Malware Analysis Report

2024-11-13 17:36

Sample ID 241110-b4ebrswlay
Target adf05c1265952207aa4e49d7117ac8dbb1e6298283564cc3132dc87fc84d5335
SHA256 adf05c1265952207aa4e49d7117ac8dbb1e6298283564cc3132dc87fc84d5335
Tags
discovery persistence spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

adf05c1265952207aa4e49d7117ac8dbb1e6298283564cc3132dc87fc84d5335

Threat Level: Shows suspicious behavior

The file adf05c1265952207aa4e49d7117ac8dbb1e6298283564cc3132dc87fc84d5335 was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery persistence spyware stealer

Executes dropped EXE

Loads dropped DLL

Drops startup file

Reads user/profile data of web browsers

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 01:41

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-10 01:41

Reported

2024-11-10 01:44

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\adf05c1265952207aa4e49d7117ac8dbb1e6298283564cc3132dc87fc84d5335.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe C:\Users\Admin\AppData\Local\Temp\adf05c1265952207aa4e49d7117ac8dbb1e6298283564cc3132dc87fc84d5335.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe N/A
N/A N/A C:\FilesZT\devdobloc.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesZT\\devdobloc.exe" C:\Users\Admin\AppData\Local\Temp\adf05c1265952207aa4e49d7117ac8dbb1e6298283564cc3132dc87fc84d5335.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidPS\\bodxsys.exe" C:\Users\Admin\AppData\Local\Temp\adf05c1265952207aa4e49d7117ac8dbb1e6298283564cc3132dc87fc84d5335.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\adf05c1265952207aa4e49d7117ac8dbb1e6298283564cc3132dc87fc84d5335.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\FilesZT\devdobloc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\adf05c1265952207aa4e49d7117ac8dbb1e6298283564cc3132dc87fc84d5335.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\adf05c1265952207aa4e49d7117ac8dbb1e6298283564cc3132dc87fc84d5335.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\adf05c1265952207aa4e49d7117ac8dbb1e6298283564cc3132dc87fc84d5335.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\adf05c1265952207aa4e49d7117ac8dbb1e6298283564cc3132dc87fc84d5335.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe N/A
N/A N/A C:\FilesZT\devdobloc.exe N/A
N/A N/A C:\FilesZT\devdobloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe N/A
N/A N/A C:\FilesZT\devdobloc.exe N/A
N/A N/A C:\FilesZT\devdobloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe N/A
N/A N/A C:\FilesZT\devdobloc.exe N/A
N/A N/A C:\FilesZT\devdobloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe N/A
N/A N/A C:\FilesZT\devdobloc.exe N/A
N/A N/A C:\FilesZT\devdobloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe N/A
N/A N/A C:\FilesZT\devdobloc.exe N/A
N/A N/A C:\FilesZT\devdobloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe N/A
N/A N/A C:\FilesZT\devdobloc.exe N/A
N/A N/A C:\FilesZT\devdobloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe N/A
N/A N/A C:\FilesZT\devdobloc.exe N/A
N/A N/A C:\FilesZT\devdobloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe N/A
N/A N/A C:\FilesZT\devdobloc.exe N/A
N/A N/A C:\FilesZT\devdobloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe N/A
N/A N/A C:\FilesZT\devdobloc.exe N/A
N/A N/A C:\FilesZT\devdobloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe N/A
N/A N/A C:\FilesZT\devdobloc.exe N/A
N/A N/A C:\FilesZT\devdobloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe N/A
N/A N/A C:\FilesZT\devdobloc.exe N/A
N/A N/A C:\FilesZT\devdobloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe N/A
N/A N/A C:\FilesZT\devdobloc.exe N/A
N/A N/A C:\FilesZT\devdobloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe N/A
N/A N/A C:\FilesZT\devdobloc.exe N/A
N/A N/A C:\FilesZT\devdobloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe N/A
N/A N/A C:\FilesZT\devdobloc.exe N/A
N/A N/A C:\FilesZT\devdobloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe N/A
N/A N/A C:\FilesZT\devdobloc.exe N/A
N/A N/A C:\FilesZT\devdobloc.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\adf05c1265952207aa4e49d7117ac8dbb1e6298283564cc3132dc87fc84d5335.exe

