Malware Analysis Report

2024-12-07 03:07

Sample ID 241113-te6zlavdnh
Target c600961f93cf3e340f0d09d725c0b5f707c0b6d7332581dbd7b0eb041fde1f55.exe
SHA256 c600961f93cf3e340f0d09d725c0b5f707c0b6d7332581dbd7b0eb041fde1f55
Tags
discovery persistence spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

c600961f93cf3e340f0d09d725c0b5f707c0b6d7332581dbd7b0eb041fde1f55

Threat Level: Shows suspicious behavior

The file c600961f93cf3e340f0d09d725c0b5f707c0b6d7332581dbd7b0eb041fde1f55.exe was found to show suspicious behavior.

Malicious Activity Summary

discovery persistence spyware stealer

Reads user/profile data of web browsers

Drops startup file

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 15:59

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 15:59

Reported

2024-11-13 16:01

Platform

win7-20240903-en

Max time kernel

119s

Max time network

16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c600961f93cf3e340f0d09d725c0b5f707c0b6d7332581dbd7b0eb041fde1f55.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe C:\Users\Admin\AppData\Local\Temp\c600961f93cf3e340f0d09d725c0b5f707c0b6d7332581dbd7b0eb041fde1f55.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe N/A
N/A N/A C:\IntelprocG4\devbodsys.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocG4\\devbodsys.exe" C:\Users\Admin\AppData\Local\Temp\c600961f93cf3e340f0d09d725c0b5f707c0b6d7332581dbd7b0eb041fde1f55.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidNE\\boddevsys.exe" C:\Users\Admin\AppData\Local\Temp\c600961f93cf3e340f0d09d725c0b5f707c0b6d7332581dbd7b0eb041fde1f55.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c600961f93cf3e340f0d09d725c0b5f707c0b6d7332581dbd7b0eb041fde1f55.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\IntelprocG4\devbodsys.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c600961f93cf3e340f0d09d725c0b5f707c0b6d7332581dbd7b0eb041fde1f55.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c600961f93cf3e340f0d09d725c0b5f707c0b6d7332581dbd7b0eb041fde1f55.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe N/A
N/A N/A C:\IntelprocG4\devbodsys.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe N/A
N/A N/A C:\IntelprocG4\devbodsys.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe N/A
N/A N/A C:\IntelprocG4\devbodsys.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe N/A
N/A N/A C:\IntelprocG4\devbodsys.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe N/A
N/A N/A C:\IntelprocG4\devbodsys.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe N/A
N/A N/A C:\IntelprocG4\devbodsys.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe N/A
N/A N/A C:\IntelprocG4\devbodsys.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe N/A
N/A N/A C:\IntelprocG4\devbodsys.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe N/A
N/A N/A C:\IntelprocG4\devbodsys.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe N/A
N/A N/A C:\IntelprocG4\devbodsys.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe N/A
N/A N/A C:\IntelprocG4\devbodsys.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe N/A
N/A N/A C:\IntelprocG4\devbodsys.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe N/A
N/A N/A C:\IntelprocG4\devbodsys.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe N/A
N/A N/A C:\IntelprocG4\devbodsys.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe N/A
N/A N/A C:\IntelprocG4\devbodsys.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe N/A
N/A N/A C:\IntelprocG4\devbodsys.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe N/A
N/A N/A C:\IntelprocG4\devbodsys.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe N/A
N/A N/A C:\IntelprocG4\devbodsys.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe N/A
N/A N/A C:\IntelprocG4\devbodsys.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe N/A
N/A N/A C:\IntelprocG4\devbodsys.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe N/A
N/A N/A C:\IntelprocG4\devbodsys.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe N/A
N/A N/A C:\IntelprocG4\devbodsys.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe N/A
N/A N/A C:\IntelprocG4\devbodsys.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe N/A
N/A N/A C:\IntelprocG4\devbodsys.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe N/A
N/A N/A C:\IntelprocG4\devbodsys.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe N/A
N/A N/A C:\IntelprocG4\devbodsys.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe N/A
N/A N/A C:\IntelprocG4\devbodsys.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe N/A
N/A N/A C:\IntelprocG4\devbodsys.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe N/A
N/A N/A C:\IntelprocG4\devbodsys.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe N/A
N/A N/A C:\IntelprocG4\devbodsys.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe N/A
N/A N/A C:\IntelprocG4\devbodsys.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2668 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\c600961f93cf3e340f0d09d725c0b5f707c0b6d7332581dbd7b0eb041fde1f55.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
PID 2668 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\c600961f93cf3e340f0d09d725c0b5f707c0b6d7332581dbd7b0eb041fde1f55.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
PID 2668 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\c600961f93cf3e340f0d09d725c0b5f707c0b6d7332581dbd7b0eb041fde1f55.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
PID 2668 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\c600961f93cf3e340f0d09d725c0b5f707c0b6d7332581dbd7b0eb041fde1f55.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
PID 2668 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\c600961f93cf3e340f0d09d725c0b5f707c0b6d7332581dbd7b0eb041fde1f55.exe C:\IntelprocG4\devbodsys.exe
PID 2668 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\c600961f93cf3e340f0d09d725c0b5f707c0b6d7332581dbd7b0eb041fde1f55.exe C:\IntelprocG4\devbodsys.exe
PID 2668 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\c600961f93cf3e340f0d09d725c0b5f707c0b6d7332581dbd7b0eb041fde1f55.exe C:\IntelprocG4\devbodsys.exe
PID 2668 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\c600961f93cf3e340f0d09d725c0b5f707c0b6d7332581dbd7b0eb041fde1f55.exe C:\IntelprocG4\devbodsys.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c600961f93cf3e340f0d09d725c0b5f707c0b6d7332581dbd7b0eb041fde1f55.exe

