Malware Analysis Report

2024-12-07 03:12

Sample ID: 241113-sca9gathpl
Target: 7f92eb0b9942f79a463a7e756ff19e1611bcc5a5871054a3424e7993fe4e2a53.exe
SHA256: 7f92eb0b9942f79a463a7e756ff19e1611bcc5a5871054a3424e7993fe4e2a53
Tags: discovery, persistence, spyware, stealer
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 7/10

SHA256: 7f92eb0b9942f79a463a7e756ff19e1611bcc5a5871054a3424e7993fe4e2a53

Threat Level: Shows suspicious behavior

The file 7f92eb0b9942f79a463a7e756ff19e1611bcc5a5871054a3424e7993fe4e2a53.exe was found to show suspicious behavior.

Malicious Activity Summary

Tags: discovery, persistence, spyware, stealer

Executes dropped EXE

Reads user/profile data of web browsers

Drops startup file

Loads dropped DLL

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-13 14:58

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-13 14:58
Reported: 2024-11-13 15:00
Platform: win7-20240903-en
Max time kernel: 119s
Max time network: 17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7f92eb0b9942f79a463a7e756ff19e1611bcc5a5871054a3424e7993fe4e2a53.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe C:\Users\Admin\AppData\Local\Temp\7f92eb0b9942f79a463a7e756ff19e1611bcc5a5871054a3424e7993fe4e2a53.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe N/A
N/A N/A C:\IntelprocLC\devoptiloc.exe N/A

Reads user/profile data of web browsers

Tags: spyware, stealer

Adds Run key to start application

Tags: persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocLC\\devoptiloc.exe" C:\Users\Admin\AppData\Local\Temp\7f92eb0b9942f79a463a7e756ff19e1611bcc5a5871054a3424e7993fe4e2a53.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint2P\\dobaec.exe" C:\Users\Admin\AppData\Local\Temp\7f92eb0b9942f79a463a7e756ff19e1611bcc5a5871054a3424e7993fe4e2a53.exe N/A

System Location Discovery: System Language Discovery

Tags: discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\IntelprocLC\devoptiloc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7f92eb0b9942f79a463a7e756ff19e1611bcc5a5871054a3424e7993fe4e2a53.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f92eb0b9942f79a463a7e756ff19e1611bcc5a5871054a3424e7993fe4e2a53.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe N/A
N/A N/A C:\IntelprocLC\devoptiloc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2336 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\7f92eb0b9942f79a463a7e756ff19e1611bcc5a5871054a3424e7993fe4e2a53.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
PID 2336 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\7f92eb0b9942f79a463a7e756ff19e1611bcc5a5871054a3424e7993fe4e2a53.exe C:\IntelprocLC\devoptiloc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7f92eb0b9942f79a463a7e756ff19e1611bcc5a5871054a3424e7993fe4e2a53.exe

"C:\Users\Admin\AppData\Local\Temp\7f92eb0b9942f79a463a7e756ff19e1611bcc5a5871054a3424e7993fe4e2a53.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"

C:\IntelprocLC\devoptiloc.exe

C:\IntelprocLC\devoptiloc.exe

Network

N/A

Files

\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe

C:\Users\Admin\253086396416_6.1_Admin.ini

C:\IntelprocLC\devoptiloc.exe

C:\Mint2P\dobaec.exe

C:\Users\Admin\253086396416_6.1_Admin.ini

C:\Mint2P\dobaec.exe

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-13 14:58
Reported: 2024-11-13 15:00
Platform: win10v2004-20241007-en
Max time kernel: 120s
Max time network: 96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7f92eb0b9942f79a463a7e756ff19e1611bcc5a5871054a3424e7993fe4e2a53.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe C:\Users\Admin\AppData\Local\Temp\7f92eb0b9942f79a463a7e756ff19e1611bcc5a5871054a3424e7993fe4e2a53.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe N/A
N/A N/A C:\Intelproc88\xbodsys.exe N/A

Reads user/profile data of web browsers

Tags: spyware, stealer

Adds Run key to start application

Tags: persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc88\\xbodsys.exe" C:\Users\Admin\AppData\Local\Temp\7f92eb0b9942f79a463a7e756ff19e1611bcc5a5871054a3424e7993fe4e2a53.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintYY\\bodxec.exe" C:\Users\Admin\AppData\Local\Temp\7f92eb0b9942f79a463a7e756ff19e1611bcc5a5871054a3424e7993fe4e2a53.exe N/A

System Location Discovery: System Language Discovery

Tags: discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7f92eb0b9942f79a463a7e756ff19e1611bcc5a5871054a3424e7993fe4e2a53.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Intelproc88\xbodsys.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f92eb0b9942f79a463a7e756ff19e1611bcc5a5871054a3424e7993fe4e2a53.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe N/A
N/A N/A C:\Intelproc88\xbodsys.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7f92eb0b9942f79a463a7e756ff19e1611bcc5a5871054a3424e7993fe4e2a53.exe

"C:\Users\Admin\AppData\Local\Temp\7f92eb0b9942f79a463a7e756ff19e1611bcc5a5871054a3424e7993fe4e2a53.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"

C:\Intelproc88\xbodsys.exe

C:\Intelproc88\xbodsys.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe

C:\Users\Admin\253086396416_10.0_Admin.ini

C:\Intelproc88\xbodsys.exe

C:\Intelproc88\xbodsys.exe

C:\MintYY\bodxec.exe

C:\Users\Admin\253086396416_10.0_Admin.ini

C:\MintYY\bodxec.exe
