File name:

1261ced64e4ebda3c96cb8ba564deeafcbc228142a41963edf73442b8db0197a

Full analysis: https://app.any.run/tasks/b6b61c50-7301-48c7-8542-ff70fe1d9c2d
Verdict: Malicious activity
Analysis date: January 10, 2025, 20:18:55
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
xor-url
generic
sysbot
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 5 sections
MD5:

7DEB05D275BEAF317E36F20B9BBB7368

SHA1:

02D19472D3201A4F6C77FE21077AE6AD4C1A98F7

SHA256:

1261CED64E4EBDA3C96CB8BA564DEEAFCBC228142A41963EDF73442B8DB0197A

SSDEEP:

1536:+PDfdFIBZjUrecSsbSExkhap3/p+YZRZnqjThPpecwsoR:+LfdFIBZjUrxSsbSnap/IMZqjTr5ws8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes Security Center notification settings

      • opxixag.exe (PID: 556)

    • Changes the Windows auto-update feature

      • opxixag.exe (PID: 556)

    • SYSBOT mutex has been found

      • 1261ced64e4ebda3c96cb8ba564deeafcbc228142a41963edf73442b8db0197a.exe (PID: 1380)
      • opxixag.exe (PID: 556)

    • XORed URL has been found (YARA)

      • opxixag.exe (PID: 556)
      • opxixag.exe (PID: 5316)

    • Changes the autorun value in the registry

      • opxixag.exe (PID: 556)

  • SUSPICIOUS

    • Starts itself from another location

      • 1261ced64e4ebda3c96cb8ba564deeafcbc228142a41963edf73442b8db0197a.exe (PID: 1380)

    • Executable content was dropped or overwritten

      • 1261ced64e4ebda3c96cb8ba564deeafcbc228142a41963edf73442b8db0197a.exe (PID: 1380)
      • opxixag.exe (PID: 556)

    • Application launched itself

      • opxixag.exe (PID: 556)

    • Reads security settings of Internet Explorer

      • opxixag.exe (PID: 556)

  • INFO

    • Creates files or folders in the user directory

      • 1261ced64e4ebda3c96cb8ba564deeafcbc228142a41963edf73442b8db0197a.exe (PID: 1380)
      • opxixag.exe (PID: 556)

    • Failed to create an executable file in Windows directory

      • 1261ced64e4ebda3c96cb8ba564deeafcbc228142a41963edf73442b8db0197a.exe (PID: 1380)
      • opxixag.exe (PID: 556)

    • Checks supported languages

      • opxixag.exe (PID: 5316)
      • opxixag.exe (PID: 556)
      • 1261ced64e4ebda3c96cb8ba564deeafcbc228142a41963edf73442b8db0197a.exe (PID: 1380)

    • Reads the computer name

      • opxixag.exe (PID: 556)

    • Checks proxy server information

      • opxixag.exe (PID: 556)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (41)
.exe | Win64 Executable (generic) (36.3)
.dll | Win32 Dynamic Link Library (generic) (8.6)
.exe | Win32 Executable (generic) (5.9)
.exe | Win16/32 Executable Delphi generic (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2008:08:21 11:08:50+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: 2.56
CodeSize: 22528
InitializedDataSize: 44544
UninitializedDataSize: 1024
EntryPoint: 0x3a19
OSVersion: 4
ImageVersion: 1
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
120
Monitored processes
3
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #SYSBOT 1261ced64e4ebda3c96cb8ba564deeafcbc228142a41963edf73442b8db0197a.exe #XOR-URL opxixag.exe #XOR-URL opxixag.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1380"C:\Users\admin\Desktop\1261ced64e4ebda3c96cb8ba564deeafcbc228142a41963edf73442b8db0197a.exe" C:\Users\admin\Desktop\1261ced64e4ebda3c96cb8ba564deeafcbc228142a41963edf73442b8db0197a.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\1261ced64e4ebda3c96cb8ba564deeafcbc228142a41963edf73442b8db0197a.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
556"C:\Users\admin\AppData\Roaming\opxixag.exe"C:\Users\admin\AppData\Roaming\opxixag.exe
1261ced64e4ebda3c96cb8ba564deeafcbc228142a41963edf73442b8db0197a.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\appdata\roaming\opxixag.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
5316--k33pC:\Users\admin\AppData\Roaming\opxixag.exe
opxixag.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\appdata\roaming\opxixag.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
Total events
733
Read events
574
Write events
159
Delete events
0

