Malware Analysis Report

2024-12-08 02:45

Sample ID 240817-qw7exa1dpp
Target 2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia
SHA256 7ca465a4fa9eb508675533be84998373df84426d98debfda11ff68fcc33d1bd5
Tags: floxif backdoor discovery persistence trojan upx privilege_escalation
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

7ca465a4fa9eb508675533be84998373df84426d98debfda11ff68fcc33d1bd5

Threat Level: Known bad

The file 2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia was found to be: Known bad.

Malicious Activity Summary

floxif backdoor discovery persistence trojan upx privilege_escalation

Floxif, Floodfix

Detects Floxif payload

Event Triggered Execution: AppInit DLLs

Drops file in Drivers directory

Modifies system executable filetype association

ACProtect 1.3x - 1.4x DLL software

Executes dropped EXE

Loads dropped DLL

UPX packed file

Enumerates connected drives

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Opens file in notepad (likely ransom note)

Uses Volume Shadow Copy service COM API

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Modifies registry class

Uses Volume Shadow Copy WMI provider

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-08-17 13:37

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-08-17 13:37

Reported: 2024-08-17 13:40

Platform: win7-20240729-en

Max time kernel: 32s

Max time network: 36s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia.exe"

Signatures

Floxif, Floodfix

backdoor trojan floxif

Detects Floxif payload

backdoor
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Drops file in Drivers directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A

ACProtect 1.3x - 1.4x DLL software

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A

Modifies system executable filetype association

persistence
Description | Indicator | Process | Target
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\EditFlags = 30040000 | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\batfile\shell\runas | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\ = "Compatibility" | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\Compatibility\ = "{1d27f844-3a1f-4410-85ac-14651078412d}" | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\batfile\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\ = "@shell32.dll,-50944" | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ = "Windows Batch File" | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\FriendlyTypeName = "@%SystemRoot%\\System32\\acppage.dll,-6002" | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\comfile\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\EditFlags = 00000000 | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\command\DelegateExecute = "{ea72d00e-4960-42fa-ba92-7792a7944c1d}" | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\ShimLayer Property Page | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\batfile\shellex\DropHandler | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\FriendlyTypeName = "@%SystemRoot%\\System32\\shell32.dll,-8464" | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shellex\ContextMenuHandlers | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shellex\DropHandler | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\SuppressionPolicyEx = "{F211AA05-D4DF-4370-A2A0-9F19C09756A7}" | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\{8895b1c6-b41f-4c1c-a562-0d564250836f}\ = "{1531d583-8375-4d3f-b5fb-d23bbd169f22}" | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\PropertySheetHandlers | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\PropertySheetHandlers\ShimLayer Property Page | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shellex\DropHandler\ = "{86C86720-42A0-1069-A2E8-08002B30309D}" | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\HasLUAShield | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\SuppressionPolicyEx = "{F211AA05-D4DF-4370-A2A0-9F19C09756A7}" | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\DropHandler\ = "{86C86720-42A0-1069-A2E8-08002B30309D}" | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "Application" | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\DropHandler\ = "{86C86720-42A0-1069-A2E8-08002B30309D}" | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\batfile\shell\open | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-68" | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\FriendlyTypeName = "@%SystemRoot%\\System32\\shell32.dll,-10156" | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\runas | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\batfile\shellex\ContextMenuHandlers | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\ContextMenuHandlers\Compatibility\ = "{1d27f844-3a1f-4410-85ac-14651078412d}" | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\batfile\shellex\PropertySheetHandlers\ShimLayer Property Page | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\comfile\shellex\DropHandler | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\ = "@shell32.dll,-50944" | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas\HasLUAShield | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\comfile\shell\open | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shellex\ContextMenuHandlers\Compatibility | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shellex\PropertySheetHandlers\ShimLayer Property Page | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\comfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\batfile\shell\print\command | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\batfile\shellex\{8895b1c6-b41f-4c1c-a562-0d564250836f} | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\batfile\shell\runasuser | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "%1" | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\runas\command | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\batfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\batfile\shell\runasuser\command | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\DefaultIcon\ = "%SystemRoot%\\System32\\shell32.dll,2" | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\EditFlags = 00000000 | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\EditFlags = "0" | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\EditFlags = 38070000 | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\Extended | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\ = "MS-DOS Application" | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\batfile\shell\runas\command | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\batfile\shellex\ContextMenuHandlers\Compatibility | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\batfile\shell\edit\command | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\Extended | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\EditFlags = 30000000 | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\e: | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Common Files\System\symsrv.dll | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia.exe | N/A
File created | \??\c:\program files\common files\system\symsrv.dll.000 | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Classes\.exe | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\.bat\PersistentHandler\ | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\PropertySheetHandlers | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\EditFlags = 00000000 | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\ = "@shell32.dll,-50944" | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\PersistentHandler\ = "{098f2470-bae0-11cd-b579-08002b30bfeb}" | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\EditFlags = 00000000 | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shellex\DropHandler | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\.bat | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\PersistentHandler\ = "{5e941d80-bf96-11cd-b579-08002b30bfeb}" | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\batfile\shell\open | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ = "Windows Batch File" | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\batfile\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\batfile\shellex\{8895b1c6-b41f-4c1c-a562-0d564250836f} | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\Content Type = "application/x-msdownload" | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\HasLUAShield | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shellex\ContextMenuHandlers | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\ = "MS-DOS Application" | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\SuppressionPolicyEx = "{F211AA05-D4DF-4370-A2A0-9F19C09756A7}" | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\comfile\shell\open | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\runasuser\command | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\ = "@shell32.dll,-50944" | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\EditFlags = 30040000 | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\batfile\shell\edit\command | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\Extended | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\batfile\shellex\ContextMenuHandlers | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\ContextMenuHandlers\ = "Compatibility" | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\FriendlyTypeName = "@%SystemRoot%\\System32\\shell32.dll,-10156" | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\batfile\shell\runas\command | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\command\DelegateExecute = "{ea72d00e-4960-42fa-ba92-7792a7944c1d}" | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\{8895b1c6-b41f-4c1c-a562-0d564250836f}\ = "{1531d583-8375-4d3f-b5fb-d23bbd169f22}" | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "Application" | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\ShimLayer Property Page | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\FriendlyTypeName = "@%SystemRoot%\\System32\\acppage.dll,-6002" | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\.com | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.com\PersistentHandler\ = "{098f2470-bae0-11cd-b579-08002b30bfeb}" | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\EditFlags = 30000000 | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\EditFlags = "0" | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\runas | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\Extended | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-68" | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\batfile\shell\runasuser\command | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\DropHandler\ = "{86C86720-42A0-1069-A2E8-08002B30309D}" | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\comfile | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\comfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\DropHandler\ = "{86C86720-42A0-1069-A2E8-08002B30309D}" | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\batfile\shell\print\command | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "%1" | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas\HasLUAShield | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\batfile\shell\runasuser | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\batfile\shellex\DropHandler | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\.exe\PersistentHandler | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\runas\command | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\batfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shellex\ContextMenuHandlers\Compatibility | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\batfile\shellex\PropertySheetHandlers\ShimLayer Property Page | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A