"C:\Users\Admin\AppData\Local\Temp\adf05c1265952207aa4e49d7117ac8dbb1e6298283564cc3132dc87fc84d5335.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"

C:\FilesZT\devdobloc.exe

C:\FilesZT\devdobloc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe

MD5 db58bb8b79ec2ffe155c028bb74dca1a
SHA1 2098e7f0b41a47683123fcd4ad6a5b5cfecb01ee
SHA256 08c39f4db71c32abb28dc8240ff7505f6a5216f89218561ba2a2308b32e7d2d3
SHA512 87ddd1f7ee93e4d111dff67050d545d898dc23fda816af8630c42971c34d9423d98a6db7393e681d123f59cb927e4f1f873e443f00ced9d853ecc1e145a5f142

C:\Users\Admin\253086396416_10.0_Admin.ini

MD5 bf2d491e5b383a49ffaba18d2f9877a2
SHA1 fc843b4bfe9ef71e9d34cdd1fd869b37b88096ad
SHA256 131bed842082962b2532dc0738d11e3d3fff246080528a309072fe496809b54f
SHA512 2f554dfdece11efc9be1a5e6528991e8af4b3d821188dd3d1cddad2a8970ca79377c3c8657574752d88105c9738ee72a1707d4bc0803ef65e06776851a78bdd4

C:\FilesZT\devdobloc.exe

MD5 0aab4cc7a0f4b5f1e7eea38f4b0afaa9
SHA1 c3bba314ead38fa9c2df18ec9530235eb5b34d63
SHA256 334fc87481958a81795c1db2656027f94a618348ff02c5e3f1e3fcaa2730ec30
SHA512 141d11bff3f7b8d1dca219fea0897ebc32cc957a9fc1c19f3c715f39b49255e8dcd681c47cce504f5a3668a04ca6f23fa5e16e1acf41a3ac73e960f2b1c57089

C:\VidPS\bodxsys.exe

MD5 2875d101598bb9601397f40462f2ccc6
SHA1 ce1bbc2ad56c4a756bc891d7e962ab8d5961f0ae
SHA256 fbbaadda49a958eff1dd08d9e2202c027b9d05242c8a626a7bfd88c18c552193
SHA512 4bd01f6f044c1c4f80550f56005a50d251d89e1c83efe638b58f7a344bfa40329b64763f9b40c62639863d3d24c55f8e7e80117db42c0c5504d1564fc37b8002

C:\Users\Admin\253086396416_10.0_Admin.ini

MD5 9651d41196231bf96964db49aaab1c09
SHA1 c7c14f6c8c2873cc05e64806d51ab1d67c2d0583
SHA256 51d21e9ce1580a6cf3b104ba6982de60e1491ab753caab999ca5717d9db29fcd
SHA512 9efca22809bef33fe60e55b49647cb172ca5c07e0878544e7b86ee988e1b200d9387d9c7894c56622833b4158961d0ac954fa4aeca8803ba2c60050d88ae113f

C:\VidPS\bodxsys.exe

MD5 323aff53b53546ecf54cd68758600a53
SHA1 3999f46d3060eb15ca5000d7cffe5f04c067b544
SHA256 5f6f1d46fa3519dd8b078c3f89471f06c08c6445180fe9911afa4bc32f91df3c
SHA512 7370bee0b605f749b12f7fe011190b02b38d91d968b94bf3d704888283483e5652e64ac0f1f30da98877ba4ea74b555fec157e4c0bb730b4f3324aa53a6ef0d2

