Malware Analysis Report

2024-12-08 02:43

Sample ID 240818-anw17sxgrk
Target 2024-08-18_63bf5d99c0482206c58f7ed1a4f03547_floxif_icedid
SHA256 44805dd2c1dc1ebf96fbc861237d40b3fe4b744793c2a753de7713ab33cc7095
Tags: floxif backdoor discovery persistence privilege_escalation trojan upx
Score: 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK (Enterprise Matrix V15)
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: 44805dd2c1dc1ebf96fbc861237d40b3fe4b744793c2a753de7713ab33cc7095
Threat level: Known bad

The file 2024-08-18_63bf5d99c0482206c58f7ed1a4f03547_floxif_icedid was classified as Known bad.

What the two detonations (Windows 7 and Windows 10) show; details are in the per-run sections:

- The detections are Floxif (also tracked as Floodfix), a PE file infector. Although the submitted filename contains "icedid", no IcedID signature fired in either run: the filename is the submitter's label, not a detection, and is no basis for attributing this sample to IcedID.
- In both runs the sample writes symsrv.dll (SHA256 de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085) and a companion symsrv.dll.000 (different content, SHA256 eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1) into C:\Program Files\Common Files\System. That location and filename are the characteristic Floxif drop. symsrv.dll is also the name of a legitimate DLL shipped with Microsoft's Debugging Tools, so a detection should key on the Common Files\System location, not the filename alone. In the Windows 7 run the .000 file is written a second time through the 8.3 short path c:\progra~1\common~1\system\ by the dropped autorun.exe; a path match that only knows the long form misses that write.
- Persistence and privilege escalation are tagged as Event Triggered Execution: AppInit DLLs, the technique of registering a DLL so that every process that loads user32.dll loads it as well. The sandbox recorded no indicator for this signature, so the registry write itself is not visible on this page. On Windows 8 and later with Secure Boot enabled, AppInit DLL loading is disabled, so the mechanism only takes effect on hosts where it is still permitted.
- The sample unpacks a runtime into %TEMP%\ir_ext_temp_0\ (autorun.exe, lua5.1.dll, autorun.cdd, AutoPlay\Plugins\*.lmd, button and image assets) and starts autorun.exe with a SFXSOURCE: argument that points back at the sample. That layout matches a self-extracting application built with AutoPlay Media Studio (autorun.exe plus autorun.cdd, lua5.1.dll and .lmd plugins). The page does not identify the toolkit, so treat this as an inference from the file layout; it is consistent with Floxif's usual behaviour of infecting an existing application rather than being a standalone binary.
- Both runs resolve 5isohu.com and www.aieov.com via 8.8.8.8 and make repeated plain-HTTP (port 80) connections to www.aieov.com, which resolved to 198.58.118.167 on Windows 7 and to 45.33.20.235 on Windows 10. 5isohu.com is only ever queried, never connected to.
- The sample and the dropped autorun.exe both request SeDebugPrivilege, open \??\e: read-only (drive enumeration) and read HKLM\SYSTEM\ControlSet001\Control\NLS\Language (language check). The GetForegroundWindowSpam behaviour is attributed to autorun.exe, the GUI runtime, not to the infector itself.

Malicious Activity Summary

Tags: floxif backdoor discovery persistence privilege_escalation trojan upx

Signatures that fired across the analyses:

- Floxif, Floodfix
- Detects Floxif payload
- Event Triggered Execution: AppInit DLLs
- UPX packed file
- ACProtect 1.3x - 1.4x DLL software
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Enumerates physical storage devices
- System Location Discovery: System Language Discovery
- Unsigned PE
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
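The indicators above as a detection check, written for this page as an added example (not code from the sandbox vendor or from the report): it evaluates Sysmon-style file, registry, DNS and connection events against the Floxif artefacts recorded here. The event layout, field names and the sample events are constructed; the AppInit_DLLs registry value is the technique's standard location, which the report does not show for this sample.

```python
"""Added example (not part of the sandbox report): match endpoint telemetry
against the Floxif artefacts this report records. Event shapes, field names
and the sample events are constructed for the example; the AppInit_DLLs
registry value comes from the technique definition, not from this report."""
import ntpath
import re

# Indicators taken from the report.
FLOXIF_DLL_SHA256 = "de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085"
C2_DOMAINS = {"5isohu.com", "www.aieov.com"}
C2_IPS = {"198.58.118.167", "45.33.20.235"}

# Where AppInit DLLs are registered (HKLM\...\Windows NT\CurrentVersion\Windows,
# mirrored under Wow6432Node on 64-bit). The report records no registry
# indicator for this sample, so this is the technique's key, not an observed one.
APPINIT_RE = re.compile(r"\\Windows NT\\CurrentVersion\\Windows\\(Load)?AppInit_DLLs$", re.I)

# 8.3 short names seen in the report's own file events.
SHORT_NAMES = {"progra~1": "program files", "common~1": "common files"}


def normalize_path(path):
    """Lower-case, strip the NT \\??\\ prefix and expand the 8.3 components
    so the long and short spellings of the drop path compare equal."""
    path = path.lower()
    if path.startswith("\\??\\"):
        path = path[4:]
    return "\\".join(SHORT_NAMES.get(part, part) for part in path.split("\\"))


def check_event(ev):
    """Return the indicator names an event matches (empty list if none)."""
    hits = []
    if ev["type"] == "FileCreate":
        path = normalize_path(ev["path"])
        folder, name = ntpath.dirname(path), ntpath.basename(path)
        # symsrv.dll is also a legitimate Debugging Tools DLL, so the
        # location is part of the indicator, not just the file name.
        in_drop_dir = folder.endswith("\\common files\\system")
        if in_drop_dir and (name == "symsrv.dll" or name.startswith("symsrv.dll.")):
            hits.append("floxif-drop:" + path)
        if ev.get("sha256", "").lower() == FLOXIF_DLL_SHA256:
            hits.append("floxif-hash:" + name)
    elif ev["type"] == "RegistryValueSet":
        if APPINIT_RE.search(ev["key"]):
            hits.append("appinit-dlls:%s=%s" % (ev["key"], ev.get("data", "")))
    elif ev["type"] == "DnsQuery":
        if ev["query"].lower() in C2_DOMAINS:
            hits.append("floxif-c2-dns:" + ev["query"].lower())
    elif ev["type"] == "NetworkConnect":
        if ev["dst_ip"] in C2_IPS and ev["dst_port"] == 80:
            hits.append("floxif-c2-connect:%s:%d" % (ev["dst_ip"], ev["dst_port"]))
    return hits


def scan(events):
    """Map each matched indicator to the PIDs that triggered it."""
    found = {}
    for ev in events:
        for hit in check_event(ev):
            found.setdefault(hit, []).append(ev["pid"])
    return found


# Constructed events modelled on the report's file, DNS and connection rows
# (the registry event is hypothetical: the report records no indicator for it).
SAMPLE_EVENTS = [
    {"type": "FileCreate", "pid": 2648, "sha256": FLOXIF_DLL_SHA256,
     "path": r"C:\Program Files\Common Files\System\symsrv.dll"},
    {"type": "FileCreate", "pid": 3020,
     "path": r"\??\c:\progra~1\common~1\system\symsrv.dll.000"},
    {"type": "FileCreate", "pid": 1234,   # benign: the real Microsoft symsrv.dll
     "path": r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\symsrv.dll"},
    {"type": "RegistryValueSet", "pid": 2648,
     "key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs",
     "data": r"C:\Program Files\Common Files\System\symsrv.dll"},
    {"type": "DnsQuery", "pid": 2648, "query": "www.aieov.com"},
    {"type": "DnsQuery", "pid": 4884, "query": "g.bing.com"},
    {"type": "NetworkConnect", "pid": 2648, "dst_ip": "198.58.118.167", "dst_port": 80},
]

if __name__ == "__main__":
    for indicator, pids in scan(SAMPLE_EVENTS).items():
        print(indicator, "<- pids", pids)
```

The location-bound match for symsrv.dll matters because the same filename ships legitimately with Microsoft's Debugging Tools; the 8.3 expansion matters because the Windows 7 run wrote the .000 file through c:\progra~1\common~1\system\. A hash match on symsrv.dll is the highest-confidence hit; the AppInit rule also fires on legitimate software that registers AppInit DLLs, so treat it as corroborating rather than conclusive.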

MITRE ATT&CK (Enterprise Matrix V15)

The report body carries only tactic tags; the two signatures that are named after ATT&CK techniques map as follows.

Tactic                              Technique                                                         Signature
Persistence, Privilege Escalation   T1546.010 Event Triggered Execution: AppInit DLLs                 Event Triggered Execution: AppInit DLLs
Discovery                           T1614.001 System Location Discovery: System Language Discovery    System Location Discovery: System Language Discovery

The other signatures carry no technique mapping on this page.

Analysis: static1

Detonation Overview

Reported: 2024-08-18 00:22

Signatures

Unsigned PE
    No description, indicator, process or target recorded (the sample carries no Authenticode signature).

Analysis: behavioral1

Detonation Overview

Submitted: 2024-08-18 00:22
Reported:  2024-08-18 00:24
Platform:  win7-20240705-en
Max time kernel:  144s
Max time network: 134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-18_63bf5d99c0482206c58f7ed1a4f03547_floxif_icedid.exe"

Signatures

Floxif, Floodfix  (backdoor, trojan, floxif)

Detects Floxif payload  (backdoor)
    No description, indicator, process or target recorded.

Event Triggered Execution: AppInit DLLs  (persistence, privilege_escalation)

ACProtect 1.3x - 1.4x DLL software
    No description, indicator, process or target recorded.

Executes dropped EXE
    Process: C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe

UPX packed file  (upx)
    12 matches; no description, indicator, process or target recorded for any of them.

Enumerates connected drives
    File opened (read-only)  \??\e:
        Process: C:\Users\Admin\AppData\Local\Temp\2024-08-18_63bf5d99c0482206c58f7ed1a4f03547_floxif_icedid.exe

Drops file in Program Files directory
    File created  C:\Program Files\Common Files\System\symsrv.dll
        Process: C:\Users\Admin\AppData\Local\Temp\2024-08-18_63bf5d99c0482206c58f7ed1a4f03547_floxif_icedid.exe
    File created  \??\c:\program files\common files\system\symsrv.dll.000
        Process: C:\Users\Admin\AppData\Local\Temp\2024-08-18_63bf5d99c0482206c58f7ed1a4f03547_floxif_icedid.exe
    File created  \??\c:\progra~1\common~1\system\symsrv.dll.000
        Process: C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe
    (The third entry resolves to the same file as the second, written through its 8.3 short path by the dropped autorun.exe; the Windows 10 run records no such write.)

Enumerates physical storage devices

System Location Discovery: System Language Discovery  (discovery)
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
        Process: C:\Users\Admin\AppData\Local\Temp\2024-08-18_63bf5d99c0482206c58f7ed1a4f03547_floxif_icedid.exe
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
        Process: C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe

Suspicious behavior: GetForegroundWindowSpam
    Process: C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe

Suspicious use of AdjustPrivilegeToken
    Token: SeDebugPrivilege
        Process: C:\Users\Admin\AppData\Local\Temp\2024-08-18_63bf5d99c0482206c58f7ed1a4f03547_floxif_icedid.exe
    Token: SeDebugPrivilege
        Process: C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-18_63bf5d99c0482206c58f7ed1a4f03547_floxif_icedid.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-18_63bf5d99c0482206c58f7ed1a4f03547_floxif_icedid.exe"

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe

"C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe" "SFXSOURCE:C:\Users\Admin\AppData\Local\Temp\2024-08-18_63bf5d99c0482206c58f7ed1a4f03547_floxif_icedid.exe"

Network

Country  Destination         Domain         Proto  Connections
US       8.8.8.8:53          5isohu.com     udp    1
US       8.8.8.8:53          www.aieov.com  udp    1
US       198.58.118.167:80   www.aieov.com  tcp    12

All 12 TCP connections go to the same host over plain HTTP; 5isohu.com is queried once and never connected to. The table carries no process column, so the report does not say which of the two processes generated the traffic.

Files

\Program Files\Common Files\System\symsrv.dll

MD5 7574cf2c64f35161ab1292e2f532aabf
SHA1 14ba3fa927a06224dfe587014299e834def4644f
SHA256 de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085
SHA512 4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

memory/2648-3-0x0000000010000000-0x0000000010030000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\wireless.ico

MD5 0d8c648b2ae8e91a56d5fd2729752b64
SHA1 77e6e232e02c096ed77b124203f7d54add34c162
SHA256 c2490a6c037b049b5014a41a44ba29b84ccadf5f5561096cef58cd458dcc4e71
SHA512 82a603fa336ab456dc6dbcd33b73bb1db5c47011b2f38133273317453b23801aa173ec3b7e8525d626db017be9e2c02ab77b8b6bb773f0a1afad5a37dd62fbb3

\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe

MD5 2b92ed6cd3ea3e553cad8e37108c32d6
SHA1 a4993336b04ba7cc081656d51a56440391b982a6
SHA256 93d789afa9560aeae6933d540ff9ce3f1352ad03be72863cd28853e3896c0cf2
SHA512 6067d7033342fc0f83c1b260d3b0e33b474e852e0a450b243654c22c8656556217fdb5f8156852bf7b057193347f4c517a77a2410759dd8e92ff1bf5d1363ea9

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\lua5.1.dll

MD5 c9e58d1d66271921c21366023b8ed94f
SHA1 5d7591ef49f0f1b6bbfa40ed6ec00c1e70deda61
SHA256 841732bb7e629d67e99505722200645771b7cb61c266c15356f0babdadac40c8
SHA512 21710a057931007bb92441445f2b99012b1ac2da873a4391b088e28fa8dcd8951474a257ccd50ae596ad57a16e1078808986b0b2290bd42943cc38e4d0e45f94

memory/3020-87-0x0000000000AF0000-0x0000000000B20000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\autorun.cdd

MD5 ac2e0fa78ac6bf392e719cd1437e11a3
SHA1 26a2f5e097f614be11dbd1e7778896d61b56e481
SHA256 5c475e5c8cfec69d87b4a9de9def87196d1b4ccb85b7d6883785d692ef5630a6
SHA512 bf70c3c29c889168371506ebd27c7d7f9711059acf2c8f7a3472f96d5ca3dbaede45cb46700b1d6bb0ae370d71bf181fa14e400e2fd12acac12bd1bcdf5e019b

\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\lua5.1.dll.tmp

MD5 76a2ebe97bc6e9945fffd7e5e5c96ea8
SHA1 8cd8b35d0a2f57356e3a9937e53bb6ef011923c7
SHA256 9cade50890a7d1d8a7d83bd091181fd60ec6d9a8094cd869da1a5c5c5646f83d
SHA512 604dd0509fad3c0f0c7ba5d232d8e0f18ef60dde3070afe81c43aea74f3343e6ff59bfdf7485ef9f87f171c76545dc7481fd03749413c44b6421aeb916cf6f5f

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Plugins\Clipboard\Clipboard.lmd

MD5 35680673837110844c72bf6ed8eb6202
SHA1 3c9c1276ed0bbfa48e478a55e06a5e5cf826f437
SHA256 ed696486a267df27c3d16e1c360ab0221f6dda9c76e70fce0ca4b74bdd22da6b
SHA512 2fb9b08381fdc9a8f2c6e6881ddd0ed455e4117e219fd42bcecdf210d6e4410791dc6c0d025d7fd231e658fdc04bb0967df7c501703ebbd7316684c231ec73a4

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Plugins\LuaCom\LuaCom.lmd

MD5 971c53498e8a3a259e286bd9eb38c9cb
SHA1 f441af38aba15e3f748c713085cfb3642f75cf3d
SHA256 d792f81a83ed91996249b991837b12f1e748f7db183b2702eadf1fc22b09291e
SHA512 a4ca728bd93c601e9262e5ff4bf82868dff23433d1f162cbfbbae5b2eeea5cafaf5322c1cfbfbd399ad76db0608323968b928ae6bfe04045429407cc4c79002e

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Plugins\SmtpT\SmtpT.lmd

MD5 eb5247a3bd8f16f1172a4c57d0dbefbc
SHA1 ab503e3a628199b6cac38f8ada0cb05bbe0ca576
SHA256 139852d6443219df46e416f8e01c56c8c27cacd295a7d88340d69dca9d5144a2
SHA512 4c99269338f602547b1a26465e8026f4acce679947057acc1f633af510c2fac01d45bc299dc41e9a392c28241460c39b0f96c2fb800ddbc983690552733f61bd

memory/3020-97-0x0000000005520000-0x0000000005556000-memory.dmp

memory/3020-101-0x0000000004960000-0x000000000497F000-memory.dmp

memory/3020-104-0x0000000004960000-0x000000000497F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Plugins\WinApi\WinApi.lmd

MD5 0194f4b3ea555e5a2ec2c5aa38c3f47a
SHA1 5ca6ed374bfbea1a60dae6e5e5583561b10f9a09
SHA256 f1166c24279cd83a4bdf7bfe4906113b31db005608dcf688f62b53467807e65d
SHA512 0b0e15b92e61fa5b91cdd74a49ce8aa80f3ce29e2df4bacba51cd41191f9904291ab41ec3be33057c92e8f254716c914d2b28f8b0e8fabe60a32bae34e9bb709

memory/3020-106-0x00000000057E0000-0x00000000058C4000-memory.dmp

memory/3020-102-0x000000000497C000-0x000000000497E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\1.jpg

MD5 baf82861ec59b7360e28373ec0ac0db1
SHA1 13e5ca637317b4b5d808cbd5421a50886f537187
SHA256 9dbb42ca1a30dd268e55f9ebcaedcfc1ae6ef05d8a1bc2d2fb746516255fa8a8
SHA512 a8d1a3a6ae542f07e3ad5b71214a814b7b119727e52019f570c39d9df7a39d9e3ef7c131f7ca6a79a87cb6d5f19409a619b12a5d4547054d73b3c9eb7be637c1

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Buttons\62.btn

MD5 6dbe822220b78100f4dbb2baea10ab2e
SHA1 77322f9e0ed57194afbf2bab837ed6b918776b40
SHA256 ebc1555fec68efaf19130ea7058bcb10809358087f0b92c01cc2f92e9eed5623
SHA512 e80489b552b63d18d25178de7e9b87a623272e79e353726747764a2a4bfa820416c575b3bb1956cead5ae6cca27d35e9a7e73537e66d41067e3f124d0cd94eec

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\network_wireless.png

MD5 64e6018e449e922c3282528ce6e5f43b
SHA1 e366b8e8ccbabc69c588bdf9158b033b3c757c7b
SHA256 98572a66a400b63c02241ab5da2accb60e9084ef2ef85afab780566cb212a7ca
SHA512 8471d6d6e504651e1dde1768a178cb2c2309c83964d44551c1fa8245dc3dcf6bad60f41a68df78b34e1de3e1df45db485bcdef71abd2475e8e3ab37a17638662

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Buttons\64.btn

MD5 7c5184059c0073fed8e687e5e33c41b1
SHA1 444412703faab0846eae275eb6c7fb910a66b638
SHA256 0c603c5c34d805247c3e0de7b916e87ae7e51a0b64450226068985c5e33a58e5
SHA512 dc3e4952d871ed565588bece0fab6fa0c11ae55a3612aa0fcc9b885fdbcf2545202813ec1ce5c51ab47a937a21c2eeb6e013d7d5f3cf29d9e3f63a65dfebf54d

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Buttons\61.btn

MD5 484cc4f54d2c8577108b497490bf5a62
SHA1 86867a6cfdb381a46f3bbe0ec3ae7b1efbaa6dfa
SHA256 05d668f1d5942d8c21399176659819783dd800218686fd328ad2c2a10d7604e0
SHA512 d9b159f8be5bc9b7fae42643720430e15d90898072e1a068ebc2614664461cc0adf997192a56b59423fad729df42336bfcc993df029ec429f00bca707553ce60

\??\c:\progra~1\common~1\system\symsrv.dll.000

MD5 1130c911bf5db4b8f7cf9b6f4b457623
SHA1 48e734c4bc1a8b5399bff4954e54b268bde9d54c
SHA256 eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1
SHA512 94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0

Memory dumps (remaining regions, grouped by process; the number after the PID is the dump sequence index):

PID 2648
    0x10000000-0x10030000  dumps 115, 117, 127, 134, 140, 146, 152
    0x76306000-0x76307000  dump 123
    0x76300000-0x76335000  dumps 126, 131
PID 3020
    0x00AF0000-0x00B20000  dumps 116, 121
    0x0497C000-0x0497E000  dump 118
    0x04960000-0x0497F000  dumps 119, 155
    0x10000000-0x10053000  dumps 120, 128, 157, 165, 177, 185

0x10000000 is the default preferred image base for DLLs that have not been rebased, so the 0x30000-byte region in PID 2648 and the 0x53000-byte region in PID 3020 are the dumps to carve first if an unpacked copy of the dropped DLLs is wanted. The page does not say which DLL sits in which region; confirm from the carved PE headers rather than from the sizes.

Analysis: behavioral2

Detonation Overview

Submitted: 2024-08-18 00:22
Reported:  2024-08-18 00:24
Platform:  win10v2004-20240802-en
Max time kernel:  148s
Max time network: 156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-18_63bf5d99c0482206c58f7ed1a4f03547_floxif_icedid.exe"

Signatures

Floxif, Floodfix  (backdoor, trojan, floxif)

Detects Floxif payload  (backdoor)
    No description, indicator, process or target recorded.

Event Triggered Execution: AppInit DLLs  (persistence, privilege_escalation)

ACProtect 1.3x - 1.4x DLL software
    No description, indicator, process or target recorded.

Executes dropped EXE
    Process: C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe

UPX packed file  (upx)
    10 matches; no description, indicator, process or target recorded for any of them.

Enumerates connected drives
    File opened (read-only)  \??\e:
        Process: C:\Users\Admin\AppData\Local\Temp\2024-08-18_63bf5d99c0482206c58f7ed1a4f03547_floxif_icedid.exe

Drops file in Program Files directory
    File created  \??\c:\program files\common files\system\symsrv.dll.000
        Process: C:\Users\Admin\AppData\Local\Temp\2024-08-18_63bf5d99c0482206c58f7ed1a4f03547_floxif_icedid.exe
    File created  C:\Program Files\Common Files\System\symsrv.dll
        Process: C:\Users\Admin\AppData\Local\Temp\2024-08-18_63bf5d99c0482206c58f7ed1a4f03547_floxif_icedid.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery  (discovery)
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
        Process: C:\Users\Admin\AppData\Local\Temp\2024-08-18_63bf5d99c0482206c58f7ed1a4f03547_floxif_icedid.exe
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
        Process: C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe

Suspicious behavior: GetForegroundWindowSpam
    Process: C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe

Suspicious use of AdjustPrivilegeToken
    Token: SeDebugPrivilege
        Process: C:\Users\Admin\AppData\Local\Temp\2024-08-18_63bf5d99c0482206c58f7ed1a4f03547_floxif_icedid.exe
    Token: SeDebugPrivilege
        Process: C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe
    Token: 33
        Process: C:\Windows\system32\AUDIODG.EXE
    Token: SeIncBasePriorityPrivilege
        Process: C:\Windows\system32\AUDIODG.EXE
    (AUDIODG.EXE is the Windows audio engine host; its token adjustments are ordinary system behaviour, and nothing on this page ties it to the sample beyond having started during the run.)

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-18_63bf5d99c0482206c58f7ed1a4f03547_floxif_icedid.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-18_63bf5d99c0482206c58f7ed1a4f03547_floxif_icedid.exe"

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe

"C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe" "SFXSOURCE:C:\Users\Admin\AppData\Local\Temp\2024-08-18_63bf5d99c0482206c58f7ed1a4f03547_floxif_icedid.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x4b0 0x408

Network

Country  Destination         Domain                           Proto  Connections
US       8.8.8.8:53          5isohu.com                       udp    7
US       8.8.8.8:53          www.aieov.com                    udp    1
US       45.33.20.235:80     www.aieov.com                    tcp    6
US       8.8.8.8:53          g.bing.com                       udp    1
US       13.107.21.237:443   g.bing.com                       tcp    1
US       8.8.8.8:53          tse1.mm.bing.net                 udp    1
US       150.171.28.10:443   tse1.mm.bing.net                 tcp    5
US       8.8.8.8:53          8.8.8.8.in-addr.arpa             udp    1
US       8.8.8.8:53          58.55.71.13.in-addr.arpa         udp    1
US       8.8.8.8:53          172.210.232.199.in-addr.arpa     udp    1
US       8.8.8.8:53          95.221.229.192.in-addr.arpa      udp    1
US       8.8.8.8:53          14.160.190.20.in-addr.arpa       udp    1
US       8.8.8.8:53          237.21.107.13.in-addr.arpa       udp    1
US       8.8.8.8:53          235.20.33.45.in-addr.arpa        udp    1
US       8.8.8.8:53          97.17.167.52.in-addr.arpa        udp    1
US       8.8.8.8:53          13.86.106.20.in-addr.arpa        udp    1
US       8.8.8.8:53          86.23.85.13.in-addr.arpa         udp    1
US       8.8.8.8:53          198.187.3.20.in-addr.arpa        udp    1
US       8.8.8.8:53          172.214.232.199.in-addr.arpa     udp    1
US       8.8.8.8:53          22.236.111.52.in-addr.arpa       udp    1

The rows relevant to the sample are the 5isohu.com and www.aieov.com ones: as on Windows 7, 5isohu.com is only queried, while www.aieov.com receives repeated HTTP connections, here to 45.33.20.235 instead of 198.58.118.167. The reverse (PTR) lookups and the bing.com / bing.net traffic are most likely background activity of the Windows 10 image; the table has no process column, so the page offers nothing tying them to the sample's processes. Two of the PTR queries are worth recognising for what they are: 235.20.33.45.in-addr.arpa reverses 45.33.20.235, the address www.aieov.com resolved to in this run, and 237.21.107.13.in-addr.arpa reverses the g.bing.com address.
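One way to read a table like this, as an added example (not part of the report): separate the rows that involve the C2 domains from reverse lookups and background traffic, catch the reverse lookup that happens to target a C2 address, and list domains that were queried but never connected to. The embedded rows are a subset of this run's table as printed above; the benign-suffix list is an assumption about the sandbox image's background traffic, not something the report states.

```python
"""Added example (not part of the sandbox report): triage a sandbox network
table by separating C2 traffic from reverse (PTR) lookups and background
traffic, and flag PTR queries that reverse a C2 address. The rows below are
a subset of this run's table; the benign-suffix list is an assumption about
Windows 10 background traffic, not a fact from the report."""
import re

C2_DOMAINS = {"5isohu.com", "www.aieov.com"}   # from the report
BENIGN_SUFFIXES = (".bing.com", ".bing.net")   # assumption, see above
PTR_RE = re.compile(r"^((?:\d{1,3}\.){4})in-addr\.arpa$", re.I)


def ptr_to_ip(name):
    """'235.20.33.45.in-addr.arpa' -> '45.33.20.235'; None for non-PTR names."""
    m = PTR_RE.match(name)
    if not m:
        return None
    return ".".join(reversed(m.group(1).rstrip(".").split(".")))


def parse_rows(text):
    """Parse 'Country Destination Domain Proto' rows as printed in the report."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] == "Country":
            continue
        ip, port = parts[1].rsplit(":", 1)
        rows.append({"ip": ip, "port": int(port), "domain": parts[2].lower(), "proto": parts[3]})
    return rows


def triage(rows):
    """Bucket rows: c2, ptr_of_c2 (reverse lookup of an address a C2 domain
    resolved to), other ptr, benign background, unknown."""
    c2_ips = {r["ip"] for r in rows if r["domain"] in C2_DOMAINS and r["proto"] == "tcp"}
    buckets = {"c2": [], "ptr_of_c2": [], "ptr": [], "benign": [], "unknown": []}
    for r in rows:
        ip = ptr_to_ip(r["domain"])
        if r["domain"] in C2_DOMAINS:
            buckets["c2"].append(r)
        elif ip is not None:
            buckets["ptr_of_c2" if ip in c2_ips else "ptr"].append(r)
        elif r["domain"].endswith(BENIGN_SUFFIXES):
            buckets["benign"].append(r)
        else:
            buckets["unknown"].append(r)
    return buckets


def dns_only(rows):
    """Domains that were queried but never connected to (PTR names excluded)."""
    queried = {r["domain"] for r in rows if r["port"] == 53 and r["proto"] == "udp"}
    connected = {r["domain"] for r in rows if r["proto"] == "tcp"}
    return {d for d in queried - connected if ptr_to_ip(d) is None}


# Subset of the Windows 10 run's table, as printed in the report.
WIN10_ROWS = """
Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 5isohu.com udp
US 8.8.8.8:53 www.aieov.com udp
US 45.33.20.235:80 www.aieov.com tcp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 235.20.33.45.in-addr.arpa udp
US 8.8.8.8:53 5isohu.com udp
US 45.33.20.235:80 www.aieov.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
"""

if __name__ == "__main__":
    rows = parse_rows(WIN10_ROWS)
    for bucket, items in triage(rows).items():
        print(bucket, len(items), sorted({r["domain"] for r in items}))
    print("queried but never connected:", dns_only(rows))
```

A domain that is queried repeatedly but never connected to (5isohu.com here) usually means the lookup failed or the sandbox sinkholed it; it is still an indicator worth keeping, since the sample evidently tries it. The ptr_of_c2 bucket catches the reverse lookup of the C2 address that would otherwise be filed with the rest of the PTR noise.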

Files

C:\Program Files\Common Files\System\symsrv.dll

MD5 7574cf2c64f35161ab1292e2f532aabf
SHA1 14ba3fa927a06224dfe587014299e834def4644f
SHA256 de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085
SHA512 4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

memory/2716-4-0x0000000010000000-0x0000000010030000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\wireless.ico

MD5 0d8c648b2ae8e91a56d5fd2729752b64
SHA1 77e6e232e02c096ed77b124203f7d54add34c162
SHA256 c2490a6c037b049b5014a41a44ba29b84ccadf5f5561096cef58cd458dcc4e71
SHA512 82a603fa336ab456dc6dbcd33b73bb1db5c47011b2f38133273317453b23801aa173ec3b7e8525d626db017be9e2c02ab77b8b6bb773f0a1afad5a37dd62fbb3

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe

MD5 2b92ed6cd3ea3e553cad8e37108c32d6
SHA1 a4993336b04ba7cc081656d51a56440391b982a6
SHA256 93d789afa9560aeae6933d540ff9ce3f1352ad03be72863cd28853e3896c0cf2
SHA512 6067d7033342fc0f83c1b260d3b0e33b474e852e0a450b243654c22c8656556217fdb5f8156852bf7b057193347f4c517a77a2410759dd8e92ff1bf5d1363ea9

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\lua5.1.dll

MD5 c9e58d1d66271921c21366023b8ed94f
SHA1 5d7591ef49f0f1b6bbfa40ed6ec00c1e70deda61
SHA256 841732bb7e629d67e99505722200645771b7cb61c266c15356f0babdadac40c8
SHA512 21710a057931007bb92441445f2b99012b1ac2da873a4391b088e28fa8dcd8951474a257ccd50ae596ad57a16e1078808986b0b2290bd42943cc38e4d0e45f94

memory/4884-84-0x0000000010000000-0x0000000010030000-memory.dmp

memory/4884-88-0x00000000029B0000-0x0000000002A03000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\autorun.cdd

MD5 ac2e0fa78ac6bf392e719cd1437e11a3
SHA1 26a2f5e097f614be11dbd1e7778896d61b56e481
SHA256 5c475e5c8cfec69d87b4a9de9def87196d1b4ccb85b7d6883785d692ef5630a6
SHA512 bf70c3c29c889168371506ebd27c7d7f9711059acf2c8f7a3472f96d5ca3dbaede45cb46700b1d6bb0ae370d71bf181fa14e400e2fd12acac12bd1bcdf5e019b

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\lua5.1.dll.tmp

MD5 c3fcf26e31c73f71d93c8c5c495d10d3
SHA1 3bf5d507d49b0c29fad77d15087a0ac764a1cc9a
SHA256 addebcada7f45f9574e392f3276a0d4a00426edba87d7cd21140e4ee320ee382
SHA512 e259c1bcc108b036dbcced650c55f374bcfc5044d7d52266b54491ef7c5e75f6ec27aaf35d91768202c602bf0aa9e2ef45da4c8ae3dcd9d102ed08607df865b5

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Plugins\Clipboard\Clipboard.lmd

MD5 35680673837110844c72bf6ed8eb6202
SHA1 3c9c1276ed0bbfa48e478a55e06a5e5cf826f437
SHA256 ed696486a267df27c3d16e1c360ab0221f6dda9c76e70fce0ca4b74bdd22da6b
SHA512 2fb9b08381fdc9a8f2c6e6881ddd0ed455e4117e219fd42bcecdf210d6e4410791dc6c0d025d7fd231e658fdc04bb0967df7c501703ebbd7316684c231ec73a4

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Plugins\LuaCom\LuaCom.lmd

MD5 971c53498e8a3a259e286bd9eb38c9cb
SHA1 f441af38aba15e3f748c713085cfb3642f75cf3d
SHA256 d792f81a83ed91996249b991837b12f1e748f7db183b2702eadf1fc22b09291e
SHA512 a4ca728bd93c601e9262e5ff4bf82868dff23433d1f162cbfbbae5b2eeea5cafaf5322c1cfbfbd399ad76db0608323968b928ae6bfe04045429407cc4c79002e

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Plugins\SmtpT\SmtpT.lmd

MD5 eb5247a3bd8f16f1172a4c57d0dbefbc
SHA1 ab503e3a628199b6cac38f8ada0cb05bbe0ca576
SHA256 139852d6443219df46e416f8e01c56c8c27cacd295a7d88340d69dca9d5144a2
SHA512 4c99269338f602547b1a26465e8026f4acce679947057acc1f633af510c2fac01d45bc299dc41e9a392c28241460c39b0f96c2fb800ddbc983690552733f61bd

memory/4884-108-0x00000000046A0000-0x00000000046BF000-memory.dmp

memory/4884-114-0x0000000004770000-0x0000000004854000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Plugins\WinApi\WinApi.lmd

MD5 0194f4b3ea555e5a2ec2c5aa38c3f47a
SHA1 5ca6ed374bfbea1a60dae6e5e5583561b10f9a09
SHA256 f1166c24279cd83a4bdf7bfe4906113b31db005608dcf688f62b53467807e65d
SHA512 0b0e15b92e61fa5b91cdd74a49ce8aa80f3ce29e2df4bacba51cd41191f9904291ab41ec3be33057c92e8f254716c914d2b28f8b0e8fabe60a32bae34e9bb709

memory/4884-111-0x00000000046A0000-0x00000000046BF000-memory.dmp

memory/4884-110-0x00000000046BC000-0x00000000046BE000-memory.dmp

memory/4884-103-0x0000000004660000-0x0000000004696000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\1.jpg

MD5 baf82861ec59b7360e28373ec0ac0db1
SHA1 13e5ca637317b4b5d808cbd5421a50886f537187
SHA256 9dbb42ca1a30dd268e55f9ebcaedcfc1ae6ef05d8a1bc2d2fb746516255fa8a8
SHA512 a8d1a3a6ae542f07e3ad5b71214a814b7b119727e52019f570c39d9df7a39d9e3ef7c131f7ca6a79a87cb6d5f19409a619b12a5d4547054d73b3c9eb7be637c1

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Buttons\61.btn

MD5 484cc4f54d2c8577108b497490bf5a62
SHA1 86867a6cfdb381a46f3bbe0ec3ae7b1efbaa6dfa
SHA256 05d668f1d5942d8c21399176659819783dd800218686fd328ad2c2a10d7604e0
SHA512 d9b159f8be5bc9b7fae42643720430e15d90898072e1a068ebc2614664461cc0adf997192a56b59423fad729df42336bfcc993df029ec429f00bca707553ce60

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Buttons\62.btn

MD5 6dbe822220b78100f4dbb2baea10ab2e
SHA1 77322f9e0ed57194afbf2bab837ed6b918776b40
SHA256 ebc1555fec68efaf19130ea7058bcb10809358087f0b92c01cc2f92e9eed5623
SHA512 e80489b552b63d18d25178de7e9b87a623272e79e353726747764a2a4bfa820416c575b3bb1956cead5ae6cca27d35e9a7e73537e66d41067e3f124d0cd94eec

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Buttons\64.btn

MD5 7c5184059c0073fed8e687e5e33c41b1
SHA1 444412703faab0846eae275eb6c7fb910a66b638
SHA256 0c603c5c34d805247c3e0de7b916e87ae7e51a0b64450226068985c5e33a58e5
SHA512 dc3e4952d871ed565588bece0fab6fa0c11ae55a3612aa0fcc9b885fdbcf2545202813ec1ce5c51ab47a937a21c2eeb6e013d7d5f3cf29d9e3f63a65dfebf54d

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\network_wireless.png

MD5 64e6018e449e922c3282528ce6e5f43b
SHA1 e366b8e8ccbabc69c588bdf9158b033b3c757c7b
SHA256 98572a66a400b63c02241ab5da2accb60e9084ef2ef85afab780566cb212a7ca
SHA512 8471d6d6e504651e1dde1768a178cb2c2309c83964d44551c1fa8245dc3dcf6bad60f41a68df78b34e1de3e1df45db485bcdef71abd2475e8e3ab37a17638662

Memory dumps (grouped by process; the number after the PID is the dump sequence index):

PID 2716
    0x10000000-0x10030000  dumps 123, 130, 141
    0x76BE5000-0x76BE6000  dumps 122, 134
    0x76BD0000-0x76C33000  dumps 125, 129, 135, 138
PID 4884
    0x10000000-0x10030000  dumps 124, 131
    0x046A0000-0x046BF000  dump 128
    0x029B0000-0x02A03000  dump 132

The 0x30000-byte region at 0x10000000 appears in both processes of this run (and in PID 2648 on Windows 7), while the 0x53000-byte region that sat at 0x10000000 in the Windows 7 child process appears here at 0x029B0000 (dumps 88 and 132 of PID 4884). That is the pattern you would see if both dropped DLLs were mapped into autorun.exe and the second was relocated because the preferred base was already taken. The page does not name the DLLs behind these regions, so confirm by carving the dumps before relying on that reading.

C:\Program Files\Common Files\System\symsrv.dll.000

MD5 1130c911bf5db4b8f7cf9b6f4b457623
SHA1 48e734c4bc1a8b5399bff4954e54b268bde9d54c
SHA256 eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1
SHA512 94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0

Memory dumps (continued):

PID 2716
    0x76BD0000-0x76C33000  dump 149
    0x10000000-0x10030000  dumps 150, 174
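Both detonations dropped the same set of files, and comparing their hashes is the check that decides which of them are usable as indicators. Added example (not from the report or the sandbox vendor): parse the two Files sections in the layout printed above and bucket the files by whether their SHA256 changed between runs. The embedded lists are excerpts of this report's own Files sections, trimmed to MD5 and SHA256.

```python
"""Added example (not part of the sandbox report): compare the dropped-file
lists of the two detonations to decide which hashes are stable enough to use
as indicators. The two excerpts below are copied from this report's Files
sections (paths and hashes as printed there, trimmed to MD5 and SHA256)."""
import ntpath
import re

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")


def parse_file_list(text):
    """Parse the report's flattened Files layout: a path line followed by
    one 'ALGO hexdigest' line per hash; memory/ dump lines are skipped."""
    files, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("memory/"):
            continue
        m = HASH_LINE.match(line)
        if m and current is not None:
            files[current][m.group(1)] = m.group(2).lower()
        else:
            current = line
            files[current] = {}
    return files


def compare_runs(run_a, run_b):
    """Match files across runs by base name (the runs print the same file as
    '\\Program Files\\...', 'C:\\Program Files\\...' or the 8.3 short path)
    and bucket them by whether the SHA256 changed."""
    key = lambda run: {ntpath.basename(p).lower(): h for p, h in run.items()}
    a, b = key(run_a), key(run_b)
    out = {"identical": [], "changed": [], "only_a": [], "only_b": []}
    for name in sorted(set(a) | set(b)):
        if name in a and name in b:
            bucket = "identical" if a[name]["SHA256"] == b[name]["SHA256"] else "changed"
        else:
            bucket = "only_a" if name in a else "only_b"
        out[bucket].append(name)
    return out


def stable_hash_iocs(run_a, run_b):
    """SHA256 values that were the same in both detonations; a file whose
    content changes per run (here lua5.1.dll.tmp) would make a useless hash IOC."""
    a = {ntpath.basename(p).lower(): h["SHA256"] for p, h in run_a.items()}
    return {n: a[n] for n in compare_runs(run_a, run_b)["identical"]}


# Excerpt of the Windows 7 run's Files section, as printed in the report.
WIN7_FILES = r"""
\Program Files\Common Files\System\symsrv.dll
MD5 7574cf2c64f35161ab1292e2f532aabf
SHA256 de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085
memory/2648-3-0x0000000010000000-0x0000000010030000-memory.dmp
\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe
MD5 2b92ed6cd3ea3e553cad8e37108c32d6
SHA256 93d789afa9560aeae6933d540ff9ce3f1352ad03be72863cd28853e3896c0cf2
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\lua5.1.dll
MD5 c9e58d1d66271921c21366023b8ed94f
SHA256 841732bb7e629d67e99505722200645771b7cb61c266c15356f0babdadac40c8
\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\lua5.1.dll.tmp
MD5 76a2ebe97bc6e9945fffd7e5e5c96ea8
SHA256 9cade50890a7d1d8a7d83bd091181fd60ec6d9a8094cd869da1a5c5c5646f83d
\??\c:\progra~1\common~1\system\symsrv.dll.000
MD5 1130c911bf5db4b8f7cf9b6f4b457623
SHA256 eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1
"""

# Excerpt of the Windows 10 run's Files section, as printed in the report.
WIN10_FILES = r"""
C:\Program Files\Common Files\System\symsrv.dll
MD5 7574cf2c64f35161ab1292e2f532aabf
SHA256 de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe
MD5 2b92ed6cd3ea3e553cad8e37108c32d6
SHA256 93d789afa9560aeae6933d540ff9ce3f1352ad03be72863cd28853e3896c0cf2
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\lua5.1.dll
MD5 c9e58d1d66271921c21366023b8ed94f
SHA256 841732bb7e629d67e99505722200645771b7cb61c266c15356f0babdadac40c8
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\lua5.1.dll.tmp
MD5 c3fcf26e31c73f71d93c8c5c495d10d3
SHA256 addebcada7f45f9574e392f3276a0d4a00426edba87d7cd21140e4ee320ee382
C:\Program Files\Common Files\System\symsrv.dll.000
MD5 1130c911bf5db4b8f7cf9b6f4b457623
SHA256 eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1
"""

if __name__ == "__main__":
    win7, win10 = parse_file_list(WIN7_FILES), parse_file_list(WIN10_FILES)
    print(compare_runs(win7, win10))
    print(stable_hash_iocs(win7, win10))
```

lua5.1.dll.tmp is the one file that differs between the runs, so it is generated at run time and its hash is not an indicator. autorun.exe and lua5.1.dll are stable, but if the runtime identification in the overview is right they are components of the application toolkit, and hashing them would flag any program built with it; the hashes worth shipping are those of symsrv.dll and symsrv.dll.000.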