Malware Analysis Report

2024-12-07 03:03

Sample ID 241113-yf5v5sxnct
Target 790f3f1b0e68e1bd8e76bdb6a3c589836c26359f05c09953eae5fbcd754ed77cN.exe
SHA256 790f3f1b0e68e1bd8e76bdb6a3c589836c26359f05c09953eae5fbcd754ed77c
Tags
discovery persistence spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

790f3f1b0e68e1bd8e76bdb6a3c589836c26359f05c09953eae5fbcd754ed77c

Threat Level: Shows suspicious behavior

The file 790f3f1b0e68e1bd8e76bdb6a3c589836c26359f05c09953eae5fbcd754ed77cN.exe was classified as showing suspicious behavior (score 7/10). Both detonations (Windows 7 in behavioral1, Windows 10 in behavioral2) show the same pattern: the sample writes an executable into the per-user Startup folder and further executables into randomly named top-level directories (C:\SysDrvNQ and C:\LabZIO on Windows 7, C:\FilesD6 and C:\Vid4V on Windows 10), registers them under the user's Run and RunOnce keys as a value named "Parametr", and launches two of them (the Startup-folder executable and the Run-key target); the RunOnce target is written but not executed during the run. The dropped .ini file name embeds the OS version (6.1 on Windows 7, 10.0 on Windows 10) and the user name. behavioral1 recorded no network traffic; behavioral2 recorded only reverse DNS lookups with no process attribution.

Malicious Activity Summary

discovery persistence spyware stealer

Drops startup file

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 19:44

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 19:44

Reported

2024-11-13 19:46

Platform

win7-20241010-en

Max time kernel

119s

Max time network

16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\790f3f1b0e68e1bd8e76bdb6a3c589836c26359f05c09953eae5fbcd754ed77cN.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe C:\Users\Admin\AppData\Local\Temp\790f3f1b0e68e1bd8e76bdb6a3c589836c26359f05c09953eae5fbcd754ed77cN.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe N/A
N/A N/A C:\SysDrvNQ\devoptisys.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvNQ\\devoptisys.exe" C:\Users\Admin\AppData\Local\Temp\790f3f1b0e68e1bd8e76bdb6a3c589836c26359f05c09953eae5fbcd754ed77cN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZIO\\optialoc.exe" C:\Users\Admin\AppData\Local\Temp\790f3f1b0e68e1bd8e76bdb6a3c589836c26359f05c09953eae5fbcd754ed77cN.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\790f3f1b0e68e1bd8e76bdb6a3c589836c26359f05c09953eae5fbcd754ed77cN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\SysDrvNQ\devoptisys.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Hits
N/A N/A C:\Users\Admin\AppData\Local\Temp\790f3f1b0e68e1bd8e76bdb6a3c589836c26359f05c09953eae5fbcd754ed77cN.exe N/A 2
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe N/A 31
N/A N/A C:\SysDrvNQ\devoptisys.exe N/A 31

Suspicious use of WriteProcessMemory

Description Indicator Process Target Hits
PID 2292 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\790f3f1b0e68e1bd8e76bdb6a3c589836c26359f05c09953eae5fbcd754ed77cN.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe 4
PID 2292 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\790f3f1b0e68e1bd8e76bdb6a3c589836c26359f05c09953eae5fbcd754ed77cN.exe C:\SysDrvNQ\devoptisys.exe 4
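
Both WriteProcessMemory targets in this run are processes the sample itself created (2608 and 1356 are the two dropped executables it spawned), which is the expected footprint of a parent creating children rather than injection into an unrelated process. The check below, added here as an example and not part of the report or of the sandbox's own logic, separates the two cases from process-creation and memory-write records. The PIDs and image paths are the ones behavioral1 lists; the explorer.exe parent (PID 1000, PPID 400) and the final cross-process write are constructed assumptions so that both verdicts are exercised.

```python
"""Classify WriteProcessMemory events by whether the target is a process the writer
itself spawned or an unrelated process. Added example, not part of the report: the
process records are constructed from the PIDs and image paths listed in behavioral1;
the explorer.exe parent (PID 1000, PPID 400) and the final cross-process write are
assumptions added so that both outcomes are exercised."""

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\790f3f1b0e68e1bd8e76bdb6a3c589836c26359f05c09953eae5fbcd754ed77cN.exe")
STARTUP_DROP = (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu"
                r"\Programs\Startup\sysxdob.exe")
ROOT_DROP = r"C:\SysDrvNQ\devoptisys.exe"

# Constructed process-creation records: (pid, ppid, image).
PROCESS_EVENTS = [
    (1000, 400, r"C:\Windows\explorer.exe"),   # assumed parent shell, not in the report
    (2292, 1000, SAMPLE),
    (2608, 2292, STARTUP_DROP),
    (1356, 2292, ROOT_DROP),
]

# Constructed write records: (writer_pid, target_pid). The first eight mirror the
# report (four writes into each child); the last is a hypothetical write into a
# process the writer did not create.
WRITE_EVENTS = [(2292, 2608)] * 4 + [(2292, 1356)] * 4 + [(1356, 1000)]


def build_tree(process_events):
    """Return (parent_of, image_of) lookups keyed by PID."""
    parent_of = {pid: ppid for pid, ppid, _ in process_events}
    image_of = {pid: image for pid, _, image in process_events}
    return parent_of, image_of


def classify_writes(process_events, write_events):
    """Aggregate writes per (writer, target) pair and label each pair.

    child-spawn   : the target is a direct child of the writer. A parent writing into a
                    process it has just created is routine and is not, on its own,
                    evidence of injection.
    cross-process : the target is not the writer's child. This is the pattern that
                    deserves triage as possible code injection."""
    parent_of, image_of = build_tree(process_events)
    counts = {}
    for writer, target in write_events:
        counts[(writer, target)] = counts.get((writer, target), 0) + 1
    results = []
    for (writer, target), n in sorted(counts.items()):
        verdict = "child-spawn" if parent_of.get(target) == writer else "cross-process"
        results.append({
            "writer": writer, "target": target, "events": n, "verdict": verdict,
            "writer_image": image_of.get(writer, "?"),
            "target_image": image_of.get(target, "?"),
        })
    return results


def suspicious_pairs(process_events, write_events):
    """Only the (writer, target) pairs a responder should look at first."""
    return [(r["writer"], r["target"])
            for r in classify_writes(process_events, write_events)
            if r["verdict"] == "cross-process"]


if __name__ == "__main__":
    for r in classify_writes(PROCESS_EVENTS, WRITE_EVENTS):
        print(f"{r['writer']} -> {r['target']} x{r['events']}: {r['verdict']}")
```

On the report's own data the two pairs come out as child-spawn; only the constructed 1356 -> 1000 write is returned by suspicious_pairs. Real event sources (Sysmon event 10 does not log writes, so this needs an EDR feed) also carry the written address range, which is the next field to add when distinguishing a loader from an injector.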

Processes

C:\Users\Admin\AppData\Local\Temp\790f3f1b0e68e1bd8e76bdb6a3c589836c26359f05c09953eae5fbcd754ed77cN.exe

"C:\Users\Admin\AppData\Local\Temp\790f3f1b0e68e1bd8e76bdb6a3c589836c26359f05c09953eae5fbcd754ed77cN.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"

C:\SysDrvNQ\devoptisys.exe

C:\SysDrvNQ\devoptisys.exe

Network

N/A

Files

\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe

MD5 aeec5ebde2215ddd4b862121cf1799f9
SHA1 73a5946088a4d454164e6b2626de828a6e38baa5
SHA256 cf69ddd7d46476a69a8bd85561e5d8f92ca0c9c36ddbef13e67c79a5a6a83dfa
SHA512 aa5ac7e714d5608a9eb05bfd8672efac2e4a06ceae7e40baee0ea31d26213ec00ff2ce9dafbda48bdc59ca72a1d9f638004ed8c43e72af9d9e41602bc5f4d353

C:\Users\Admin\253086396416_6.1_Admin.ini

MD5 b7cb8726c8ed3a0ea5e43d346a916e10
SHA1 fd701aa13074eeb7e734dab2f8fb1c9a2ef29644
SHA256 bb73e1d35454a6e74998bfbf50af49bd650f8b4b3aa66d9d1a27bb9226212ba6
SHA512 2f77e80214bcef1529bc25a5556473a8fadf00747830f82278bb362cddd783e17b06cbfeb59266aee856433699831f9f4602fa5936a5ce212d743bb69f16106f

C:\SysDrvNQ\devoptisys.exe

MD5 f524c6a40f0682c4b938be53f7a20554
SHA1 6bdba2d6ae8b1094670ee639d596e6a21994cb05
SHA256 b550c5c9932254894e4de262927b10ca3888fdcc0da03e5bdfccbf949ff68a63
SHA512 5cc2d72bfdc1e14a73f3b863b0dca2b7b01f0235627c054f9771051db53cb68984f37d264f66f60570543007b2377e92612e93c74da3caababc40f9f7337d254

C:\LabZIO\optialoc.exe

MD5 95ec9e541711f094e40dde8e4a9d303a
SHA1 10e04f1166a36b638e71005f8e154155b02043c5
SHA256 8c8d832bddfb55e420ffd7ab803ac31250e575c76154e38e40da5559adb6b8d2
SHA512 61e599721f64774198b15582317b64339e0feafd8bafefbee29e854568808c2724a0b029268a3c89e5c1431bcc1bd9d75a82422c99c1ebac1ea7ba11496e39a5

C:\Users\Admin\253086396416_6.1_Admin.ini (same path written again with different content)

MD5 d927ee6937f70dc8cd9e0df3d6b97be7
SHA1 abdccdfc7f1459625d8f9f76a07ca6d60e803202
SHA256 9ad5f4359b4c94a8c69ed6203eb6c3e29db3195d7c1caac99b599db7ee305ebd
SHA512 7bf92157e24b6399a6b675cf6d84fb2948245345791d5b9975178b8b35a222046ba7a9e56919e12e371b41e5ff56eb2b5c97f2267dff5e5a065952ccf47a3fec

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 19:44

Reported

2024-11-13 19:46

Platform

win10v2004-20241007-en

Max time kernel

119s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\790f3f1b0e68e1bd8e76bdb6a3c589836c26359f05c09953eae5fbcd754ed77cN.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe C:\Users\Admin\AppData\Local\Temp\790f3f1b0e68e1bd8e76bdb6a3c589836c26359f05c09953eae5fbcd754ed77cN.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe N/A
N/A N/A C:\FilesD6\devoptiloc.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid4V\\optialoc.exe" C:\Users\Admin\AppData\Local\Temp\790f3f1b0e68e1bd8e76bdb6a3c589836c26359f05c09953eae5fbcd754ed77cN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesD6\\devoptiloc.exe" C:\Users\Admin\AppData\Local\Temp\790f3f1b0e68e1bd8e76bdb6a3c589836c26359f05c09953eae5fbcd754ed77cN.exe N/A
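
The persistence in both runs is the same two techniques with different random directory names: a Run/RunOnce value named "Parametr" that points at an executable in a freshly created top-level directory, and an executable written straight into the per-user Startup folder. The detection below is an added example, not part of the report and not the sandbox's signature logic; it runs over Sysmon-shaped events constructed from the behavioral1 and behavioral2 indicators above (registry value data rendered with doubled backslashes exactly as the report shows it), plus two constructed benign events that must not fire. The "non-standard top-level directory" rule and the KNOWN_ROOT_DIRS list are the example's own heuristic.

```python
"""Detection logic for the two autostart techniques this report records: Run/RunOnce
values pointing at dropped executables, and an executable written into the per-user
Startup folder. Added example, not part of the report. The events below are
constructed in a Sysmon-like shape from the indicators in behavioral1 and
behavioral2, plus two benign events that must not fire."""
import re
from pathlib import PureWindowsPath

RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\[^\\]+$", re.IGNORECASE)
STARTUP_RE = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.IGNORECASE)
# Top-level directories that legitimately hold executables on a stock install (heuristic).
KNOWN_ROOT_DIRS = {"windows", "program files", "program files (x86)", "programdata", "users", "perflogs"}

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\790f3f1b0e68e1bd8e76bdb6a3c589836c26359f05c09953eae5fbcd754ed77cN.exe")
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
HKU_WIN7 = r"\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000"
HKU_WIN10 = r"\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000"

SAMPLE_EVENTS = [
    # behavioral1: value data carries doubled backslashes, as rendered in the report
    {"type": "RegistryValueSet", "process": SAMPLE,
     "key": HKU_WIN7 + r"\Software\Microsoft\Windows\CurrentVersion\Run\Parametr",
     "data": r"C:\\SysDrvNQ\\devoptisys.exe"},
    {"type": "RegistryValueSet", "process": SAMPLE,
     "key": HKU_WIN7 + r"\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr",
     "data": r"C:\\LabZIO\\optialoc.exe"},
    {"type": "FileCreate", "process": SAMPLE, "path": STARTUP + r"\sysxdob.exe"},
    # behavioral2: different SID and directory names, same technique
    {"type": "RegistryValueSet", "process": SAMPLE,
     "key": HKU_WIN10 + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr",
     "data": r"C:\\Vid4V\\optialoc.exe"},
    {"type": "RegistryValueSet", "process": SAMPLE,
     "key": HKU_WIN10 + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr",
     "data": r"C:\\FilesD6\\devoptiloc.exe"},
    {"type": "FileCreate", "process": SAMPLE, "path": STARTUP + r"\sysdevopti.exe"},
    # constructed benign events: a vendor updater under Program Files, a document save
    {"type": "RegistryValueSet", "process": r"C:\Program Files\Vendor\setup.exe",
     "key": HKU_WIN7 + r"\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdate",
     "data": r'"C:\\Program Files\\Vendor\\updater.exe" /quiet'},
    {"type": "FileCreate", "process": r"C:\Windows\explorer.exe",
     "path": r"C:\Users\Admin\Documents\notes.txt"},
]


def executable_from_value(data):
    """Pull the program path out of a Run value: un-escape doubled backslashes, then take
    the quoted token or, failing that, the first whitespace-delimited token (an unquoted
    path that itself contains spaces is ambiguous and gets truncated here)."""
    data = data.strip().replace("\\\\", "\\")
    m = re.match(r'"([^"]*)"|(\S+)', data)
    return (m.group(1) or m.group(2)) if m else data


def location_reason(path):
    """Why an autostart target's location is suspicious, or None if it looks ordinary."""
    p = PureWindowsPath(path)
    if not p.drive or len(p.parts) < 2:
        return None
    if p.parts[1].lower() not in KNOWN_ROOT_DIRS:
        return "autostart target lives in a non-standard top-level directory"
    if "\\appdata\\local\\temp\\" in path.lower():
        return "autostart target lives in the user's Temp directory"
    return None


def check_event(ev):
    """Return a finding dict for a suspicious event, None otherwise."""
    if ev["type"] == "RegistryValueSet":
        m = RUN_KEY_RE.search(ev["key"])
        if not m:
            return None
        target = executable_from_value(ev["data"])
        reason = location_reason(target)
        if reason is None:
            return None
        return {"technique": f"{m.group(1)} key autostart", "process": ev["process"],
                "target": target, "reason": reason}
    if ev["type"] == "FileCreate" and STARTUP_RE.search(ev["path"]):
        return {"technique": "Startup folder drop", "process": ev["process"],
                "target": ev["path"], "reason": "executable written to the per-user Startup folder"}
    return None


def scan(events):
    """All findings for a list of events, in event order."""
    return [f for f in (check_event(e) for e in events) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['technique']}: {f['target']} ({f['reason']})")
```

The six report-derived events all fire and the two benign ones do not. For hunting across a fleet, the same two predicates translate directly into a query over Sysmon event IDs 13 (registry value set) and 11 (file create); the value name "Parametr" is a cheap extra term for this specific sample but should not replace the location rule, since the directory names are randomised per run.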

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\790f3f1b0e68e1bd8e76bdb6a3c589836c26359f05c09953eae5fbcd754ed77cN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\FilesD6\devoptiloc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Hits
N/A N/A C:\Users\Admin\AppData\Local\Temp\790f3f1b0e68e1bd8e76bdb6a3c589836c26359f05c09953eae5fbcd754ed77cN.exe N/A 4
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe N/A 30
N/A N/A C:\FilesD6\devoptiloc.exe N/A 30

Processes

C:\Users\Admin\AppData\Local\Temp\790f3f1b0e68e1bd8e76bdb6a3c589836c26359f05c09953eae5fbcd754ed77cN.exe

"C:\Users\Admin\AppData\Local\Temp\790f3f1b0e68e1bd8e76bdb6a3c589836c26359f05c09953eae5fbcd754ed77cN.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"

C:\FilesD6\devoptiloc.exe

C:\FilesD6\devoptiloc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 68.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 82.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
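
Every entry in this table is a reverse (PTR) lookup sent to 8.8.8.8, and the report does not attribute any of them to a process, so nothing here ties them to the sample; no outbound connection to a decoded address appears in either run. The decoder below is an added example, not part of the report, that turns the in-addr.arpa names back into the addresses that were looked up so they can be checked against the process-level capture or threat intelligence; the rows are copied from the table, and the ip6.arpa branch goes beyond what the table contains.

```python
"""Decode the reverse-lookup (PTR) names from the behavioral2 Network table back into the
addresses that were looked up. Added example, not part of the report; the rows are
copied from the table. The report attributes none of these queries to a process, so
nothing here ties them to the sample."""
import ipaddress

# (country, destination, domain, proto) rows copied from the behavioral2 Network table.
NETWORK_ROWS = [
    ("US", "8.8.8.8:53", "8.8.8.8.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "28.118.140.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "68.144.22.2.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "71.159.190.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "95.221.229.192.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "53.210.109.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "171.39.242.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "82.190.18.2.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "172.210.232.199.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "19.229.111.52.in-addr.arpa", "udp"),
]


def ptr_name_to_ip(name):
    """Return the address a PTR name refers to, or None if the name is not a complete,
    well-formed reverse name (zone-level names such as 140.52.in-addr.arpa are rejected)."""
    name = name.rstrip(".").lower()
    if name.endswith(".in-addr.arpa"):
        labels = name[: -len(".in-addr.arpa")].split(".")
        if len(labels) != 4:
            return None
        try:
            return str(ipaddress.IPv4Address(".".join(reversed(labels))))
        except ipaddress.AddressValueError:
            return None
    if name.endswith(".ip6.arpa"):
        nibbles = name[: -len(".ip6.arpa")].split(".")
        if len(nibbles) != 32 or any(len(n) != 1 for n in nibbles):
            return None
        hexstr = "".join(reversed(nibbles))
        try:
            return str(ipaddress.IPv6Address(":".join(hexstr[i:i + 4] for i in range(0, 32, 4))))
        except ipaddress.AddressValueError:
            return None
    return None


def decode_network_table(rows):
    """One record per row: resolver used, decoded address, and whether the query was the
    resolver being asked about itself (as in the first row of the table)."""
    records = []
    for _country, destination, domain, proto in rows:
        resolver = destination.rsplit(":", 1)[0]
        ip = ptr_name_to_ip(domain)
        records.append({"resolver": resolver, "proto": proto, "ptr_name": domain,
                        "queried_ip": ip, "self_lookup": ip is not None and ip == resolver})
    return records


if __name__ == "__main__":
    for rec in decode_network_table(NETWORK_ROWS):
        tag = "  (resolver itself)" if rec["self_lookup"] else ""
        print(f"{rec['ptr_name']:32} -> {rec['queried_ip']}{tag}")
```

Feed the decoded addresses, not the PTR names, into any enrichment step; a PTR name that fails to decode (wrong label count, out-of-range octet) should be kept as-is and investigated rather than silently dropped.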

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe

MD5 59e16ac7a32a2e1349f316122321c304
SHA1 1ac5fea011b358999456f1b3eff3cb76602c1c8d
SHA256 8498eea9026373609364ab12d2fad0d0bbd1d9c9ed3494bdaeb3824034916c9c
SHA512 99c169d3a18a49b6f8a452ed0bc6369bc3b8ac610eab5f5c2288c288eeeff3e861493fbc80f0b53bffad3886812f0f2b7ef167e06d8949dd272e7e845eb729ce

C:\Users\Admin\253086396416_10.0_Admin.ini

MD5 d04452ab047af7adeb76577228048847
SHA1 aa24307f7179d393a73fddb2f8e80723707a4329
SHA256 5c4202a1cbc5e5ee1363813c68140ab94f6f28ef3eb9cb9a0b603ffa49395fb6
SHA512 0f4b6811263a9ee79471969dde988019251135c241465f88653a20601c15e9d5141c8c74bfa616908a543065f91f944c8ef072a0c17adfab5ed0ced67cc99d38

C:\FilesD6\devoptiloc.exe

MD5 ef732a9c8af24891e80458506d340bbf
SHA1 e62ff9da3bc4187fe971195241d05be8b0080f4f
SHA256 0b749aa1acbde88693b7e0aea1b210dbe8939e54101e3ed4192b12e315db213a
SHA512 3e8c3b4cd8ce0d355178c5b078de181bc1bef56f9cfd1d01675747d082abb342003899aa2f498fcfdfe91ad1edfb48b4e6b552570088a0ffac3cdf3fb74873c8

C:\Vid4V\optialoc.exe

MD5 e9eabce3921c659d6084f90c86a99f8c
SHA1 8a82f67fd961308a6de6d34e516f213fc4900eda
SHA256 685d9f2748f4edeb4bef0d82e391185cfdaf7a037f38505fb372753a5f94c085
SHA512 21d938164436a199febdadb5f4f5a57a0626eb73c32cbfcf3d6014b6b830b34b2edd74c531c9979d74ed5c569585bce8b12d54a4f3fc7911185f402b33209a63

C:\Users\Admin\253086396416_10.0_Admin.ini (same path written again with different content)

MD5 b41e6da08f66284d1098ca9c9c297038
SHA1 a416f93894d6f477e8f69cba81d663c2c898717e
SHA256 947c5457d49d9105a5c68a2e6283bf891aa20a050d9fde0d5273a5c21e969b39
SHA512 716920eee56a40831ab0f986ff80333f0171809856c736547c515fcea5cf6bc1e784b89e64089ac455d9f65d1f7b6f9fbdccedbc8face0fd0cea72119b167cbb

C:\Vid4V\optialoc.exe (same path written again with different content)

MD5 4f22d799849ad951d457b82eff37db75
SHA1 4e1063fe8d636bd72f9cd680c689c23c67188ea6
SHA256 6d731a85e1aa5373ae56b774f79879aaae0bf7acee2d491ffbe549dc72920948
SHA512 9906f7f210918aad8326adf8876fb1a50517812f1d6dc706f0ad6c14c9363ea1c2bdf15f1589563e9483925b76a4a315f4db9d27af6ab0674f200275d3b25f9a
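
The Files sections of behavioral1 and behavioral2 show why a full-path indicator is the wrong key for this sample: the directory names change between runs (SysDrvNQ/LabZIO on Windows 7, FilesD6/Vid4V on Windows 10), the basenames stay fixed, and optialoc.exe and the *_Admin.ini file are each written twice with different contents. The hunt below is an added example, not part of the report; it keys on basename and on any of the recorded SHA-256 values. The directory it scans is constructed inside the script and contains no report artifact, so the hash of the planted file is added to the hunt set at run time.

```python
"""Hunt for the dropped files listed in the behavioral1 and behavioral2 Files sections.
Added example, not part of the report. The directory names changed between the two
runs and optialoc.exe and the *_Admin.ini file were each written twice with different
contents, so the hunt keys on basename and on any of the recorded SHA-256 values
instead of on a full path. The demo tree is constructed; it contains no report artifact."""
import hashlib
import tempfile
from pathlib import Path

# SHA-256 values copied from the report's Files sections (executables only).
REPORT_SHA256 = {
    "cf69ddd7d46476a69a8bd85561e5d8f92ca0c9c36ddbef13e67c79a5a6a83dfa",  # Startup\sysxdob.exe
    "b550c5c9932254894e4de262927b10ca3888fdcc0da03e5bdfccbf949ff68a63",  # SysDrvNQ\devoptisys.exe
    "8c8d832bddfb55e420ffd7ab803ac31250e575c76154e38e40da5559adb6b8d2",  # LabZIO\optialoc.exe
    "8498eea9026373609364ab12d2fad0d0bbd1d9c9ed3494bdaeb3824034916c9c",  # Startup\sysdevopti.exe
    "0b749aa1acbde88693b7e0aea1b210dbe8939e54101e3ed4192b12e315db213a",  # FilesD6\devoptiloc.exe
    "685d9f2748f4edeb4bef0d82e391185cfdaf7a037f38505fb372753a5f94c085",  # Vid4V\optialoc.exe, first write
    "6d731a85e1aa5373ae56b774f79879aaae0bf7acee2d491ffbe549dc72920948",  # Vid4V\optialoc.exe, second write
}
REPORT_NAMES = {"sysxdob.exe", "devoptisys.exe", "optialoc.exe", "sysdevopti.exe", "devoptiloc.exe"}


def hash_file(path, chunk=1 << 20):
    """MD5, SHA-1, SHA-256 and SHA-512 of one file, streamed in 1 MiB chunks."""
    digests = {n: hashlib.new(n) for n in ("md5", "sha1", "sha256", "sha512")}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for d in digests.values():
                d.update(block)
    return {n: d.hexdigest() for n, d in digests.items()}


def scan_tree(root, sha256_set=REPORT_SHA256, names=REPORT_NAMES):
    """Walk root and report files that match by content hash and/or by basename.
    A name-only hit is weak evidence on its own, but the report shows these names
    reused across runs while the directories change, so it is still worth a look."""
    hits = []
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file():
            continue
        reasons = []
        if p.name.lower() in names:
            reasons.append("name")
        digests = hash_file(p)
        if digests["sha256"] in sha256_set:
            reasons.append("sha256")
        if reasons:
            hits.append({"path": str(p), "sha256": digests["sha256"], "match": reasons})
    return hits


def build_demo_tree(root):
    """Plant a constructed tree: one name+hash match, one name-only match, one clean
    file. Returns the SHA-256 of the planted content so the caller can add it to the
    hunt set (the real report hashes cannot be reproduced without the samples)."""
    root = Path(root)
    (root / "FilesD6").mkdir(parents=True, exist_ok=True)
    planted = b"constructed stand-in for a dropped file\n"
    (root / "FilesD6" / "devoptiloc.exe").write_bytes(planted)
    (root / "optialoc.exe").write_bytes(b"different constructed content\n")
    (root / "readme.txt").write_bytes(b"nothing to see here\n")
    return hashlib.sha256(planted).hexdigest()


def demo():
    """Run the hunt over the constructed tree; returns {basename: match reasons}."""
    with tempfile.TemporaryDirectory() as tmp:
        planted_sha256 = build_demo_tree(tmp)
        hits = scan_tree(tmp, sha256_set=REPORT_SHA256 | {planted_sha256})
        return {Path(h["path"]).name: h["match"] for h in hits}


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(f"{name}: matched on {', '.join(reasons)}")
```

On a live host, point scan_tree at the drive root (or at the user profile and the top-level directories first, which is where both runs wrote) and pass the report hashes unchanged; treat a name-only hit as a lead to confirm with the registry and Startup-folder checks, and a hash hit as confirmed.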