Modification events

(PID) Process:(1380) 1261ced64e4ebda3c96cb8ba564deeafcbc228142a41963edf73442b8db0197a.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connection Policy
Operation:writeName:Extended Flags
Value:
C3E48514D05896F0BEC40A8C
(PID) Process:(556) opxixag.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678
Value:
a
(PID) Process:(556) opxixag.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:opxixag.exe
Value:
C:\Users\admin\AppData\Roaming\opxixag.exe
(PID) Process:(556) opxixag.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
Operation:writeName:NoAutoUpdate
Value:
25600
(PID) Process:(556) opxixag.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center
Operation:writeName:AntiVirusOverride
Value:
25600
(PID) Process:(556) opxixag.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center
Operation:writeName:AntiVirusDisableNotify
Value:
25600
(PID) Process:(556) opxixag.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center
Operation:writeName:FirewallDisableNotify
Value:
25600
(PID) Process:(556) opxixag.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center
Operation:writeName:UpdatesDisableNotify
Value:
25600
(PID) Process:(556) opxixag.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connection Policy
Operation:writeName:Default Flags
Value:
E15CB3E79C63DB01F4D8AB33000000003200
Executable files
3
Suspicious files
1
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
556opxixag.exeC:\Users\admin\AppData\Roaming\agbumoax-ocooc.dllexecutable
MD5:F37B21C00FD81BD93C89CE741A88F183
SHA256:76CF016FD77CB5A06C6ED4674DDC2345E8390C010CF344491A6E742BAF2C0FB0
556opxixag.exeC:\Users\admin\AppData\Roaming\eakdapoat-urac.dllexecutable
MD5:EB9474598B42C55CC62D098B8C5D8B7E
SHA256:7CD473A4B131E8BEB8F9BAAE5876D47A74D7DFE0AD76B5F189DDE8FBE0285E91
556opxixag.exeC:\Users\admin\AppData\Roaming\tmp741A.tmpbinary
MD5:22C5E13C176D5C5915F5F4180F1DD915
SHA256:6DCF2A9F914CA0A5FAFEB32E277ED959093459DFB7124AFEB1011C64832639E5
13801261ced64e4ebda3c96cb8ba564deeafcbc228142a41963edf73442b8db0197a.exeC:\Users\admin\AppData\Roaming\opxixag.exeexecutable
MD5:7DEB05D275BEAF317E36F20B9BBB7368
SHA256:1261CED64E4EBDA3C96CB8BA564DEEAFCBC228142A41963EDF73442B8DB0197A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
19
DNS requests
11
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
23.48.23.176:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
40.127.240.158:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
104.126.37.130:443
www.bing.com
Akamai International B.V.
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4712
MoUsoCoreWorker.exe
23.48.23.176:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4712
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5064
SearchApp.exe
104.126.37.130:443
www.bing.com
Akamai International B.V.
DE
whitelisted

DNS requests

Domain
IP
Reputation
www.bing.com
  • 104.126.37.130
  • 104.126.37.128
  • 104.126.37.153
  • 104.126.37.123
  • 104.126.37.129
  • 104.126.37.137
  • 104.126.37.162
  • 104.126.37.145
  • 104.126.37.155
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
  • 20.73.194.208
  • 51.104.136.2
whitelisted
google.com
  • 216.58.206.46
whitelisted
crl.microsoft.com
  • 23.48.23.176
  • 23.48.23.147
  • 23.48.23.156
  • 23.48.23.143
  • 23.48.23.162
  • 23.48.23.145
  • 23.48.23.173
  • 23.48.23.177
  • 23.48.23.164
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
xptsu.nu
unknown
self.events.data.microsoft.com
  • 52.168.117.174
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
1261ced64e4ebda3c96cb8ba564deeafcbc228142a41963edf73442b8db0197a