"C:\Users\Admin\AppData\Local\Temp\c600961f93cf3e340f0d09d725c0b5f707c0b6d7332581dbd7b0eb041fde1f55.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"

C:\IntelprocG4\devbodsys.exe

C:\IntelprocG4\devbodsys.exe

Network

N/A

Files

\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe

MD5 917aaa8d2ee2247c28a1287c0baa5c58
SHA1 43815268f379e30cbb770e8acc51f9764d84894d
SHA256 2e3e285b32686598f92e030d8e55378a41e03d5ebb19d746cdd713ae64ddafd7
SHA512 d488be7733e0b999df9d2cadfca8acd065b3182a00628c618637ddeb08426a69744bff98e126c98b3f169474a6d744f8648a70875e724471b0f0a05613ac0dce

C:\Users\Admin\253086396416_6.1_Admin.ini

MD5 9357d004a16a2ac5c55b3f6455a19162
SHA1 adcaa8d1c41c9db2e8f61042f3c4b4b7d83f639b
SHA256 cb65afeeee04885fdba8fd8e7749a49f797f84b8a30007d41c00defd99ff66c4
SHA512 2ea48fc49a4dbd2953e23294014ff895b1b068752e48ab23e3cc00f8b82e72cc551f7b8c76d84128eba038fe3a87b9b5f5a1c49c99a867a96507dad2668cc285

C:\IntelprocG4\devbodsys.exe

MD5 7cb60054bf77a0faf3e02689b03e6b9f
SHA1 b4536b626578a5923df2923d187b7ba1d5eda377
SHA256 2ed3bd06c619269c52f387b7744507bf1cf70c571b2d941e690eac6f6e4d09a6
SHA512 1ad14c396df3f78f76c1c3b46786879c4b5a189a9c32fe16f2f479c4190b6fa6c41a3a302f0c4cd0ed6aff63a676744b20b09769cefcda5f820d8aacc708c2fb