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 01:41

Reported

2024-11-10 01:44

Platform

win7-20240903-en

Max time kernel

150s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\adf05c1265952207aa4e49d7117ac8dbb1e6298283564cc3132dc87fc84d5335.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe C:\Users\Admin\AppData\Local\Temp\adf05c1265952207aa4e49d7117ac8dbb1e6298283564cc3132dc87fc84d5335.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe N/A
N/A N/A C:\SysDrv5I\devoptiec.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv5I\\devoptiec.exe" C:\Users\Admin\AppData\Local\Temp\adf05c1265952207aa4e49d7117ac8dbb1e6298283564cc3132dc87fc84d5335.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidRZ\\bodxloc.exe" C:\Users\Admin\AppData\Local\Temp\adf05c1265952207aa4e49d7117ac8dbb1e6298283564cc3132dc87fc84d5335.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\SysDrv5I\devoptiec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\adf05c1265952207aa4e49d7117ac8dbb1e6298283564cc3132dc87fc84d5335.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\adf05c1265952207aa4e49d7117ac8dbb1e6298283564cc3132dc87fc84d5335.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\adf05c1265952207aa4e49d7117ac8dbb1e6298283564cc3132dc87fc84d5335.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe N/A
N/A N/A C:\SysDrv5I\devoptiec.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe N/A
N/A N/A C:\SysDrv5I\devoptiec.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe N/A
N/A N/A C:\SysDrv5I\devoptiec.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe N/A
N/A N/A C:\SysDrv5I\devoptiec.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe N/A
N/A N/A C:\SysDrv5I\devoptiec.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe N/A
N/A N/A C:\SysDrv5I\devoptiec.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe N/A
N/A N/A C:\SysDrv5I\devoptiec.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe N/A
N/A N/A C:\SysDrv5I\devoptiec.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe N/A
N/A N/A C:\SysDrv5I\devoptiec.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe N/A
N/A N/A C:\SysDrv5I\devoptiec.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe N/A
N/A N/A C:\SysDrv5I\devoptiec.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe N/A
N/A N/A C:\SysDrv5I\devoptiec.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe N/A
N/A N/A C:\SysDrv5I\devoptiec.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe N/A
N/A N/A C:\SysDrv5I\devoptiec.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe N/A
N/A N/A C:\SysDrv5I\devoptiec.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe N/A
N/A N/A C:\SysDrv5I\devoptiec.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe N/A
N/A N/A C:\SysDrv5I\devoptiec.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe N/A
N/A N/A C:\SysDrv5I\devoptiec.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe N/A
N/A N/A C:\SysDrv5I\devoptiec.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe N/A
N/A N/A C:\SysDrv5I\devoptiec.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe N/A
N/A N/A C:\SysDrv5I\devoptiec.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe N/A
N/A N/A C:\SysDrv5I\devoptiec.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe N/A
N/A N/A C:\SysDrv5I\devoptiec.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe N/A
N/A N/A C:\SysDrv5I\devoptiec.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe N/A
N/A N/A C:\SysDrv5I\devoptiec.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe N/A
N/A N/A C:\SysDrv5I\devoptiec.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe N/A
N/A N/A C:\SysDrv5I\devoptiec.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe N/A
N/A N/A C:\SysDrv5I\devoptiec.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe N/A
N/A N/A C:\SysDrv5I\devoptiec.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe N/A
N/A N/A C:\SysDrv5I\devoptiec.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe N/A
N/A N/A C:\SysDrv5I\devoptiec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2756 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\adf05c1265952207aa4e49d7117ac8dbb1e6298283564cc3132dc87fc84d5335.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
PID 2756 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\adf05c1265952207aa4e49d7117ac8dbb1e6298283564cc3132dc87fc84d5335.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
PID 2756 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\adf05c1265952207aa4e49d7117ac8dbb1e6298283564cc3132dc87fc84d5335.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
PID 2756 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\adf05c1265952207aa4e49d7117ac8dbb1e6298283564cc3132dc87fc84d5335.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
PID 2756 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\adf05c1265952207aa4e49d7117ac8dbb1e6298283564cc3132dc87fc84d5335.exe C:\SysDrv5I\devoptiec.exe
PID 2756 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\adf05c1265952207aa4e49d7117ac8dbb1e6298283564cc3132dc87fc84d5335.exe C:\SysDrv5I\devoptiec.exe
PID 2756 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\adf05c1265952207aa4e49d7117ac8dbb1e6298283564cc3132dc87fc84d5335.exe C:\SysDrv5I\devoptiec.exe
PID 2756 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\adf05c1265952207aa4e49d7117ac8dbb1e6298283564cc3132dc87fc84d5335.exe C:\SysDrv5I\devoptiec.exe

