Malware Analysis Report

2024-12-07 13:04

Sample ID 241113-yyefxaycrb
Target 1a766fc3f6d44af8581aa81fefb941f7c90359dbce17ae6f9f435657fab9da98
SHA256 1a766fc3f6d44af8581aa81fefb941f7c90359dbce17ae6f9f435657fab9da98
Tags
discovery persistence spyware stealer
score
7/10


Analysis Overview

score
7/10

SHA256

1a766fc3f6d44af8581aa81fefb941f7c90359dbce17ae6f9f435657fab9da98

Threat Level: Shows suspicious behavior

The file 1a766fc3f6d44af8581aa81fefb941f7c90359dbce17ae6f9f435657fab9da98 was classified as: Shows suspicious behavior.

Malicious Activity Summary

discovery persistence spyware stealer

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Drops startup file

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-11-13 20:11

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 20:11

Reported

2024-11-13 20:13

Platform

win7-20240729-en

Max time kernel

149s

Max time network

17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1a766fc3f6d44af8581aa81fefb941f7c90359dbce17ae6f9f435657fab9da98.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe C:\Users\Admin\AppData\Local\Temp\1a766fc3f6d44af8581aa81fefb941f7c90359dbce17ae6f9f435657fab9da98.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe N/A
N/A N/A C:\IntelprocZV\xoptiec.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocZV\\xoptiec.exe" C:\Users\Admin\AppData\Local\Temp\1a766fc3f6d44af8581aa81fefb941f7c90359dbce17ae6f9f435657fab9da98.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintM7\\bodxloc.exe" C:\Users\Admin\AppData\Local\Temp\1a766fc3f6d44af8581aa81fefb941f7c90359dbce17ae6f9f435657fab9da98.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\IntelprocZV\xoptiec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1a766fc3f6d44af8581aa81fefb941f7c90359dbce17ae6f9f435657fab9da98.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Events
N/A N/A C:\Users\Admin\AppData\Local\Temp\1a766fc3f6d44af8581aa81fefb941f7c90359dbce17ae6f9f435657fab9da98.exe N/A 2
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe N/A 31
N/A N/A C:\IntelprocZV\xoptiec.exe N/A 31

Suspicious use of WriteProcessMemory

Description Indicator Process Target Events
PID 1040 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\1a766fc3f6d44af8581aa81fefb941f7c90359dbce17ae6f9f435657fab9da98.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe 4
PID 1040 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\1a766fc3f6d44af8581aa81fefb941f7c90359dbce17ae6f9f435657fab9da98.exe C:\IntelprocZV\xoptiec.exe 4

Processes

C:\Users\Admin\AppData\Local\Temp\1a766fc3f6d44af8581aa81fefb941f7c90359dbce17ae6f9f435657fab9da98.exe

"C:\Users\Admin\AppData\Local\Temp\1a766fc3f6d44af8581aa81fefb941f7c90359dbce17ae6f9f435657fab9da98.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"

C:\IntelprocZV\xoptiec.exe

C:\IntelprocZV\xoptiec.exe

Network

N/A

Files

C:\IntelprocZV\xoptiec.exe

MD5 afc6e9e67e2c0ee9bdafd320169bbd01
SHA1 b01ba196499b619a5aa566ae95cd8ea2bf43dc8f
SHA256 fef3c17437a21241fb0f6d93af4ad942ea3a5d3ddfd61eb0bc615a1413b6778d
SHA512 b259450e5bc0a5495ea304bdadd457b1a6803e79714310353eb0ec8221faf1a6c5635e5ff1c5348288a3beb1574bcb4deb6d8e304e15761e758345e0fc36f18f

C:\Users\Admin\253086396416_6.1_Admin.ini

MD5 9ce1a4e927e43fc3c509f486a2452889
SHA1 03f3e3d6789be4f027f092ea23f4bdd17384f11c
SHA256 589eb4cc2e39c411a415f619e54078791d405d1f8d73b35d3142c124f4856e2f
SHA512 a813f7f8a142383f0d826e89a0530c92028517691d961fa813c60e5338770ae323662fb6c48b9ba4e306ba16ff116b18ddf1478071c395ffbe2fca8ca972881d

C:\MintM7\bodxloc.exe

MD5 8915f75343ebf76f45889099de3a956f
SHA1 bc0a5ab8d1618503e4aff46d192831918e6f87da
SHA256 2fc11407081529204f54d3548c777dd9c2da7312a65e0772c0ebfb9f1ff6ad2f
SHA512 ebae7dd948948ce41b41f5c5849adee2d446b7ec8d100e1bcbd86eb0208b93e9523b6ac8d09ddd2f84b7a582fd5c1397837de4e9a7bbcd732d8796d0f3f68284

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe

MD5 f41c106dde71e666e4443019bc70b2dc
SHA1 59ec15e42004025517a3f684e2dc4d444144182a
SHA256 7758eacd14586ad40943e8058f4b86f22d4843ce1a2898272793d9333061ff42
SHA512 8a933d4405197928a099c7db0b9cb09150a68f2b9b806a41f1b52b4e73ac4fac45513aaac9fc46d07acd8c5751f6ef9a802f6b660ecea636163ee13b53839037

C:\Users\Admin\253086396416_6.1_Admin.ini

MD5 f4ee47fbb0c12b0829c7a35d5029f774
SHA1 2dfdf0c2d8bb0160f62036399396eaceddc0b0ac
SHA256 ded3058e91cf40541546812be10e270bf63d8a17d965325ee226af95a181f47a
SHA512 58f98eb7861e0bfcb8d5b1e773608343cf62a32ba32d479d1f5323934a94c0850031ce9cd289b6363c99e684da5cb2d786df9f59d42a5f589f08616a99a47367