C:\VidNE\boddevsys.exe

MD5 46dac6d63b6dcac0378582308172c3e3
SHA1 640c3125ed550c63e00faea36b0803f9e9566f2f
SHA256 de278a982fcab9dc32d417fc3c52bc9f8f319ccc8fb6d1f7f8eea74fe5c652c8
SHA512 ea31a8ad9227ff937f1215d6fc271c7e966c5e32cf1da85ce7dd54e5a5cf8d6287fbb133d0e050837376a02a5572d41bf91948194f60069d8079c3dfa5162669

C:\Users\Admin\253086396416_6.1_Admin.ini

MD5 f89a81c78e51b1be641eb5b1027c438a
SHA1 af53ce82d7a04ae20843c3def27892595c50aa9e
SHA256 01383279fb2c857f9243ec68782c1aa52f4d8276c7f6405b7700637e66ee742a
SHA512 a91374530404111f2823fa49a0b00c69a23ae42522d288156ab1ecb8aee8d9f9d9310a06e8b10c8d78186a0ba94ca69393d533ba4cff5da049fbe55e291cf559

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 15:59

Reported

2024-11-13 16:01

Platform

win10v2004-20241007-en

Max time kernel

119s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c600961f93cf3e340f0d09d725c0b5f707c0b6d7332581dbd7b0eb041fde1f55.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe C:\Users\Admin\AppData\Local\Temp\c600961f93cf3e340f0d09d725c0b5f707c0b6d7332581dbd7b0eb041fde1f55.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe N/A
N/A N/A C:\SysDrv92\xoptiloc.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv92\\xoptiloc.exe" C:\Users\Admin\AppData\Local\Temp\c600961f93cf3e340f0d09d725c0b5f707c0b6d7332581dbd7b0eb041fde1f55.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidAH\\dobdevloc.exe" C:\Users\Admin\AppData\Local\Temp\c600961f93cf3e340f0d09d725c0b5f707c0b6d7332581dbd7b0eb041fde1f55.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c600961f93cf3e340f0d09d725c0b5f707c0b6d7332581dbd7b0eb041fde1f55.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\SysDrv92\xoptiloc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c600961f93cf3e340f0d09d725c0b5f707c0b6d7332581dbd7b0eb041fde1f55.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c600961f93cf3e340f0d09d725c0b5f707c0b6d7332581dbd7b0eb041fde1f55.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c600961f93cf3e340f0d09d725c0b5f707c0b6d7332581dbd7b0eb041fde1f55.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c600961f93cf3e340f0d09d725c0b5f707c0b6d7332581dbd7b0eb041fde1f55.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe N/A
N/A N/A C:\SysDrv92\xoptiloc.exe N/A
N/A N/A C:\SysDrv92\xoptiloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe N/A
N/A N/A C:\SysDrv92\xoptiloc.exe N/A
N/A N/A C:\SysDrv92\xoptiloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe N/A
N/A N/A C:\SysDrv92\xoptiloc.exe N/A
N/A N/A C:\SysDrv92\xoptiloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe N/A
N/A N/A C:\SysDrv92\xoptiloc.exe N/A
N/A N/A C:\SysDrv92\xoptiloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe N/A
N/A N/A C:\SysDrv92\xoptiloc.exe N/A
N/A N/A C:\SysDrv92\xoptiloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe N/A
N/A N/A C:\SysDrv92\xoptiloc.exe N/A
N/A N/A C:\SysDrv92\xoptiloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe N/A
N/A N/A C:\SysDrv92\xoptiloc.exe N/A
N/A N/A C:\SysDrv92\xoptiloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe N/A
N/A N/A C:\SysDrv92\xoptiloc.exe N/A
N/A N/A C:\SysDrv92\xoptiloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe N/A
N/A N/A C:\SysDrv92\xoptiloc.exe N/A
N/A N/A C:\SysDrv92\xoptiloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe N/A
N/A N/A C:\SysDrv92\xoptiloc.exe N/A
N/A N/A C:\SysDrv92\xoptiloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe N/A
N/A N/A C:\SysDrv92\xoptiloc.exe N/A
N/A N/A C:\SysDrv92\xoptiloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe N/A
N/A N/A C:\SysDrv92\xoptiloc.exe N/A
N/A N/A C:\SysDrv92\xoptiloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe N/A
N/A N/A C:\SysDrv92\xoptiloc.exe N/A
N/A N/A C:\SysDrv92\xoptiloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe N/A
N/A N/A C:\SysDrv92\xoptiloc.exe N/A
N/A N/A C:\SysDrv92\xoptiloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe N/A
N/A N/A C:\SysDrv92\xoptiloc.exe N/A
N/A N/A C:\SysDrv92\xoptiloc.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c600961f93cf3e340f0d09d725c0b5f707c0b6d7332581dbd7b0eb041fde1f55.exe