Opens file in notepad (likely ransom note)

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\Notepad.exe | N/A

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia.exe"

C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe

C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia.exe

C:\Windows\System32\Notepad.exe

Notepad.exe C:\Users\Admin\Desktop\Rkill.txt

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | crl.microsoft.com | udp
GB | 2.18.190.71:80 | crl.microsoft.com | tcp
US | 8.8.8.8:53 | 5isohu.com | udp
US | 8.8.8.8:53 | www.aieov.com | udp
US | 72.14.185.43:80 | www.aieov.com | tcp
US | 72.14.185.43:80 | www.aieov.com | tcp
US | 72.14.185.43:80 | www.aieov.com | tcp

Files

memory/1316-3-0x0000000010000000-0x0000000010030000-memory.dmp

\Program Files\Common Files\System\symsrv.dll

MD5 7574cf2c64f35161ab1292e2f532aabf
SHA1 14ba3fa927a06224dfe587014299e834def4644f
SHA256 de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085
SHA512 4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe

MD5 0b768337711afaf41e40ba8f242c79cc
SHA1 10ae8a2b53a9853631375b307f4a6b572a61b391
SHA256 ebf4f6d4cd5eed24fe46f834c3b942e02a6e4c9ad3ba8fbaac61e4d0fd104e73
SHA512 3abdacf0f17bad81829247d4504e48504560623bca08c6ee188ba9dfda4789892ec0b8ea647eff1c28d6d7577b971db0113af4e161c25096d401d73ecaa230d0

C:\Users\Admin\Desktop\Rkill.txt

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\Desktop\Rkill.txt

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/1316-32-0x0000000010000000-0x0000000010030000-memory.dmp

memory/1316-30-0x0000000000F10000-0x00000000010CE000-memory.dmp

memory/1316-36-0x0000000010000000-0x0000000010030000-memory.dmp

memory/1316-42-0x0000000000F10000-0x00000000010CE000-memory.dmp

memory/1316-44-0x0000000010000000-0x0000000010030000-memory.dmp

C:\Users\Admin\Desktop\Rkill.txt

MD5 2d9016210985d420fc6ef00da474df57
SHA1 b9f47f21f8714cf2cfe01985dc663f6232aa0ab5
SHA256 1eabd5f050b3274d652da0c76e10d145ff92443e20339c1443669c27913d73b7
SHA512 9c37f7cfb16c6d1a896120e0cd196180700d5753a8ffa4d0adde5b9eba119eee239ba66c691bf776bbf1c5a9e72633fe0f2e019d217a5e2a634371d23fc8e3a5

