Malware Analysis Report

2025-04-03 13:57

Sample ID: 241109-2ahefatdqg
Target: 6664c2b4793fd6a6fe46e9a4358b551b98cbaa988e42ff80ff4dccf6c71652ffN
SHA256: 6664c2b4793fd6a6fe46e9a4358b551b98cbaa988e42ff80ff4dccf6c71652ff
Tags: discovery persistence spyware stealer
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK: Enterprise Matrix V15
Analysis: static1 (Detonation Overview; Signatures)
Analysis: behavioral1 (Detonation Overview; Command Line; Signatures; Processes; Network; Files)
Analysis: behavioral2 (Detonation Overview; Command Line; Signatures; Processes; Network; Files)

Analysis Overview

Score: 7/10
SHA256: 6664c2b4793fd6a6fe46e9a4358b551b98cbaa988e42ff80ff4dccf6c71652ff
Threat Level: Shows suspicious behavior

The file 6664c2b4793fd6a6fe46e9a4358b551b98cbaa988e42ff80ff4dccf6c71652ffN.exe was classified as showing suspicious behavior (score 7/10). No malware family was assigned; the verdict rests on the generic behavior tags and signatures listed below.

Malicious Activity Summary

Tags: discovery persistence spyware stealer

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Drops startup file

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V15

Techniques that correspond to the signatures below: T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (the Run/RunOnce values and the executable dropped into the per-user Startup folder) and T1614.001 System Location Discovery: System Language Discovery (the reads of the NLS\Language key).

Analysis: static1

Detonation Overview

Reported: 2024-11-09 22:22

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-09 22:22
Reported: 2024-11-09 22:24
Platform: win7-20240903-en
Max time kernel: 119s
Max time network: 16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6664c2b4793fd6a6fe46e9a4358b551b98cbaa988e42ff80ff4dccf6c71652ffN.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe C:\Users\Admin\AppData\Local\Temp\6664c2b4793fd6a6fe46e9a4358b551b98cbaa988e42ff80ff4dccf6c71652ffN.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe N/A
N/A N/A C:\AdobeVR\xoptiec.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeVR\\xoptiec.exe" C:\Users\Admin\AppData\Local\Temp\6664c2b4793fd6a6fe46e9a4358b551b98cbaa988e42ff80ff4dccf6c71652ffN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB6F\\bodxec.exe" C:\Users\Admin\AppData\Local\Temp\6664c2b4793fd6a6fe46e9a4358b551b98cbaa988e42ff80ff4dccf6c71652ffN.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6664c2b4793fd6a6fe46e9a4358b551b98cbaa988e42ff80ff4dccf6c71652ffN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\AdobeVR\xoptiec.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\6664c2b4793fd6a6fe46e9a4358b551b98cbaa988e42ff80ff4dccf6c71652ffN.exe N/A 2
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe N/A 31
N/A N/A C:\AdobeVR\xoptiec.exe N/A 31
(Count: number of times the process triggered this signature during the run; the signature records no indicator text.)

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 2068 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\6664c2b4793fd6a6fe46e9a4358b551b98cbaa988e42ff80ff4dccf6c71652ffN.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe 4
PID 2068 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\6664c2b4793fd6a6fe46e9a4358b551b98cbaa988e42ff80ff4dccf6c71652ffN.exe C:\AdobeVR\xoptiec.exe 4

All eight writes come from the dropper (PID 2068) into the two child processes it launched (PIDs 2884 and 2728). A parent writing into a child it has just created is also what CreateProcess does while setting up the new process, so this signature on its own does not establish code injection; read together with the "Executes dropped EXE" rows it is consistent with plain process launches.

Processes

C:\Users\Admin\AppData\Local\Temp\6664c2b4793fd6a6fe46e9a4358b551b98cbaa988e42ff80ff4dccf6c71652ffN.exe

"C:\Users\Admin\AppData\Local\Temp\6664c2b4793fd6a6fe46e9a4358b551b98cbaa988e42ff80ff4dccf6c71652ffN.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"

C:\AdobeVR\xoptiec.exe

C:\AdobeVR\xoptiec.exe

Network

N/A

Files

A path that appears twice below was written twice during the run; each entry records one captured version of the file's content. The .ini file name carries the Windows version (6.1 is Windows 7; the Windows 10 run wrote 253086396416_10.0_Admin.ini) and the user name, with the numeric prefix identical in both runs.

\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe

MD5 1ac98686c25d9f3c9ac2ed826fdf1b9b
SHA1 d947c020f3dd9feffea7f7487955ac548494a55e
SHA256 228204d6eff5fac80c026e3cddebe352edd33aaec2a47279805fe7f198581c89
SHA512 7ec6a6a3117c481b5abbabd6f148ab587db1c9baa67ff7dd02929c379f438f110c3581ff1c4219df015dea39cbc0ec6dad8b31d76e4e9543054782583568ea43

C:\Users\Admin\253086396416_6.1_Admin.ini

MD5 05ec69ba5ae0a8d217c762e35de75606
SHA1 dcae221f4f5b13cafbe0806a700ca63d3f993875
SHA256 b2509ab34931061149e0569c6363608b019a8218b6de01d728a50689ef700df5
SHA512 3bd3fa507b06785b0792eb1ea764a614719659a6225eea86080508a2e5952ef05d949de4234b173f2a639b89a509b20c949cda7a37e1a262a8e67e7672bae911

C:\AdobeVR\xoptiec.exe

MD5 ffc5d6fcc4066adf6bf1e89631522ffa
SHA1 6e747f56b2ee1d8227b717f6fec4792830b98087
SHA256 f333b03ff48ba246eb27a47e4203a4938197333adceeeb04c7278fbc20779fa3
SHA512 15c478e45554881dc3afd5664c09c2a5cc6462de56f1bff0454900ad12d3e0ffdbe0923a7b5e39cc6f1aded82c57291cd7ad104d4a1acca438647a3c09c85bb2

C:\KaVB6F\bodxec.exe

MD5 f6cdc83b7b8cb2f9fabb05ac2fb91298
SHA1 c514c173940b24002c06e3a1b9cf3183dd60538b
SHA256 915e8eaf9b4727ed524a9fe50ed9a03d97d49886ab90bb3d9605feacb9f1dec3
SHA512 0141c11abba72ec6d1b94d704cfd6fbe25cbfe93652390500e455a1a8d87c32a8f8a42f91f17772884eeeb48ddbf228d8b5ad5b8ce3a622ff9d7bf58abba4ab3

C:\Users\Admin\253086396416_6.1_Admin.ini

MD5 ebd011a96fd5aa8e4e854ee7ea97ddce
SHA1 606654b2b5029469b4246a94ac188e9bbbee0604
SHA256 f0cc27e10c75fce16e6e1a47abc8d559cd97bf202bd2f74f584f06b8160bb443
SHA512 4f214638e2341c54bf1a9f5fe430079501175b8f37d38b1bc0731b69713f1b8aded6e5f764a7dee0f7886596518c66d3c676de1e69df792eff5f0f39e6083109

C:\KaVB6F\bodxec.exe

MD5 a0d93c62bfe22f0d8bda734267d7a2f7
SHA1 70c59b518bc986cac81cc5a181db4b9635e024a1
SHA256 d05c38f14d0ac21cff9c82bdc5061b764c7223ab560a27b3bd4b0a207c76bb34
SHA512 820e30e33691e8a251318199971155431c260c2b8731f29d2b5adb2c90f6c2fa6fe6300ca243d0e45c4f6c91370ef92a773264b361376dd44c2dca87f96f2a30

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-09 22:22
Reported: 2024-11-09 22:24
Platform: win10v2004-20241007-en
Max time kernel: 120s
Max time network: 102s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6664c2b4793fd6a6fe46e9a4358b551b98cbaa988e42ff80ff4dccf6c71652ffN.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe C:\Users\Admin\AppData\Local\Temp\6664c2b4793fd6a6fe46e9a4358b551b98cbaa988e42ff80ff4dccf6c71652ffN.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe N/A
N/A N/A C:\UserDotJ6\devoptiec.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintT0\\bodxsys.exe" C:\Users\Admin\AppData\Local\Temp\6664c2b4793fd6a6fe46e9a4358b551b98cbaa988e42ff80ff4dccf6c71652ffN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotJ6\\devoptiec.exe" C:\Users\Admin\AppData\Local\Temp\6664c2b4793fd6a6fe46e9a4358b551b98cbaa988e42ff80ff4dccf6c71652ffN.exe N/A
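The Run/RunOnce rows in both behavioral runs and the two Startup-folder drops share one structure: a value named Parametr pointing at an executable in a newly created top-level directory, plus a copy of the dropper's payload in the per-user Startup folder. The script below is an added example, not part of this report or of the sandbox, that parses rows in the report's own "Set value" / "File created" format into normalized autostart entries and flags the ones worth hunting for. The row strings are copied from the signature tables of both runs; the TRUSTED_ROOTS list, the flag wording and the helper names are this example's own assumptions.

```python
"""Turn sandbox autostart rows into normalized, flagged IOC records.

Added example for this report (not sandbox or sample code). Row strings are
copied from the report; TRUSTED_ROOTS and the flag texts are assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Indicator columns copied from the behavioral1 and behavioral2 signature tables.
ROWS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeVR\\xoptiec.exe"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB6F\\bodxec.exe"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintT0\\bodxsys.exe"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotJ6\\devoptiec.exe"',
    r'File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe',
    r'File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe',
]

# Assumption: autostart targets under these roots are treated as expected software.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
STARTUP_MARKER = "\\start menu\\programs\\startup\\"

REG_ROW = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\\S+)\\(?P<run>Run|RunOnce)\\(?P<name>\S+) = "(?P<data>.*)"$'
)
FILE_ROW = re.compile(r'^File created (?P<path>.+)$')


@dataclass
class Autostart:
    kind: str                   # "registry" or "startup_folder"
    location: str               # normalized key path, or the Startup folder
    value_name: Optional[str]   # registry value name; None for folder drops
    target: str                 # executable that runs at the next logon
    flags: list = field(default_factory=list)


def normalize_key(raw: str) -> str:
    """Rewrite the kernel-style \\REGISTRY\\USER\\<SID>\\... prefix as HKU\\<SID>\\..."""
    upper = raw.upper()
    if upper.startswith("\\REGISTRY\\USER\\"):
        return "HKU\\" + raw[len("\\REGISTRY\\USER\\"):]
    if upper.startswith("\\REGISTRY\\MACHINE\\"):
        return "HKLM\\" + raw[len("\\REGISTRY\\MACHINE\\"):]
    return raw


def flags_for(target: str, run_key: Optional[str]) -> list:
    flags = []
    if not target.lower().startswith(TRUSTED_ROOTS):
        flags.append("target outside Windows/Program Files")
    if run_key == "RunOnce":
        flags.append("RunOnce: value is deleted after it runs, so check the key before the next logon")
    return flags


def parse_rows(rows):
    entries = []
    for row in rows:
        m = REG_ROW.match(row)
        if m:
            # The report escapes backslashes inside the quoted value data.
            target = m["data"].replace("\\\\", "\\")
            location = normalize_key(m["key"]) + "\\" + m["run"]
            entries.append(Autostart("registry", location, m["name"], target,
                                     flags_for(target, m["run"])))
            continue
        m = FILE_ROW.match(row)
        if m and STARTUP_MARKER in m["path"].lower():
            folder = m["path"].rsplit("\\", 1)[0]
            entries.append(Autostart("startup_folder", folder, None, m["path"],
                                     ["executable dropped in per-user Startup folder"]))
    return entries


def shared_value_names(entries):
    """Value names that recur across runs survive the renamed drop paths and make durable hunt terms."""
    names = [e.value_name for e in entries if e.value_name]
    return {n for n in names if names.count(n) > 1}


if __name__ == "__main__":
    parsed = parse_rows(ROWS)
    for e in parsed:
        print(e.kind, e.location, e.value_name, e.target, "; ".join(e.flags), sep=" | ")
    print("value names seen in more than one row:", shared_value_names(parsed))
```

Hunting on the value name Parametr and on executables in the Startup folder carries across both runs, whereas the directory and file names (AdobeVR, KaVB6F, UserDotJ6, MintT0, sysdevdob.exe, locxopti.exe) differed between them.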

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\UserDotJ6\devoptiec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6664c2b4793fd6a6fe46e9a4358b551b98cbaa988e42ff80ff4dccf6c71652ffN.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\6664c2b4793fd6a6fe46e9a4358b551b98cbaa988e42ff80ff4dccf6c71652ffN.exe N/A 4
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe N/A 30
N/A N/A C:\UserDotJ6\devoptiec.exe N/A 30
(Count: number of times the process triggered this signature during the run; the signature records no indicator text.)

Processes

C:\Users\Admin\AppData\Local\Temp\6664c2b4793fd6a6fe46e9a4358b551b98cbaa988e42ff80ff4dccf6c71652ffN.exe

"C:\Users\Admin\AppData\Local\Temp\6664c2b4793fd6a6fe46e9a4358b551b98cbaa988e42ff80ff4dccf6c71652ffN.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"

C:\UserDotJ6\devoptiec.exe

C:\UserDotJ6\devoptiec.exe

Network

All nine recorded flows are PTR (reverse DNS) queries sent to the public resolver 8.8.8.8. The report does not attribute them to a process and records no outbound connection by the sample or its dropped executables; the address each PTR name asks about is given in the last column.

Country Destination Domain Proto Address queried
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp 20.44.239.154
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp 199.232.210.172
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp 40.126.32.140
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp 192.229.221.95
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp 4.175.87.197
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp 20.3.187.198
US 8.8.8.8:53 69.209.201.84.in-addr.arpa udp 84.201.209.69
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp 93.184.221.240
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp 52.111.227.14

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe

MD5 851e07c78a7ce4502537a9d70d5589b1
SHA1 adaf3d3b146cbe9c70a0057ff4d6bdd16e115d72
SHA256 aa0ab3109739c9ddb325195ac92800aa72e8c0a236b1904094db3b656d257901
SHA512 ef7c12a1c7dcf69ec11d5fc19167672d4ac5667ffa7a32254e7e86947c03a131daf3c672b051c2d44d5cdcbbaaeefb255c347b07d6737218e9102385fe6f2d2b

C:\Users\Admin\253086396416_10.0_Admin.ini

MD5 4f74f283b716bd69e7d3d29dfc64fd48
SHA1 0e9ab656bdeb3894615c9f60f3d5d0a59f421ca3
SHA256 b9d266740c7d3b5c6d39e6187ca6609fecb5b1f0b0b056c28ae5df5ae24d8c66
SHA512 26aac9e3df045904daa4ae590f4500d45784b73478a4e2ddb32c954aa00a7d1590488a03ee9926da0c9b922d291dc19a1c9d08f0fcae0eac4a7326b682cb509c

C:\UserDotJ6\devoptiec.exe

MD5 0b3f97bd1d3f58c8cbd4c18840bdd73e
SHA1 2c4350cfe89924b1b93ea6302f0f7c01bdd6c56c
SHA256 414af5c0b280a502f70ca3452029069161b1e06ab191d6e6960a42e1f0f8a4dd
SHA512 2974e4f10224f839f6fd052313cda4ca47067c3d6990205117d9ffc0344f0f4585770d37cecea5c4dd6106416d3d72a97726587bc28b005d6b7f75443027f0eb

C:\UserDotJ6\devoptiec.exe

MD5 dc0e6f1a84e2c7c12fc716eb9030c8a4
SHA1 5cc2206705d7eb613729e5ed6c3b7bd495c0cd12
SHA256 aa99df64c13a406fd8f01cdae452d3d12cb76d3821a3eff01a060e3b15944ed2
SHA512 a99f148a285cd6b572310eb4141917b615dd57f4dcc1e56f9942ae75b8c2ffdae860267fae9a877a4a94dbf16ce29dc0017ca95ab3456c6ffa8eb468114c7e21

C:\MintT0\bodxsys.exe

MD5 e1497a96257006caa28d9c50361ca0e9
SHA1 c6a9707192a47a7b8dc5e3daaba59fde6d853689
SHA256 e864959d0aac81ac1a02f0a0749d0cfd71b8e006a6789819f72c649aac78ed48
SHA512 893c8a4e110b9cb3efc35368f90b57e7ee2b9dd7f132d787dcd3ca537bd6d794b545606eb662142e26aa7211cf94614611da746c2797fcd90ff2ea5bd6aaf177

C:\Users\Admin\253086396416_10.0_Admin.ini

MD5 17d9436f564aef253fe8e831a9156832
SHA1 a67299de03e0842cb77aefdab20bb5f8a91c76e4
SHA256 c5770df1d673d3d36977ad36d345b7a56ae26efd6b08221a154041adb6cc4fa4
SHA512 a0e9705af92c518a9e3885167e90c46b7da6ec33738ad445b72f76a5965844fb52aede2f19f019f42353d21db34b35ad2fd1b9965c7b655187b4b708484ee363

C:\MintT0\bodxsys.exe

MD5 196a3addf52a73e1a2eb99adc0ed2163
SHA1 0d5bf224e5db9029151778760116ef351510362d
SHA256 faf53b27747c764b966ca9ebf81208f8711ee4d5436266bc066520369a3c7136
SHA512 350670b16037df5f9b8d20264a366aef1a78142ba254435ffbe764b55ec0028ec90443864205bd2a1f7ad33c4cad87a590aa3530185b4024ab29f59a0c480854
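Two things stand out when the Files sections of the two runs are read side by side: several paths appear twice with different hashes (the file was rewritten during the run), and no file hash carries over between the Windows 7 and Windows 10 runs, while the .ini name prefix and the layout of the drop paths do. The script below is an added example, not part of this report, that makes that comparison from the (path, SHA256) pairs copied from both Files sections; the function names and the "executable directly under a new top-level directory" heuristic are its own assumptions.

```python
"""Compare dropped-file records across two sandbox runs to separate volatile from durable indicators.

Added example for this report (not sandbox or sample code). The (path, SHA256)
pairs are copied from the report's two Files sections; the function names and
the top-level-directory heuristic are assumptions of this example.
"""
import re

RUN1_WIN7 = [
    ("\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\sysdevdob.exe",
     "228204d6eff5fac80c026e3cddebe352edd33aaec2a47279805fe7f198581c89"),
    ("C:\\Users\\Admin\\253086396416_6.1_Admin.ini",
     "b2509ab34931061149e0569c6363608b019a8218b6de01d728a50689ef700df5"),
    ("C:\\AdobeVR\\xoptiec.exe",
     "f333b03ff48ba246eb27a47e4203a4938197333adceeeb04c7278fbc20779fa3"),
    ("C:\\KaVB6F\\bodxec.exe",
     "915e8eaf9b4727ed524a9fe50ed9a03d97d49886ab90bb3d9605feacb9f1dec3"),
    ("C:\\Users\\Admin\\253086396416_6.1_Admin.ini",
     "f0cc27e10c75fce16e6e1a47abc8d559cd97bf202bd2f74f584f06b8160bb443"),
    ("C:\\KaVB6F\\bodxec.exe",
     "d05c38f14d0ac21cff9c82bdc5061b764c7223ab560a27b3bd4b0a207c76bb34"),
]
RUN2_WIN10 = [
    ("C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\locxopti.exe",
     "aa0ab3109739c9ddb325195ac92800aa72e8c0a236b1904094db3b656d257901"),
    ("C:\\Users\\Admin\\253086396416_10.0_Admin.ini",
     "b9d266740c7d3b5c6d39e6187ca6609fecb5b1f0b0b056c28ae5df5ae24d8c66"),
    ("C:\\UserDotJ6\\devoptiec.exe",
     "414af5c0b280a502f70ca3452029069161b1e06ab191d6e6960a42e1f0f8a4dd"),
    ("C:\\UserDotJ6\\devoptiec.exe",
     "aa99df64c13a406fd8f01cdae452d3d12cb76d3821a3eff01a060e3b15944ed2"),
    ("C:\\MintT0\\bodxsys.exe",
     "e864959d0aac81ac1a02f0a0749d0cfd71b8e006a6789819f72c649aac78ed48"),
    ("C:\\Users\\Admin\\253086396416_10.0_Admin.ini",
     "c5770df1d673d3d36977ad36d345b7a56ae26efd6b08221a154041adb6cc4fa4"),
    ("C:\\MintT0\\bodxsys.exe",
     "faf53b27747c764b966ca9ebf81208f8711ee4d5436266bc066520369a3c7136"),
]

# <prefix>_<windows version>_<user>.ini, as seen in both runs.
INI_NAME = re.compile(r"^(?P<prefix>\d+)_(?P<osver>\d+\.\d+)_(?P<user>[^_]+)\.ini$")
# Assumption: an .exe sitting directly under a directory at the drive root, e.g. C:\AdobeVR\xoptiec.exe.
TOP_LEVEL_EXE = re.compile(r"^[A-Za-z]:\\[^\\]+\\[^\\]+\.exe$", re.IGNORECASE)


def versions(records):
    """Map each path to the distinct hashes captured for it, in report order."""
    seen = {}
    for path, sha256 in records:
        hashes = seen.setdefault(path, [])
        if sha256 not in hashes:
            hashes.append(sha256)
    return seen


def rewritten(records):
    """Paths whose content changed during the run (more than one captured hash)."""
    return sorted(p for p, hashes in versions(records).items() if len(hashes) > 1)


def shared_hashes(run_a, run_b):
    """Hashes present in both runs; empty means hash IOCs from one run miss the other."""
    return {h for _, h in run_a} & {h for _, h in run_b}


def ini_marker(path):
    """Split the <prefix>_<osver>_<user>.ini name; None for any other file."""
    m = INI_NAME.fullmatch(path.rsplit("\\", 1)[-1])
    return (m["prefix"], m["osver"], m["user"]) if m else None


def ini_prefixes(records):
    return {ini_marker(p)[0] for p, _ in records if ini_marker(p)}


def top_level_dir_exes(records):
    return sorted({p for p, _ in records if TOP_LEVEL_EXE.match(p)})


def hunt_summary(run_a, run_b):
    """What survives between runs (durable) versus what does not (volatile)."""
    return {
        "hashes_shared_between_runs": len(shared_hashes(run_a, run_b)),
        "ini_prefix_in_both_runs": ini_prefixes(run_a) & ini_prefixes(run_b),
        "rewritten_paths": rewritten(run_a) + rewritten(run_b),
        "top_level_dir_exes": top_level_dir_exes(run_a) + top_level_dir_exes(run_b),
    }


if __name__ == "__main__":
    for key, value in hunt_summary(RUN1_WIN7, RUN2_WIN10).items():
        print(f"{key}: {value}")
```

For this sample, file hashes are per-run artifacts and the .ini name, the drop-path layout and the Parametr value name are the parts of the picture that repeat; hunting rules should be built on the latter and the hashes kept only as confirmation of a specific detonation.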