"C:\Users\Admin\AppData\Local\Temp\c600961f93cf3e340f0d09d725c0b5f707c0b6d7332581dbd7b0eb041fde1f55.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"

C:\SysDrv92\xoptiloc.exe

C:\SysDrv92\xoptiloc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 98.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe

MD5 02fb981625d948f2e74283b7e7ba2da2
SHA1 6cf6bc1a2bd7d92472516cd03781d07f0e6f2e5e
SHA256 dc18435782586f5566a58ca3cb648837148488f3399c648a97caafcba389560b
SHA512 a3550013aa290426dc87fd03b5fb729154b53aaee9a66b8f85081bb983c48219a1937f6f1a98e43067ef1d8cb25a2c0a886e4b14f95e8a80fa3d456dfada0e95

C:\Users\Admin\253086396416_10.0_Admin.ini

MD5 31286424b4ecfbb182ba9e0c43da1142
SHA1 bb6995ced19e07205cf462e6b96ddcd3a2d2c617
SHA256 3f83e721d01ab7e914987d2e02eb2133e519757fea0cd49fe05b877b5b724db5
SHA512 935d1f08027ae31f334882e63cb69fc8d705d75024e21335c4b88737dc5b4003c260b50f976ad669cf2948541ee74cd013ce49b33bfc900cba6597129bc6b5cd

C:\SysDrv92\xoptiloc.exe

MD5 efe47d46e92950e1182864074efcb04f
SHA1 80c0aa6afe5c374040d48870a10db601ed9ce01a
SHA256 a179fd1367c0b1922d6cee252bc0881866737d249a3fc2541df0d12ae20b1b9f
SHA512 a5151261599913874d6ab2e1c5060219f9caf850eea4fdf46601a99c7b5e1938ab861630794730ffb72bd4aacf18146a3739f75277557ea56b174d11dd6e5ae8

C:\VidAH\dobdevloc.exe

MD5 db5456e97221c77f835fbfee9b37bfc0
SHA1 fc378c0892aae8b3ccadd6726c2f3e02e28c4de1
SHA256 8e84377cee6995a871692b8e0c362aa5985329d824abab1c9322447f93909bd4
SHA512 b862e39c302680f8280d9075da7dcec461776dec6f4d39f2db557ae87f6e577dbdb4c0b637e4174f96bcab0771ae54e6d66d960aa9f9abebae22385c4d393196

C:\Users\Admin\253086396416_10.0_Admin.ini

MD5 bb60c3bdf0fe3469e51590ddae8a4b0a
SHA1 c92fac64a14b51bef1d913fb7227efa271ee9286
SHA256 91a4a219e9b2ff162c8faa405325004670e1c12dcfe554aad76f0ab185ba9464
SHA512 c0247a57006aea24be3e8bb66e200518e7bf4112b630a892f1d2fd7005ff6c6f683748d3ae080b9b7ccf7620a98495bab72cd51a3c46a2dc98f591b47d873a22