Analysis: behavioral2

Detonation Overview

Submitted: 2024-08-17 13:37

Reported: 2024-08-17 13:40

Platform: win10v2004-20240802-en

Max time kernel: 137s

Max time network: 131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia.exe"

Signatures

Floxif, Floodfix

backdoor trojan floxif

Detects Floxif payload

backdoor
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Drops file in Drivers directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe | N/A

Event Triggered Execution: AppInit DLLs

persistence privilege_escalation

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\e: C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\System\symsrv.dll C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia.exe N/A
File created \??\c:\program files\common files\system\symsrv.dll.000 C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\System32\Notepad.exe N/A

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia.exe"

C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe

C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia.exe

C:\Windows\System32\Notepad.exe

Notepad.exe C:\Users\Admin\Desktop\Rkill.txt

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 5isohu.com udp
US 8.8.8.8:53 www.aieov.com udp
US 45.33.18.44:80 www.aieov.com tcp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 44.18.33.45.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 5isohu.com udp
US 45.33.18.44:80 www.aieov.com tcp
US 45.33.18.44:80 www.aieov.com tcp
US 8.8.8.8:53 5isohu.com udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 5isohu.com udp
US 45.33.18.44:80 www.aieov.com tcp
US 8.8.8.8:53 5isohu.com udp
US 45.33.18.44:80 www.aieov.com tcp
US 45.33.18.44:80 www.aieov.com tcp
US 8.8.8.8:53 5isohu.com udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

C:\Program Files\Common Files\System\symsrv.dll

MD5 7574cf2c64f35161ab1292e2f532aabf
SHA1 14ba3fa927a06224dfe587014299e834def4644f
SHA256 de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085
SHA512 4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

memory/1752-3-0x0000000010000000-0x0000000010030000-memory.dmp

memory/1752-5-0x00000000008F1000-0x00000000008F2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2024-08-17_e5d2dcb1faba5099a160d9b7fab49223_floxif_mafia64.exe

MD5 0b768337711afaf41e40ba8f242c79cc
SHA1 10ae8a2b53a9853631375b307f4a6b572a61b391
SHA256 ebf4f6d4cd5eed24fe46f834c3b942e02a6e4c9ad3ba8fbaac61e4d0fd104e73
SHA512 3abdacf0f17bad81829247d4504e48504560623bca08c6ee188ba9dfda4789892ec0b8ea647eff1c28d6d7577b971db0113af4e161c25096d401d73ecaa230d0

C:\Users\Admin\Desktop\Rkill.txt

MD5 bea2ed6c3dedfcfef0be2e715640ed84
SHA1 12c934f0d147a4000ba04de0b39edb29e32ed57a
SHA256 e7ba12ec724acc169f9b8d81f46d901506dae46ab21d5cbe3e9a671dd90d910a
SHA512 619be4c33846cee58c2085f8b062e9e9ef8685411e1fbf52907472de65d9439274f8a879d64f57079ea81b330060117d2151587cce2ce32e87bf2eaaa6f473ad

memory/1752-20-0x0000000010000000-0x0000000010030000-memory.dmp

memory/1752-21-0x00000000008F0000-0x0000000000AAE000-memory.dmp

memory/1752-23-0x0000000010000000-0x0000000010030000-memory.dmp

memory/1752-27-0x0000000010000000-0x0000000010030000-memory.dmp

C:\Program Files\Common Files\System\symsrv.dll.000

MD5 1130c911bf5db4b8f7cf9b6f4b457623
SHA1 48e734c4bc1a8b5399bff4954e54b268bde9d54c
SHA256 eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1
SHA512 94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0

memory/1752-33-0x0000000010000000-0x0000000010030000-memory.dmp

memory/1752-37-0x00000000008F0000-0x0000000000AAE000-memory.dmp

memory/1752-39-0x0000000010000000-0x0000000010030000-memory.dmp

C:\Users\Admin\Desktop\Rkill.txt

MD5 6733693fb1f7813f92ed55f03d9e7748
SHA1 dd19d4a4541907ed03a9e2387f76508a7360327c
SHA256 ac723303bbb27e8e7e8038263119e853a3b8026fa22a0dd434cb69baf12293b3
SHA512 bf6acd4b39112b714e7caaeb003d55bbc37272b55a0eee81f170e10e7d9086ee24b38a0bb2f91164af7865b3866b579b8ca7cc78e7d1b89097d6545a4a1540f7