Malware Analysis Report

2024-12-07 03:07

Sample ID 241113-s8783stra1
Target 0226ba48f062813ff523f1a75979d1edf7d04240f9391929b088186b4ad66d6f.exe
SHA256 0226ba48f062813ff523f1a75979d1edf7d04240f9391929b088186b4ad66d6f
Tags
discovery persistence spyware stealer
score
7/10


Analysis Overview

score
7/10

SHA256

0226ba48f062813ff523f1a75979d1edf7d04240f9391929b088186b4ad66d6f

Threat Level: Shows suspicious behavior

The file 0226ba48f062813ff523f1a75979d1edf7d04240f9391929b088186b4ad66d6f.exe was found to show suspicious behavior.

Malicious Activity Summary

discovery persistence spyware stealer

Drops startup file

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 15:48

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 15:48

Reported

2024-11-13 15:50

Platform

win7-20241010-en

Max time kernel

120s

Max time network

18s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0226ba48f062813ff523f1a75979d1edf7d04240f9391929b088186b4ad66d6f.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe C:\Users\Admin\AppData\Local\Temp\0226ba48f062813ff523f1a75979d1edf7d04240f9391929b088186b4ad66d6f.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe N/A
N/A N/A C:\UserDotUL\xoptisys.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotUL\\xoptisys.exe" C:\Users\Admin\AppData\Local\Temp\0226ba48f062813ff523f1a75979d1edf7d04240f9391929b088186b4ad66d6f.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintMU\\boddevloc.exe" C:\Users\Admin\AppData\Local\Temp\0226ba48f062813ff523f1a75979d1edf7d04240f9391929b088186b4ad66d6f.exe N/A

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\UserDotUL\xoptisys.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0226ba48f062813ff523f1a75979d1edf7d04240f9391929b088186b4ad66d6f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0226ba48f062813ff523f1a75979d1edf7d04240f9391929b088186b4ad66d6f.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe N/A
N/A N/A C:\UserDotUL\xoptisys.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 392 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\0226ba48f062813ff523f1a75979d1edf7d04240f9391929b088186b4ad66d6f.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
PID 392 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\0226ba48f062813ff523f1a75979d1edf7d04240f9391929b088186b4ad66d6f.exe C:\UserDotUL\xoptisys.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0226ba48f062813ff523f1a75979d1edf7d04240f9391929b088186b4ad66d6f.exe

"C:\Users\Admin\AppData\Local\Temp\0226ba48f062813ff523f1a75979d1edf7d04240f9391929b088186b4ad66d6f.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe"

C:\UserDotUL\xoptisys.exe

C:\UserDotUL\xoptisys.exe

Network

N/A

Files

\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe

MD5 b90ee29a13f0427dd87ff963f9762d69
SHA1 d15a78e043e723ad6e42e3d2454a8b54676e2ace
SHA256 4f2c5680664c8ee09424a27221628e06543f2553596a44ab686868d496fba168
SHA512 6e343749af5e228e5aec367510a5ce7fa0fc46d34be42019c0b8821e3b992316e2d62ef13943046bd83e860c236a1621354b3196ec7cdddc5ba4d2224c49f879

C:\Users\Admin\253086396416_6.1_Admin.ini

MD5 80c2b74db4c83c5e42a77b6fdfd0cabf
SHA1 9fe3b968e7e334640d5e2b9897649ef921537713
SHA256 62acbcb5f6b3d26fc58299788c51bfd1afea998a63350937bcc78d227fcd5a73
SHA512 d0ae42e9d39695dabbe3362de85a9140a3c73cc86623f1ba148e1fb00dacbe611e2d5ace1a47ba3b6b5392485683c896fcf4edb151c10f0dd24c6ea092d2a643

C:\UserDotUL\xoptisys.exe

MD5 56e518b1ac56f00f6d5f83055b2feb93
SHA1 2055557e9008066985053f4443bd3f06b6e5a76e
SHA256 0587a1063c4a78886206e0f2815ccc32f46fda46b0e981ce8f3a8ec9bef43ad5
SHA512 ace99bfc0dbfb735e970c564111ba99b5dc731d789aac2a5dd552a196111bf1ce2025363ade548c92d0a31c40b0db83cbb95bbf6240edc5647c245f0998c4de8

C:\MintMU\boddevloc.exe

MD5 0625098fd2bf940892a5af3d1aae37e0
SHA1 a52aaa3c8c8860099f4f9c7be3a8ceb46414c759
SHA256 33355aa6f09ce46eabca453b89ead57b18b3f747259675e4f283082e3925dd48
SHA512 828181836385e2939e50d27cca8e8fcbae5da913d3626717d7a3acd96565d256d7626482e93e6d54721571ce61df395de9a0933f6a68455f6ee281f25adffdde

C:\Users\Admin\253086396416_6.1_Admin.ini

MD5 673096c11b43900d1ded9e153d323fb8
SHA1 92b8bae7c13805a98bf261570036fd546c0ab7dd
SHA256 c57321f66c3b6506b2b8a4f1a77cbc1bb48fba4577f64a6177e0af93cd3d3abd
SHA512 b729fe17c264b9cdbf7849e4a119b014de0c3f3779248be1497efdf613775cd67e42dfa0ddff0db62be1d95328ffaf86b479d1d02326ef87f739048a0b035d16