Processes

C:\Users\Admin\AppData\Local\Temp\adf05c1265952207aa4e49d7117ac8dbb1e6298283564cc3132dc87fc84d5335.exe

"C:\Users\Admin\AppData\Local\Temp\adf05c1265952207aa4e49d7117ac8dbb1e6298283564cc3132dc87fc84d5335.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"

C:\SysDrv5I\devoptiec.exe

C:\SysDrv5I\devoptiec.exe

Network

N/A

Files

\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe

MD5 9a3c868a49c2dc4f6c610e710fca6833
SHA1 f27bec7cb945da454421e6e764244f7daae54f78
SHA256 4a7d7b808f1fdd6a25c2e2885cfc2fd7fdcf1adc79ba15c35a1f26a96c1c8ddf
SHA512 79117f659f1b229cbefff646025f775636d49d0e67b0d1f544e8c773ba70bd40116129aebfd6470d73d8262a895594836459209d479fcd1b9d54b879db5b1b59

C:\Users\Admin\253086396416_6.1_Admin.ini

MD5 7021160d1d1850a1df1ce6339fc1785b
SHA1 2a848deb9736fc61c4f80683615b83b8d3d70b56
SHA256 501fd2364f86f73c72b8d3a688cc05471be4680e1ac98de0606d7e273f716e8c
SHA512 87ca3a59e27fdc5fdcb82ef9473ceb61863aa653612d4a0a2e86d9375f88c09baa7a81675faad74374d935f610a54ec22cc95d88b4f3c28493c4fe1a7284f7ef

C:\SysDrv5I\devoptiec.exe

MD5 16a4bb0fc3d5c44be3028068af1ea1ef
SHA1 3525da0805ed7773dfef437f24482b727389e9db
SHA256 cab09a5b3c3d84c5b8a2e11a35c3fcb95b6436b3dff8502d6b224492feb4c94d
SHA512 b487b3eb68c80afed0c6cdc0573c466508b36730b7cb654a78fd17c162030a3e5fc360589888ecede135747d71fa86eb3f8f59425aa66780d4645629b11efe9b

C:\VidRZ\bodxloc.exe

MD5 4b15a8dc60fb28ba194308947f8d0bdf
SHA1 addcf6f0cc5dc9577f5354dd3efdf91843caddb2
SHA256 eeda459c0f86c4f2c639edc7bc26cc6dc4f508b51063a31d85ac8a6f6e64b152
SHA512 35c0dcc269feb3a6378ec13dde959d0dbc121e4ec5236b5910536beee95f1128b58b5d7711ee4f05359371d8097a799e57a11fa6b9dbb26c543666dffd669e7e

\SysDrv5I\devoptiec.exe

MD5 e6506fff8a5b71e4f18698f6a66be1d1
SHA1 9de54cf31065efc84e50a43c82a04ee3220f88aa
SHA256 768f37a2372d4198d2e0efd4f779058de772a1dd707d75b3a0915860c74c81aa
SHA512 09e8f034197d6c5c7479a8df2bfdb1cb31c1d5df75910cb01373228457089d5710a87fca4242cc1a672e9b81de6ad87b044e5fb26319fad482f18e5297fca277

C:\Users\Admin\253086396416_6.1_Admin.ini

MD5 46ab6e41f27ca2a473f361a394b6178f
SHA1 fe90af481aa021b2624e4ea4ebcd80f3c36c138e
SHA256 25887acb50746a08253cb111854b2dd0152fa92fad085d30c7d9c4ec51c47332
SHA512 d43d4b508f7e6cf696ded3f8e46a54e44ae359d574edf5a5c43191d8553757b082c743165f8554b414e187cbcb59fe745b3a998b658d803f9efff7ee950f7646

C:\VidRZ\bodxloc.exe

MD5 0d3beabd837f3aef510839ed6d446a61
SHA1 f210c1cabd85693033210b8bb5142b271dd32e2f
SHA256 bc2a0eac38af86e2a40b63870a7b43c32821a44f7020b0de846343e95f601cf5
SHA512 bb36d1275372c134f29d6ae1c322408757dfa25ecc0ea64994d10d07c2830f576a1befeff5fa8b5f4cf8c41fdd1863de120bb728704fbe8f411f255dcbbe298c