d43578793637a6dc672bb3ab7b75663
SHA256 cc0c637ee6fb39b58c55d6b5f902404de554716da89692abae4753740f03c3be
SHA512 68e94ed3902d4b67e0155aa63c1ae98fa43f5beaeaaee15c264df11920655431bee63fbbb944d508066ddf4adea841b56ffe48b126d7cb9db2e003951e0a8266

C:\Users\Admin\253086396416_6.1_Admin.ini (the "6.1" component matches the Windows 7 kernel version of this platform; the win10 run below writes a "10.0" variant)

MD5 562e6815f8f52c39e8a05c4651bd7117
SHA1 d0c35e9cf5aaf60b539fcb4f6430f12e13bd52db
SHA256 ef4d728e571cc96f7e58a2ae6dcc918d7d79d2a40fbdd7e2d57a283a640ce075
SHA512 5a22b9fa0754e83cbac748a7e13085b8ead11131ae17c890b50c973326409eca9998cdd5fc31063cbf34a45858a453764da2c93a7311a1951cf6a74b0e6c6366

C:\LabZVO\optidevec.exe

MD5 01b1255701d529b787dbbd24fbefa25d
SHA1 4aa15aced1bf4e9b5a75f77c4680a6b8b7f53d0a
SHA256 e29118e858b820a30ffd55d3419c6d175b04d87ccf38cc0f74d155331a4fdca6
SHA512 3a965796d8d0419f0dae1dd47af96d76b0c47a80b7c6a6490701f06bac63abbf2b6ec7cd17cb19f30e163eb513bec0103202f72b45e5ba8e7ea3d09628ce8c0f

C:\Users\Admin\253086396416_6.1_Admin.ini (same path captured a second time; the hashes differ, so the file was rewritten during the run)

MD5 60f946a8ff82c9507ddba9db39450ac6
SHA1 d87a24b58b504ebfe48bcac8232bfa527df4ed67
SHA256 f9f61ee0f97f271d6969213531810b42e2d786d04fc027c987c020367033e46a
SHA512 71ffe46aae665ca596433d7fdf32627eedfaf191041436c6db8c21be9502500c29d67f78262cf0b2f0f21a15dafd6c953eadf632457d348a1c2ddf57e2cf7a9d

C:\LabZVO\optidevec.exe (same path captured a second time; the hashes differ, so the file was rewritten during the run)

MD5 63a0ef76826092fea4e01baf01c034cd
SHA1 7928773c93e5415d90fd843aab4e88e2aac63b3e
SHA256 352b43cb6571752f0384b3ed426685390fdd95e60df6c0b18aa1f88a8218eb8a
SHA512 b2733d1ed6b87c98dfef20ace52c15ca20dff53f02d54fd5a6c2b737b9466b7558f984a590f2e4ec2e2d30c0096bb1b2173787d969cc3ab54f96f3428c03fb0c

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-08 22:56

Reported

2024-11-08 22:58

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

99s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9a38f84baf0934882be057f989c6df5d6371da4d79af07f17dc622485f076b0aN.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe C:\Users\Admin\AppData\Local\Temp\9a38f84baf0934882be057f989c6df5d6371da4d79af07f17dc622485f076b0aN.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe N/A
N/A N/A C:\IntelprocP8\devoptisys.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocP8\\devoptisys.exe" C:\Users\Admin\AppData\Local\Temp\9a38f84baf0934882be057f989c6df5d6371da4d79af07f17dc622485f076b0aN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidXX\\optidevloc.exe" C:\Users\Admin\AppData\Local\Temp\9a38f84baf0934882be057f989c6df5d6371da4d79af07f17dc622485f076b0aN.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\IntelprocP8\devoptisys.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\9a38f84baf0934882be057f989c6df5d6371da4d79af07f17dc622485f076b0aN.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
(identical rows collapsed; Count is the number of times the row appears in the raw report)
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a38f84baf0934882be057f989c6df5d6371da4d79af07f17dc622485f076b0aN.exe N/A 4
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe N/A 30
N/A N/A C:\IntelprocP8\devoptisys.exe N/A 30

Processes

C:\Users\Admin\AppData\Local\Temp\9a38f84baf0934882be057f989c6df5d6371da4d79af07f17dc622485f076b0aN.exe

"C:\Users\Admin\AppData\Local\Temp\9a38f84baf0934882be057f989c6df5d6371da4d79af07f17dc622485f076b0aN.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"

C:\IntelprocP8\devoptisys.exe

C:\IntelprocP8\devoptisys.exe

Network

All thirteen entries are reverse (PTR) DNS lookups sent to 8.8.8.8; the report records no outbound TCP or HTTP connection and does not attribute any of these queries to the sample's processes. The Domain column holds the queried in-addr.arpa name, whose octets are the looked-up address in reverse order.

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 101.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 27.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe

MD5 d9355b932a2f3111c0a844777417eda4
SHA1 35dc36a0a4368e52d47d1d0f6cf6aa0654fc3a42
SHA256 a8370d80f6adc6132d4323af460a2939819e25c70f0ed75028c647a3803c9be0
SHA512 8e9c5ee9f143abc570b1008e0edb62ffc357ce61c58116614a3bac3d485fe5c33e3d0365b28ed938caef29d76bfa205bb920f2d4c6cefd0d8b721511ec9bfbe6

C:\Users\Admin\253086396416_10.0_Admin.ini (the "10.0" component matches the Windows 10 kernel version of this platform)

MD5 fcaea7b76b0e21bf60930b4909c0f057
SHA1 9445e986c1c73656279bba0e4cb22c35f1724243
SHA256 b2b72fb66b9952d800fa3cfcb0d34219d17396a8d32398a0c1f00e5d40a12472
SHA512 617abd0b56acf5605c0382306d2c8ef34e7f9e18cdf19a77f9b03e59eb918f3dbf62307856d7a95f8b65797c5934d1b23855ef3b352c2c03bf6f50594da9171d

C:\IntelprocP8\devoptisys.exe

MD5 0a6404cc3bbf2135abcfcc84ea75ae6f
SHA1 dd2774bedaa068ae4ba628c84c16d08063047bfa
SHA256 f4fb96614be3ff20169ea1700f2d1a9ee42643b7405fefb3fd6cb9e919b50a46
SHA512 a536c2c7f7c108b6f224324dcf6cc2e13a80eaa6759b3f15e6b1e8588fadf1ae1dea2b836acc9c3b3a1acbc8b775a837fc45f6415530e93f328df0869409f345

C:\IntelprocP8\devoptisys.exe (same path captured a second time; the hashes differ, so the file was rewritten during the run)

MD5 a04b09f03eff3192c60700c54901ec0b
SHA1 6c3399d1da12a0312dc05fe95390d8761acb78cb
SHA256 b660ce4aeb3336d9309c3b4561615cc954b342a7cf427aceb6472c39760100a6
SHA512 d7c6f1b954fdcf1f867824d8e98aa30b39595ebd6ce75048220d0ec9a306feca7a4a0f6eb0f0befb7d4f8947ae1c6599316cbd02ce85773446d31287266f08ea

C:\VidXX\optidevloc.exe

MD5 55e5583b4ab728b17c5b3939ee6edcea
SHA1 72522072be08beb75fb78497b1a8cb28a12a5f14
SHA256 bd991b1100364fe54837dadf697935678b2d3f8ab6a68f900f333d2b9b9b2425
SHA512 2777032158ecfb8d3ed613b16505564a3ca37c0ce7eb7d2c51651345b4de8c5e2bdbfe99d8a4198cf689200047e9891c67fef952c70b32977fd9753df00eb782

C:\Users\Admin\253086396416_10.0_Admin.ini (same path captured a second time; the hashes differ, so the file was rewritten during the run)

MD5 785c54c5d24eb900c7fbabfd93ac2250
SHA1 1af2ae20cadfa75423c0142ede5c327cd2e5c268
SHA256 0aad6d062df8cab5131fb9b7c21f629114de9109b67753ae829c96ad519a487d
SHA512 c4e45ac62fe63cbfb14af8bb1ac12657ae54817d7fed4c3444517f82d8391fb33bd07059f2c7250c5cebd7ae5abeccf389fae50a8a5860a3078f6fdaa41c40bc

C:\VidXX\optidevloc.exe (same path captured a second time; the hashes differ, so the file was rewritten during the run)

MD5 fcd715620aebe94a77fca5e29bd4db67
SHA1 02d5ef7053de1e626a8c44b81e41a097ac06b13e
SHA256 898fa0b796d2f6c4486990a74f22e56a29ab436ec6e7b0702310b3090ee36c74
SHA512 9ddd12107b0c0594279aa0270542a7c61f7debd48125934c3df9bb178d0b00c92497b1750f65474ab049b7cfc70895d48d2da674195fe4ea68a7f07b7562ca97
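Read side by side, the behavioral1 and behavioral2 sections show which indicators survive a second detonation and which are regenerated: the Run and RunOnce value name "Parametr" and the Startup-folder drop recur, while every directory name, dropped file name and file hash changes. The block below is an added example, not part of the sandbox report: it parses the report's own flattened rows (Set value, File created, "wrote to memory of", the Files hash blocks and the Network PTR rows) into structured IOCs and then intersects the two runs. The input strings are lines copied from the two sections above, trimmed to the rows the parser handles and embedded inline so the script runs offline.

```python
"""Turn the report's flattened signature, file and network rows into structured IOCs
and compare the two detonations. Added example, not part of the sandbox report; the
input strings below are lines copied from the behavioral1 and behavioral2 sections.
"""
import re
from collections import defaultdict

SET_VALUE = re.compile(r'^Set value \(str\) (?P<key>\S+) = "(?P<val>[^"]*)" (?P<proc>.+?) N/A$')
FILE_CREATED = re.compile(r"^File created (?P<path>.+?\.exe) (?P<proc>.+?) N/A$")
MEM_WRITE = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<srcimg>.+?\.exe) (?P<dstimg>.+?\.exe)$")
PTR_ROW = re.compile(r"^\S+ \S+ (?P<ptr>(?:\d{1,3}\.){4})in-addr\.arpa \S+$")
HASH_ROW = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")
PATH_ROW = re.compile(r"^(\\|[A-Z]:\\)")  # a Files entry starts with its path, then hash lines


def parse_report(lines):
    """One pass over report lines; a Files entry is a path line followed by its hash lines."""
    ioc = {"run_values": [], "startup_drops": [], "memory_writes": [], "hashes": defaultdict(list), "ptr_ips": []}
    current_path = None
    for raw in lines:
        line = raw.strip()
        if m := SET_VALUE.match(line):
            key, name = m["key"].rsplit("\\", 1)
            # The report escapes backslashes in registry data ("C:\\Intel..."); unescape them.
            ioc["run_values"].append((key.rsplit("\\", 1)[-1], name, m["val"].replace("\\\\", "\\")))
        elif m := FILE_CREATED.match(line):
            ioc["startup_drops"].append(m["path"])
        elif m := MEM_WRITE.match(line):
            hit = (int(m["src"]), int(m["dst"]), m["dstimg"])
            if hit not in ioc["memory_writes"]:  # the report repeats each write several times
                ioc["memory_writes"].append(hit)
        elif m := PTR_ROW.match(line):
            # 217.106.137.52.in-addr.arpa is the PTR name for 52.137.106.217: octets are reversed.
            ioc["ptr_ips"].append(".".join(reversed(m["ptr"].rstrip(".").split("."))))
        elif m := HASH_ROW.match(line):
            if current_path and m[1] == "SHA256":
                ioc["hashes"][current_path].append(m[2])
        elif PATH_ROW.match(line):
            current_path = line
    return ioc


def compare_runs(a, b):
    """Indicators that survive across detonations are worth hunting on; the rest is per-run noise."""
    def names(r):
        return {(key, name) for key, name, _ in r["run_values"]}

    def dirs(r):
        return {p.rsplit("\\", 1)[0] for p in r["startup_drops"]}

    def sha256s(r):
        return {h for hs in r["hashes"].values() for h in hs}

    return {
        "run_value_names": sorted(names(a) & names(b)),
        "startup_dirs": sorted(dirs(a) & dirs(b)),
        "shared_sha256": sorted(sha256s(a) & sha256s(b)),
        "run_targets_differ": {t for _, _, t in a["run_values"]} != {t for _, _, t in b["run_values"]},
    }


# Rows copied from the behavioral1 section (win7), trimmed to what the parser handles.
BEHAVIORAL1 = r"""
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocPJ\\aoptiloc.exe" C:\Users\Admin\AppData\Local\Temp\9a38f84baf0934882be057f989c6df5d6371da4d79af07f17dc622485f076b0aN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZVO\\optidevec.exe" C:\Users\Admin\AppData\Local\Temp\9a38f84baf0934882be057f989c6df5d6371da4d79af07f17dc622485f076b0aN.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe C:\Users\Admin\AppData\Local\Temp\9a38f84baf0934882be057f989c6df5d6371da4d79af07f17dc622485f076b0aN.exe N/A
PID 2548 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\9a38f84baf0934882be057f989c6df5d6371da4d79af07f17dc622485f076b0aN.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
PID 2548 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\9a38f84baf0934882be057f989c6df5d6371da4d79af07f17dc622485f076b0aN.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
PID 2548 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\9a38f84baf0934882be057f989c6df5d6371da4d79af07f17dc622485f076b0aN.exe C:\IntelprocPJ\aoptiloc.exe
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
MD5 7d3a2be3e79342359eee08f91e3ff343
SHA256 f37cc54d6e4d8994cdef37954626c7d09712b98c6ca2bca73384a27fcccb9c89
C:\IntelprocPJ\aoptiloc.exe
SHA256 cc0c637ee6fb39b58c55d6b5f902404de554716da89692abae4753740f03c3be
"""

# Rows copied from the behavioral2 section (win10), trimmed to what the parser handles.
BEHAVIORAL2 = r"""
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocP8\\devoptisys.exe" C:\Users\Admin\AppData\Local\Temp\9a38f84baf0934882be057f989c6df5d6371da4d79af07f17dc622485f076b0aN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidXX\\optidevloc.exe" C:\Users\Admin\AppData\Local\Temp\9a38f84baf0934882be057f989c6df5d6371da4d79af07f17dc622485f076b0aN.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe C:\Users\Admin\AppData\Local\Temp\9a38f84baf0934882be057f989c6df5d6371da4d79af07f17dc622485f076b0aN.exe N/A
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 101.209.201.84.in-addr.arpa udp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
SHA256 a8370d80f6adc6132d4323af460a2939819e25c70f0ed75028c647a3803c9be0
C:\IntelprocP8\devoptisys.exe
SHA256 f4fb96614be3ff20169ea1700f2d1a9ee42643b7405fefb3fd6cb9e919b50a46
"""

if __name__ == "__main__":
    run1, run2 = parse_report(BEHAVIORAL1.splitlines()), parse_report(BEHAVIORAL2.splitlines())
    for key, value in compare_runs(run1, run2).items():
        print(key, value)
```

The comparison comes out as expected from the two sections: the shared indicators are the Run and RunOnce value name "Parametr" and the user's Startup folder, the Run targets differ, and no SHA256 is shared, so file hashes from one run are useless for finding the next infection and the registry value name plus the drop location are what a hunt should key on.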