C:\MintMU\boddevloc.exe

MD5 660523679cd4ff8d197455e7d374a8db
SHA1 49fde3fae7d6b2e272ff389ecf80f16124f327be
SHA256 d72cccd190f69996f043e091e777e584424a28d28015f72ec76e4dfb9860b671
SHA512 d254b6ebf259d337b89eaee333fb9b214440f74b740fde3bbd09b0fc38aff35213f9c69c88a3e93e9ebc267fc7ef8eb8c6f2a8f66c39a1cc3e5a9bb413e6de29

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 15:48

Reported

2024-11-13 15:50

Platform

win10v2004-20241007-en

Max time kernel

119s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0226ba48f062813ff523f1a75979d1edf7d04240f9391929b088186b4ad66d6f.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe C:\Users\Admin\AppData\Local\Temp\0226ba48f062813ff523f1a75979d1edf7d04240f9391929b088186b4ad66d6f.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe N/A
N/A N/A C:\UserDotEC\xoptisys.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotEC\\xoptisys.exe" C:\Users\Admin\AppData\Local\Temp\0226ba48f062813ff523f1a75979d1edf7d04240f9391929b088186b4ad66d6f.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidEI\\dobxloc.exe" C:\Users\Admin\AppData\Local\Temp\0226ba48f062813ff523f1a75979d1edf7d04240f9391929b088186b4ad66d6f.exe N/A

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0226ba48f062813ff523f1a75979d1edf7d04240f9391929b088186b4ad66d6f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\UserDotEC\xoptisys.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0226ba48f062813ff523f1a75979d1edf7d04240f9391929b088186b4ad66d6f.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe N/A
N/A N/A C:\UserDotEC\xoptisys.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0226ba48f062813ff523f1a75979d1edf7d04240f9391929b088186b4ad66d6f.exe

"C:\Users\Admin\AppData\Local\Temp\0226ba48f062813ff523f1a75979d1edf7d04240f9391929b088186b4ad66d6f.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"

C:\UserDotEC\xoptisys.exe

C:\UserDotEC\xoptisys.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 232.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 106.208.201.84.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe

MD5 a97c9d7cdc7740fdb4e58ff799ce63be
SHA1 f052d54f1b9c37906e7e6119592bcb7effa0ae53
SHA256 889c1b0dc2ff9585ce1f13a1efe95bf94268f49229410114fbb1b4e72572e6c3
SHA512 c0f55553a9b027aee186892689e12d29dd353c9a4bf83516955d9403d1a722053e2afff345f060ae249361cbc5577f5571dcc42da94b432dc2f312adfed68d9a

C:\Users\Admin\253086396416_10.0_Admin.ini

MD5 5eac93af2391656476555b471257a3e4
SHA1 30e9d3044cf06f093f5fd42c83ded4d73b27fd60
SHA256 4883bc39e8a3a4e9758a6c8a54e4bb92b86cd92fa21c9688a1ac8c5a0baac62d
SHA512 b9c605e5781e6689526831eff026739f4089c234a92731fc17d6aa730e097d2fac2c1955caa6544a55ecf9ee4cd98a1cacc91802c171380a99239979f2bb430a

C:\UserDotEC\xoptisys.exe

MD5 fae25ba94289d160769562b6f8203e42
SHA1 4e6ec792ed4d176aff9f9366319d67ed457dad10
SHA256 a9e5c7cfd1d31b8970cf82e67062fd538e3c3959faf7c0ce698d2e842cd3eab8
SHA512 68a85bedaafc75daf2bbb0aa358fe011cb5b0c662ca49246ad84c912792ce7d762fc6274084a66ca915a99f16135e9066bf8a1b1fbe0ac46610572ddbee4c5b0

C:\VidEI\dobxloc.exe

MD5 d6dcbef3a4da0afc683538a562a484db
SHA1 76f3d4c0edf855b403e4b5237f6e518bba0f3e06
SHA256 2e6f2f08c6c3373ced8df921d9aed2a274013c6623c37951fed08a9f6f4706e5
SHA512 67a56cd20a91cb7541532aeef25640005cb175129945abbe716eb87a349e646e95169587712646ffc6c24abcbe37d55920d35b367ca0ceb79f598d7c38449239

C:\Users\Admin\253086396416_10.0_Admin.ini

MD5 0badad533bce83e09048a30bc263d545
SHA1 a0c019d0681aa5e0b5f395366d3eb8ca97a315ae
SHA256 fe8bf0903ae1b959f84096ad0afd527a4253a8198442e58c2b232871563a5677
SHA512 14a22e6e1eb3102fdf7f500f0cd6d1d563a09d3f3381da6238cef3ad799d127a201ac986fb52a90f373cbbf20c4f89097c33c7579b7f9aa2af89934e395cee76

C:\VidEI\dobxloc.exe

MD5 15b5f5d5d85ddad76ca13a3714ca528c
SHA1 918d1c4221cf4e11178be6dce3906eea059809aa
SHA256 08a0d8c5370b2a09d69da75f3ebb4ba2ce5515ceaa5a3e68bd43d92f7ace9f7f
SHA512 6d71690fc7acadac62491b89f9d5d9b8f403c5c028b10329d7ce98f37f28c53df2de39ee2b4d3fc73dbcfe65a697ba25f48e6185157d086e32b86a426f562497