C:\MintM7\bodxloc.exe

MD5 d53aa90606c8163a2f41cc99b7e93921
SHA1 d1a6e6e8b4eae4b92603d53ffd37a0aa989c13b0
SHA256 f74c2d08bb2ff5f1b1e94d9af917490669f96d2eb2c5ccb8d7ca033771c35dcd
SHA512 661e9049504528f12d68d8085d38cb9159e13b5c7d1d84da07ea79535bc62d0f6f36a4c3d6a2613648d97f48307d83e98da5267212ddb556d942572c8a461519

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 20:11

Reported

2024-11-13 20:13

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1a766fc3f6d44af8581aa81fefb941f7c90359dbce17ae6f9f435657fab9da98.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe C:\Users\Admin\AppData\Local\Temp\1a766fc3f6d44af8581aa81fefb941f7c90359dbce17ae6f9f435657fab9da98.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe N/A
N/A N/A C:\UserDotX1\xoptiec.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotX1\\xoptiec.exe" C:\Users\Admin\AppData\Local\Temp\1a766fc3f6d44af8581aa81fefb941f7c90359dbce17ae6f9f435657fab9da98.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZBT\\optixec.exe" C:\Users\Admin\AppData\Local\Temp\1a766fc3f6d44af8581aa81fefb941f7c90359dbce17ae6f9f435657fab9da98.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1a766fc3f6d44af8581aa81fefb941f7c90359dbce17ae6f9f435657fab9da98.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\UserDotX1\xoptiec.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Events
N/A N/A C:\Users\Admin\AppData\Local\Temp\1a766fc3f6d44af8581aa81fefb941f7c90359dbce17ae6f9f435657fab9da98.exe N/A 4
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe N/A 30
N/A N/A C:\UserDotX1\xoptiec.exe N/A 30

Processes

C:\Users\Admin\AppData\Local\Temp\1a766fc3f6d44af8581aa81fefb941f7c90359dbce17ae6f9f435657fab9da98.exe

"C:\Users\Admin\AppData\Local\Temp\1a766fc3f6d44af8581aa81fefb941f7c90359dbce17ae6f9f435657fab9da98.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"

C:\UserDotX1\xoptiec.exe

C:\UserDotX1\xoptiec.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 102.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 22.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe

MD5 a6c18a0429c022b001abe9a30e91d826
SHA1 496923baf87d7b33dd0b7f6bc3a7d11ea6d14545
SHA256 b6846b96bd3ad0fbde43c42c34cdb4363fd12a1a737c562d32824152179da0a9
SHA512 5dbfa438af4135bac12a6695c9e1cddbe5e4662fe576e4427e75308a0b2d3b1453c7938a076a5e021a7ecd50e0b2e62b1c171aebff6a936989bb7214f3d590e9

C:\Users\Admin\253086396416_10.0_Admin.ini

MD5 885a5960605a1d7053c6134191643cfb
SHA1 569a1be0eda07b3629683be036523a554b7a989d
SHA256 2fefd288cca9819f6a3f570af80b227b271bcfa50b298e08cf5110a2ca145a0d
SHA512 ed84d15674385bf798199422b3dd7e26c93f87806db9c3b379a64c4c224c84035eb921ab37a6f604d35e5e8acb3038d5c15660dcabeb90b80a720ad9861e69d3

C:\UserDotX1\xoptiec.exe

MD5 13913dda2d22ae3855967e28e905dd4e
SHA1 467910f29dcc8ad22f18f8edc6177e1926fa9b68
SHA256 5e913e0a886e3268f247c8f3ddebe7e074bdef466da488775a30eb8bdf233748
SHA512 3c1ba249d07fd8f30d6471d7e81e4fadb850b41bcddb38fe2984efc66c051fadb4b5734fa12d8e0af8f9b5d6b7bf85dca9c1ea76378fb6fe61d2baf86b5e9206

C:\LabZBT\optixec.exe

MD5 3e90888723ef6453ef311c2cca51961a
SHA1 934ffcab17d793714237465cd0c7aa54d61b40dc
SHA256 80c21d1bb45390d3aed6f889b99a12f8c56b791f1b4ec1fa35d0146076b88fab
SHA512 3c796cc66ec2fe1912c351fc67425497682a3eb39da585ca001bba14791933194d050cee9b80c407f83fc5c386bdc6508bc0dbb198ef16401dca3258ac229e2e

C:\Users\Admin\253086396416_10.0_Admin.ini

MD5 794e353a0ccf79f7a8e532fe7eebe60e
SHA1 260ba0cec60050a56c527c04c7c48e6f0c0fb315
SHA256 d089546a734f66ab113b0abc42e10f954775722a4b0046d045a812104ed2929d
SHA512 83c5a06a7117e409533d2e5eadf7d2823884fb34efb2433ced8e33971a4435d4e2af02a7878fe395ac3ec572ea98328bdb8999b61d376b08c530420d5b0c59b7

C:\LabZBT\optixec.exe

MD5 432c3b0fedc10012d22702bb73fd808a
SHA1 c31a75b9658ffd6eeda112176cf54bf4c654fbac
SHA256 d5cc060fe7c1019c0c3e627ac5166e0de80ae565c537e988cacabebda5a5c06d
SHA512 3175929d1fd3b28a809a049e7937f40fb2aec7046b3d08d8b2235b2926808adfce193d45d67654a08a71eb58b67deb4fd162bc76431c634db6e2ee5619da31a6