Malware Analysis Report

2024-12-08 02:51

Sample ID 240818-hm2jastgpn
Target 4079c4a296b564b3fa3dcc4e1cfd6680N.exe
SHA256 1ffbe323071763ac2ecfac6abc9326badda79f2dd68afefc11712ef3f80fa80f
Tags: floxif backdoor discovery evasion persistence privilege_escalation trojan upx

Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 1ffbe323071763ac2ecfac6abc9326badda79f2dd68afefc11712ef3f80fa80f

Threat Level: Known bad

The file 4079c4a296b564b3fa3dcc4e1cfd6680N.exe was found to be: Known bad.

Malicious Activity Summary

floxif backdoor discovery evasion persistence privilege_escalation trojan upx

Floxif, Floodfix

Modifies visibility of hidden/system files in Explorer

Detects Floxif payload

Event Triggered Execution: AppInit DLLs

Executes dropped EXE

Loads dropped DLL

UPX packed file

ACProtect 1.3x - 1.4x DLL software

Adds Run key to start application

Enumerates connected drives

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-08-18 06:52

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A (no per-match detail recorded)

Analysis: behavioral2

Detonation Overview

Submitted: 2024-08-18 06:52

Reported: 2024-08-18 06:54

Platform: win10v2004-20240802-en

Max time kernel: 120s

Max time network: 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4079c4a296b564b3fa3dcc4e1cfd6680N.exe"

Signatures

Floxif, Floodfix

backdoor trojan floxif

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A

Detects Floxif payload

backdoor
Description Indicator Process Target
N/A N/A N/A N/A (no per-match detail recorded)

Event Triggered Execution: AppInit DLLs

persistence privilege_escalation

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A (no per-match detail recorded)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (17 matches, none with recorded detail)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A
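The RunOnce and ShowSuperHidden rows above are the kind of registry telemetry a responder has to sort into "persistence" and "evasion" quickly, and the interesting detail here is that each dropped copy registers the other one. The script below is an added example for this report, not sandbox output: it parses rows in the exact format the tables above use (the four sample rows are constructed from the behavioral2 tables) and reports which process registered which binary. The set of key fragments treated as autostart locations and the ShowSuperHidden check are this example's own assumptions.

```python
"""Classify sandbox registry 'Set value' rows into persistence and evasion findings.

Added example for this report; it is not sandbox output. The rows in
SAMPLE_ROWS are constructed from the behavioral2 'Adds Run key' and
'Modifies visibility' tables. Which keys count as autostart locations and the
ShowSuperHidden check are this example's own assumptions.
"""
import re

# Constructed from the report: 'Set value (type) KEY = "VALUE" PROCESS TARGET'
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A',
]

ROW_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\\S+) = "(?P<value>.*)" (?P<process>\S+) (?P<target>\S+)$'
)

# Assumption: the usual Run/RunOnce locations, in any hive and either WOW6432Node view.
AUTORUN_FRAGMENTS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")


def strip_nt_prefix(path):
    """'\\??\\c:\\x' -> 'c:\\x': the sandbox logs the writing process as an NT object path."""
    path = path.lower()
    return path[4:] if path.startswith("\\??\\") else path


def command_image(value):
    """First token of a Run/RunOnce command; the sandbox doubles backslashes inside string values."""
    return value.replace("\\\\", "\\").split(" ")[0].lower()


def parse_row(row):
    m = ROW_RE.match(row)
    return m.groupdict() if m else None


def classify(rows):
    findings = {"persistence": [], "evasion": [], "cross_registration": []}
    for row in rows:
        ev = parse_row(row)
        if ev is None:
            continue
        key = ev["key"].lower()
        proc = strip_nt_prefix(ev["process"])
        if any(frag in key for frag in AUTORUN_FRAGMENTS):
            value_name = key.rsplit("\\", 1)[1]          # 'svchost' / 'explorer'
            image = command_image(ev["value"])
            findings["persistence"].append((value_name, image, proc))
            # A process registering a *different* binary means the dropped copies
            # re-register each other: deleting one RunOnce value alone is not enough.
            if image != proc:
                findings["cross_registration"].append((value_name, proc))
        elif key.endswith("\\explorer\\advanced\\showsuperhidden") and ev["value"] == "0":
            # ShowSuperHidden=0 keeps "Hide protected operating system files" enabled in Explorer.
            findings["evasion"].append(("ShowSuperHidden=0", proc))
    return findings


if __name__ == "__main__":
    for kind, items in classify(SAMPLE_ROWS).items():
        print(kind)
        for item in items:
            print("   ", item)
```

Feed it a whole behavioral section and the cross_registration list is the remediation checklist: every value in it has to be removed in the same pass as the binary it points to, or the surviving copy rewrites it on the next RunOnce cycle.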

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\e: C:\Users\Admin\AppData\Local\Temp\4079c4a296b564b3fa3dcc4e1cfd6680N.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\System\symsrv.dll C:\Users\Admin\AppData\Local\Temp\4079c4a296b564b3fa3dcc4e1cfd6680N.exe N/A
File created \??\c:\program files\common files\system\symsrv.dll.000 C:\Users\Admin\AppData\Local\Temp\4079c4a296b564b3fa3dcc4e1cfd6680N.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Resources\Themes\icsys.icn.exe C:\Users\Admin\AppData\Local\Temp\4079c4a296b564b3fa3dcc4e1cfd6680N.exe N/A
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Windows\Resources\Themes\icsys.icn.exe N/A
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\resources\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4079c4a296b564b3fa3dcc4e1cfd6680N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Resources\Themes\icsys.icn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\resources\themes\explorer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4079c4a296b564b3fa3dcc4e1cfd6680N.exe N/A (32 events)
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A (32 events)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4079c4a296b564b3fa3dcc4e1cfd6680N.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
Token: SeDebugPrivilege N/A \??\c:\windows\resources\themes\explorer.exe N/A
Token: SeDebugPrivilege N/A \??\c:\windows\resources\spoolsv.exe N/A
Token: SeDebugPrivilege N/A \??\c:\windows\resources\svchost.exe N/A
Token: SeDebugPrivilege N/A \??\c:\windows\resources\spoolsv.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3244 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\4079c4a296b564b3fa3dcc4e1cfd6680N.exe \??\c:\users\admin\appdata\local\temp\4079c4a296b564b3fa3dcc4e1cfd6680n.exe (x2)
PID 3244 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\4079c4a296b564b3fa3dcc4e1cfd6680N.exe C:\Windows\Resources\Themes\icsys.icn.exe (x3)
PID 2376 wrote to memory of 3456 N/A C:\Windows\Resources\Themes\icsys.icn.exe \??\c:\windows\resources\themes\explorer.exe (x3)
PID 3456 wrote to memory of 2776 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe (x3)
PID 2776 wrote to memory of 1400 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe (x3)
PID 1400 wrote to memory of 700 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe (x3)
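Read as a graph, the WriteProcessMemory rows above are the execution chain: sample, then icsys.icn.exe, then the explorer.exe, spoolsv.exe and svchost.exe copies under C:\Windows\Resources. The script below is an added example for this report, not sandbox output. It parses rows in the table's format (SAMPLE_ROWS is constructed from the behavioral2 table, with two rows repeated on purpose because the sandbox logs one row per write), rebuilds every root-to-leaf chain, and flags images that borrow a Windows binary name while living outside that binary's real directory. Treating the writing process as the parent is an assumption that happens to hold for this table, where every target was launched by its writer; the SYSTEM_BINARIES map of trusted directories is likewise this example's assumption.

```python
"""Rebuild the process chain from 'PID X wrote to memory of Y' sandbox rows and
flag dropped binaries that borrow Windows system-binary names.

Added example for this report; it is not sandbox output. SAMPLE_ROWS is
constructed from the behavioral2 WriteProcessMemory table. Writer == parent
and the SYSTEM_BINARIES directory map are this example's assumptions.
"""
import re

SAMPLE_ROWS = [
    r"PID 3244 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\4079c4a296b564b3fa3dcc4e1cfd6680N.exe \??\c:\users\admin\appdata\local\temp\4079c4a296b564b3fa3dcc4e1cfd6680n.exe",
    r"PID 3244 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\4079c4a296b564b3fa3dcc4e1cfd6680N.exe \??\c:\users\admin\appdata\local\temp\4079c4a296b564b3fa3dcc4e1cfd6680n.exe",
    r"PID 3244 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\4079c4a296b564b3fa3dcc4e1cfd6680N.exe C:\Windows\Resources\Themes\icsys.icn.exe",
    r"PID 2376 wrote to memory of 3456 N/A C:\Windows\Resources\Themes\icsys.icn.exe \??\c:\windows\resources\themes\explorer.exe",
    r"PID 3456 wrote to memory of 2776 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe",
    r"PID 2776 wrote to memory of 1400 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe",
    r"PID 1400 wrote to memory of 700 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe",
]

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

# Assumption: where these names live on a stock install. Anything else is a lookalike.
SYSTEM_BINARIES = {
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "spoolsv.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}


def normalize(path):
    """Lower-case and drop the NT '\\??\\' prefix the sandbox uses for some paths."""
    path = path.lower()
    return path[4:] if path.startswith("\\??\\") else path


def parse_rows(rows):
    """{(writer_pid, target_pid): (writer_path, target_path)}, repeated rows collapsed."""
    edges = {}
    for row in rows:
        m = ROW_RE.match(row)
        if m:
            src, dst, src_path, dst_path = m.groups()
            edges.setdefault((int(src), int(dst)), (normalize(src_path), normalize(dst_path)))
    return edges


def chains(edges):
    """Every root-to-leaf path through the writer->target graph, as [(pid, image), ...]."""
    children, image = {}, {}
    for (src, dst), (src_path, dst_path) in edges.items():
        children.setdefault(src, []).append(dst)
        image.setdefault(src, src_path)
        image.setdefault(dst, dst_path)
    targets = {dst for _, dst in edges}
    roots = [pid for pid in image if pid not in targets]
    out = []

    def walk(pid, trail, seen):
        trail = trail + [(pid, image[pid])]
        kids = [k for k in children.get(pid, []) if k not in seen]  # guard against cycles
        if not kids:
            out.append(trail)
        for kid in kids:
            walk(kid, trail, seen | {kid})

    for root in roots:
        walk(root, [], {root})
    return out


def masquerades(edges):
    """Images named like a Windows binary but living outside that binary's real directory."""
    hits = set()
    for pair in edges.values():
        for path in pair:
            directory, _, name = path.rpartition("\\")
            if name in SYSTEM_BINARIES and directory not in SYSTEM_BINARIES[name]:
                hits.add(path)
    return sorted(hits)


if __name__ == "__main__":
    edges = parse_rows(SAMPLE_ROWS)
    for chain in chains(edges):
        print(" -> ".join("%d:%s" % (pid, img.rpartition("\\")[2]) for pid, img in chain))
    print("lookalikes:", masquerades(edges))
```

The masquerade check is the part worth carrying into an EDR query: a process whose image name is svchost.exe or spoolsv.exe but whose directory is not System32 or SysWOW64, or an explorer.exe outside C:\Windows, is exactly what every stage of this chain looks like on disk.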

Processes

Process tree for behavioral2 (nesting and PIDs derived from the WriteProcessMemory table above; each entry gives the image path, then its command line):

C:\Users\Admin\AppData\Local\Temp\4079c4a296b564b3fa3dcc4e1cfd6680N.exe (PID 3244)
    "C:\Users\Admin\AppData\Local\Temp\4079c4a296b564b3fa3dcc4e1cfd6680N.exe"
    \??\c:\users\admin\appdata\local\temp\4079c4a296b564b3fa3dcc4e1cfd6680n.exe (PID 1636)
        c:\users\admin\appdata\local\temp\4079c4a296b564b3fa3dcc4e1cfd6680n.exe
    C:\Windows\Resources\Themes\icsys.icn.exe (PID 2376)
        C:\Windows\Resources\Themes\icsys.icn.exe
        \??\c:\windows\resources\themes\explorer.exe (PID 3456)
            c:\windows\resources\themes\explorer.exe
            \??\c:\windows\resources\spoolsv.exe (PID 2776)
                c:\windows\resources\spoolsv.exe SE
                \??\c:\windows\resources\svchost.exe (PID 1400)
                    c:\windows\resources\svchost.exe
                    \??\c:\windows\resources\spoolsv.exe (PID 700)
                        c:\windows\resources\spoolsv.exe PR

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (no writer recorded for it; an Edge utility process present in the sandbox alongside the chain)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4076,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=4328 /prefetch:8

Note the command-line switches: the two spoolsv.exe copies are started with SE and PR respectively, and the RunOnce entries above start explorer.exe and svchost.exe with RO. The second sample instance (PID 1636) runs from the sample's own path, but the file at that path listed under Files below has SHA256 e1815c4016baefba3629533fc118324da1d081578fb39a50474b7eb727d0877c, not the submitted sample's 1ffbe323071763ac2ecfac6abc9326badda79f2dd68afefc11712ef3f80fa80f, so the file was rewritten during the run.

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp 1
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp 1
US 8.8.8.8:53 5isohu.com udp 1
US 8.8.8.8:53 www.aieov.com udp 1
US 45.33.18.44:80 www.aieov.com tcp 2
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp 1
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp 1
US 8.8.8.8:53 44.18.33.45.in-addr.arpa udp 1
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp 1
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp 1
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp 1
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp 1
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp 1
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp 1
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp 1
US 8.8.8.8:53 36.56.20.217.in-addr.arpa udp 1
US 8.8.8.8:53 tse1.mm.bing.net udp 1
US 150.171.27.10:443 tse1.mm.bing.net tcp 5

Of the forward lookups, only 5isohu.com and www.aieov.com are not accounted for by reverse-DNS (in-addr.arpa) housekeeping or by the Bing host that matches the Edge helper process listed above. www.aieov.com was resolved and then contacted twice over TCP port 80 at 45.33.18.44 (whose own PTR lookup, 44.18.33.45.in-addr.arpa, also appears in the table); 5isohu.com was resolved but never contacted within the 120-second network window.
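Most rows in a sandbox network table are the image talking to itself: PTR lookups, the resolver, and whatever the pre-installed browser fetches. The script below is an added example for this report, not sandbox output; it parses rows in the table's format (SAMPLE_TABLE is constructed from a subset of the behavioral2 table) and reduces them to what the sample itself resolved and connected to, keeping "resolved but never contacted" separate because that is the set a DNS-log hunt should include. What counts as background traffic (PTR queries, non-global destinations, and hosts under the suffixes in BACKGROUND_SUFFIXES) and the resolver address are this example's assumptions, not report fields.

```python
"""Separate network indicators attributable to the sample from sandbox background traffic.

Added example for this report; it is not sandbox output. SAMPLE_TABLE is
constructed from the behavioral2 Network table. BACKGROUND_SUFFIXES, RESOLVERS
and the PTR/non-global rules are this example's assumptions.
"""
import ipaddress

SAMPLE_TABLE = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 5isohu.com udp
US 8.8.8.8:53 www.aieov.com udp
US 45.33.18.44:80 www.aieov.com tcp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 45.33.18.44:80 www.aieov.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
"""

# Assumption: hosts the sandbox image contacts on its own (browser helpers, updates).
BACKGROUND_SUFFIXES = (".bing.net", ".microsoft.com", ".windowsupdate.com")
RESOLVERS = {"8.8.8.8"}  # the sandbox's DNS resolver, as seen in the table


def parse_table(text):
    """Rows of 'Country Destination Domain Proto' into dicts; Destination is ip:port."""
    rows = []
    for line in text.splitlines():
        country, dest, domain, proto = line.split()
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain.lower(), "proto": proto})
    return rows


def is_background(row):
    """True for traffic the sandbox image generates without the sample's involvement."""
    if not ipaddress.ip_address(row["ip"]).is_global:
        return True                               # private / link-local: sandbox plumbing
    if row["domain"].endswith(".in-addr.arpa"):
        return True                               # PTR lookups, not names the sample resolved
    return row["domain"].endswith(BACKGROUND_SUFFIXES)


def extract_iocs(rows):
    """Domains the sample resolved, endpoints it connected to, and the gap between the two."""
    domains, connected, endpoints = set(), set(), {}
    for row in rows:
        if is_background(row):
            continue
        domains.add(row["domain"])
        is_lookup = row["port"] == 53 and row["ip"] in RESOLVERS
        if not is_lookup:
            key = (row["ip"], row["port"], row["proto"], row["domain"])
            endpoints[key] = endpoints.get(key, 0) + 1   # count repeated connections
            connected.add(row["domain"])
    return {
        "domains": sorted(domains),
        "endpoints": endpoints,
        "resolved_only": sorted(domains - connected),  # looked up, never contacted
    }


if __name__ == "__main__":
    for name, value in extract_iocs(parse_table(SAMPLE_TABLE)).items():
        print(name, value)
```

On the rows above this yields two domains, one endpoint (45.33.18.44:80/tcp for www.aieov.com, hit twice) and 5isohu.com in resolved_only. The allowlist is deliberately a suffix list rather than a hostname list: sandbox images change, and a new Microsoft telemetry host should not start showing up as an IOC.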

Files

Dropped files

C:\Program Files\Common Files\System\symsrv.dll
MD5 7574cf2c64f35161ab1292e2f532aabf
SHA1 14ba3fa927a06224dfe587014299e834def4644f
SHA256 de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085
SHA512 4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

C:\Users\Admin\AppData\Local\Temp\4079c4a296b564b3fa3dcc4e1cfd6680n.exe
MD5 bcc77bbcfd32b316fbbdcec25778e091
SHA1 45a72369c6262a41f096cfddc6fc91bd0ed45e75
SHA256 e1815c4016baefba3629533fc118324da1d081578fb39a50474b7eb727d0877c
SHA512 b28f472bf4519ee163c2c6fffd8aa265ccd5c07de912bdff12f8049f94a572f514e56aadb4287e93c1af6c42072b47a0a82650c2564b3fcf7cf74ff061c63cad

C:\Windows\Resources\Themes\icsys.icn.exe
MD5 79eb8391dacb6581a1330841571a9380
SHA1 6c176ae0392b0f14808260edd80621eda2a36e23
SHA256 7c2794d8eb8287889d0790ab19a240f36db8376f23a26dfca5c864a15f05a2cc
SHA512 595e8ce2ab11d2053ce1110fd1ffcc3adf64b730580f48c225328240af4ed44bc2c5019652604037b19a59a370cf79e847cdf3f96d5851a6a2884a9470beac2c

C:\Windows\Resources\Themes\explorer.exe
MD5 d3d83ff6edc5b04ca24c2c2b0ba5fe0a
SHA1 acfcd4296f64ddcfc8671ff4546ce27015e81c4a
SHA256 2273006c044d0fe1cd1807e861b57fbe4c4e80faf3166d5cd4c3dfba5e57d433
SHA512 19bf8175e123ef0b5d1628df6dfc1695c58713f8c36a9b1a43bfd49829be65dc52c1ddc176a1f7ebcfd51f903e3c857b5081145c1072fca0c8855c0e8da4743c

C:\Windows\Resources\spoolsv.exe
MD5 28e82a9ac38d1f0b944287e077f1b08e
SHA1 1c20f381e45e823cb3f9abe28996c24e42ab424f
SHA256 5975d792bec85c4740861814a07010d3f234343ceefbc2698ef9db4380fa3a6b
SHA512 817dd14793a4c45fe3f5818b2871414a522ac3297ea12559fb56c91618082e18e6e41fa5c5e971854105e325a14b5857307f61a201aaf2fbca371af07c4db7df

\??\c:\windows\resources\svchost.exe
MD5 1cd465fcc2669cddf374f0c457433fc5
SHA1 1aa6d88e11162b5c5436a13b0949b42ac1722018
SHA256 db20f2860086319b1b529c8fef91274ef430983769db01b53d7c0f03817d4f52
SHA512 ad68c035f286635acdc3774389358e18c31b1b49ee566d7e3ee4fdcc21798b94613c8ad0320170781bc6d3f96006bf1d05afc95a2514a9ac367af2e657c583d9

Memory dumps (file names follow memory/<PID>-<index>-<start>-<end>-memory.dmp). Only two regions were dumped, and both recur in every process of the chain: 0x0000000000400000-0x000000000041F000 and 0x0000000010000000-0x0000000010030000. The report does not map either region to a module.

PID 3244: indexes 0, 77 at 0x0000000000400000-0x000000000041F000; indexes 5, 60, 78 at 0x0000000010000000-0x0000000010030000
PID 2376: indexes 21, 74 at 0x0000000000400000-0x000000000041F000; indexes 24, 72, 75 at 0x0000000010000000-0x0000000010030000
PID 3456: index 95 at 0x0000000000400000-0x000000000041F000; indexes 34, 79, 81, 93 at 0x0000000010000000-0x0000000010030000
PID 2776: indexes 46, 70 at 0x0000000000400000-0x000000000041F000; indexes 47, 69 at 0x0000000010000000-0x0000000010030000
PID 1400: index 96 at 0x0000000000400000-0x000000000041F000; indexes 57, 80 at 0x0000000010000000-0x0000000010030000
PID 700: index 67 at 0x0000000000400000-0x000000000041F000; indexes 64, 66 at 0x0000000010000000-0x0000000010030000

Analysis: behavioral1

Detonation Overview

Submitted: 2024-08-18 06:52

Reported: 2024-08-18 06:54

Platform: win7-20240704-en

Max time kernel: 120s

Max time network: 72s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4079c4a296b564b3fa3dcc4e1cfd6680N.exe"

Signatures

Floxif, Floodfix

backdoor trojan floxif

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A

Detects Floxif payload

backdoor
Description Indicator Process Target
N/A N/A N/A N/A (no per-match detail recorded)

Event Triggered Execution: AppInit DLLs

persistence privilege_escalation

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A (no per-match detail recorded)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (33 matches, none with recorded detail)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\e: \??\c:\windows\resources\themes\explorer.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created \??\c:\progra~1\common~1\system\symsrv.dll.000 \??\c:\windows\resources\themes\explorer.exe N/A
File created \??\c:\progra~1\common~1\system\symsrv.dll.000 \??\c:\windows\resources\svchost.exe N/A
File created C:\Program Files\Common Files\System\symsrv.dll C:\Users\Admin\AppData\Local\Temp\4079c4a296b564b3fa3dcc4e1cfd6680N.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Resources\Themes\icsys.icn.exe C:\Users\Admin\AppData\Local\Temp\4079c4a296b564b3fa3dcc4e1cfd6680N.exe N/A
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Windows\Resources\Themes\icsys.icn.exe N/A
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4079c4a296b564b3fa3dcc4e1cfd6680N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Resources\Themes\icsys.icn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\resources\themes\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\resources\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\resources\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A (2 invocations; task name and arguments not recorded)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4079c4a296b564b3fa3dcc4e1cfd6680N.exe N/A (16 events)
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A (17 events)
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A (16 events)
N/A N/A \??\c:\windows\resources\svchost.exe N/A (15 events)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4079c4a296b564b3fa3dcc4e1cfd6680N.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
Token: SeDebugPrivilege N/A \??\c:\windows\resources\themes\explorer.exe N/A
Token: SeDebugPrivilege N/A \??\c:\windows\resources\spoolsv.exe N/A
Token: SeDebugPrivilege N/A \??\c:\windows\resources\svchost.exe N/A
Token: SeDebugPrivilege N/A \??\c:\windows\resources\spoolsv.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\schtasks.exe N/A
Token: SeDebugPrivilege N/A \??\c:\windows\resources\spoolsv.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2872 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\4079c4a296b564b3fa3dcc4e1cfd6680N.exe \??\c:\users\admin\appdata\local\temp\4079c4a296b564b3fa3dcc4e1cfd6680n.exe (x4)
PID 2872 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\4079c4a296b564b3fa3dcc4e1cfd6680N.exe C:\Windows\Resources\Themes\icsys.icn.exe (x4)
PID 2736 wrote to memory of 2524 N/A C:\Windows\Resources\Themes\icsys.icn.exe \??\c:\windows\resources\themes\explorer.exe (x4)
PID 2524 wrote to memory of 2600 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe (x4)
PID 2600 wrote to memory of 2960 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe (x4)
PID 2960 wrote to memory of 1648 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe (x4)
PID 2524 wrote to memory of 1500 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe (x4)
PID 2960 wrote to memory of 2836 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe (x2)

The first six rows are the same drop-and-launch chain seen on Windows 10. The Windows 7 run adds two targets that are not dropped copies: C:\Windows\Explorer.exe (PID 1500), the real Windows Explorer binary, written to by the dropped explorer.exe (PID 2524), and C:\Windows\SysWOW64\schtasks.exe (PID 2836), started by the dropped svchost.exe (PID 2960), which accounts for the Scheduled Task signature above.
PID 2960 wrote to memory of 2836 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2960 wrote to memory of 2836 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2524 wrote to memory of 1664 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2524 wrote to memory of 1664 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2524 wrote to memory of 1664 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2524 wrote to memory of 1664 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 1664 wrote to memory of 1360 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 1664 wrote to memory of 1360 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 1664 wrote to memory of 1360 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 1664 wrote to memory of 1360 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2960 wrote to memory of 1964 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2960 wrote to memory of 1964 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2960 wrote to memory of 1964 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2960 wrote to memory of 1964 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4079c4a296b564b3fa3dcc4e1cfd6680N.exe

"C:\Users\Admin\AppData\Local\Temp\4079c4a296b564b3fa3dcc4e1cfd6680N.exe"

\??\c:\users\admin\appdata\local\temp\4079c4a296b564b3fa3dcc4e1cfd6680n.exe 

c:\users\admin\appdata\local\temp\4079c4a296b564b3fa3dcc4e1cfd6680n.exe 

C:\Windows\Resources\Themes\icsys.icn.exe

C:\Windows\Resources\Themes\icsys.icn.exe

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 06:54 /f

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 06:55 /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 5isohu.com udp
US 8.8.8.8:53 www.aieov.com udp
US 45.56.79.23:80 www.aieov.com tcp
US 45.56.79.23:80 www.aieov.com tcp
US 45.56.79.23:80 www.aieov.com tcp
US 45.56.79.23:80 www.aieov.com tcp
US 45.56.79.23:80 www.aieov.com tcp
US 45.56.79.23:80 www.aieov.com tcp
US 45.56.79.23:80 www.aieov.com tcp
US 45.56.79.23:80 www.aieov.com tcp
US 45.56.79.23:80 www.aieov.com tcp
US 45.56.79.23:80 www.aieov.com tcp
US 45.56.79.23:80 www.aieov.com tcp
US 45.56.79.23:80 www.aieov.com tcp

Files

memory/2872-0-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2872-4-0x0000000010000000-0x0000000010030000-memory.dmp

\Program Files\Common Files\System\symsrv.dll

MD5 7574cf2c64f35161ab1292e2f532aabf
SHA1 14ba3fa927a06224dfe587014299e834def4644f
SHA256 de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085
SHA512 4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

\Users\Admin\AppData\Local\Temp\4079c4a296b564b3fa3dcc4e1cfd6680n.exe 

MD5 bcc77bbcfd32b316fbbdcec25778e091
SHA1 45a72369c6262a41f096cfddc6fc91bd0ed45e75
SHA256 e1815c4016baefba3629533fc118324da1d081578fb39a50474b7eb727d0877c
SHA512 b28f472bf4519ee163c2c6fffd8aa265ccd5c07de912bdff12f8049f94a572f514e56aadb4287e93c1af6c42072b47a0a82650c2564b3fcf7cf74ff061c63cad

memory/2872-25-0x00000000023E0000-0x00000000023FF000-memory.dmp

C:\Windows\Resources\Themes\icsys.icn.exe

MD5 79eb8391dacb6581a1330841571a9380
SHA1 6c176ae0392b0f14808260edd80621eda2a36e23
SHA256 7c2794d8eb8287889d0790ab19a240f36db8376f23a26dfca5c864a15f05a2cc
SHA512 595e8ce2ab11d2053ce1110fd1ffcc3adf64b730580f48c225328240af4ed44bc2c5019652604037b19a59a370cf79e847cdf3f96d5851a6a2884a9470beac2c

memory/2736-30-0x0000000010000000-0x0000000010030000-memory.dmp

memory/2736-35-0x00000000752E3000-0x00000000752E4000-memory.dmp

\Windows\Resources\Themes\explorer.exe

MD5 057aacb4ebfd5762676941a3c58de424
SHA1 7d03426e3d18931a4751b6b367958df7893bc45c
SHA256 78dc41e5cafaa0d9fb796c49e0e798963697a4e44d137b735895e66fe0d7c9d7
SHA512 511e872f4426a2ba30d6f9215be22351fe6096725476225c98cf069e429200ec61cfc455c37db45c262e0107498cf35475aee0650cc9499b01584c6eda5a9f7a

memory/2524-43-0x0000000010000000-0x0000000010030000-memory.dmp

\Windows\Resources\spoolsv.exe

MD5 4d40ed4a20dfe72dc7330f4ab39551cc
SHA1 08212ee82469285a3119753f4c52033da1623eff
SHA256 13fc968e3f4d1135efdfde0db72df2392735bc07590f00448d0dce9f54671787
SHA512 946ae6c2f300b66c17ed438a7b7998b2bed071a1b29300555de7493bd5754da1f9917b33d9548bfdb3074a239f17d4371466c3511476d31b4fe8e0f9e94f5106

memory/2872-55-0x0000000010000000-0x0000000010030000-memory.dmp

memory/2600-56-0x0000000010000000-0x0000000010030000-memory.dmp

\Windows\Resources\svchost.exe

MD5 f9a25e707bad0a292792fa63c59c19bd
SHA1 565d9f6160c9d3df72887cb446221cdd8f9d491e
SHA256 58d07c89ba7caf754b2e8338d1672160a15e5037fd8f03ad2251909b99d83044
SHA512 b0d03ee76a6ff354ba195b422cbfe8a4770a0308feac11d17b70ccf2fb5522f96a003d30df8db240f0481d26b9f78a024b183416a880b0439339d043607c63f8

memory/2736-68-0x0000000010000000-0x0000000010030000-memory.dmp

memory/2960-71-0x0000000010000000-0x0000000010030000-memory.dmp

memory/2960-75-0x0000000000300000-0x000000000031F000-memory.dmp

memory/1648-78-0x0000000010000000-0x0000000010030000-memory.dmp

memory/1648-84-0x0000000010000000-0x0000000010030000-memory.dmp

memory/1648-83-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2600-86-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2600-87-0x0000000010000000-0x0000000010030000-memory.dmp

memory/2736-89-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2736-88-0x0000000010000000-0x0000000010030000-memory.dmp

memory/2872-92-0x0000000010000000-0x0000000010030000-memory.dmp

memory/2872-91-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2524-95-0x0000000010000000-0x0000000010030000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A1D26E2\4F39868B38.tmp

MD5 58c7072a2d72677dc91e19d743a8ddd6
SHA1 d4371f8388067cde9b04bfa4712134ce1fa0e813
SHA256 9d1f6866a6b0ca605b783882bd389f3d5fc4f27c1353ab0ad3c9e8884ca2e93c
SHA512 87cf99575a8bf4b296d7e5586c33f3ff18ad6d6fc1e300e1dd3bb48d66e956c32c70f555c42f8ea0954d732bc6cdf4f651d2eabb965a355f1d35f707995a56fd

memory/2836-94-0x0000000010000000-0x0000000010030000-memory.dmp

memory/2836-97-0x0000000010000000-0x0000000010030000-memory.dmp

memory/1664-102-0x0000000010000000-0x0000000010030000-memory.dmp

memory/1664-106-0x0000000001E00000-0x0000000001E1F000-memory.dmp

memory/2960-109-0x0000000010000000-0x0000000010030000-memory.dmp

memory/1360-110-0x0000000010000000-0x0000000010030000-memory.dmp

memory/1360-119-0x0000000010000000-0x0000000010030000-memory.dmp

memory/1360-118-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1664-117-0x0000000010000000-0x0000000010030000-memory.dmp

memory/1664-116-0x0000000000400000-0x000000000041F000-memory.dmp

\??\c:\progra~1\common~1\system\symsrv.dll.000

MD5 1130c911bf5db4b8f7cf9b6f4b457623
SHA1 48e734c4bc1a8b5399bff4954e54b268bde9d54c
SHA256 eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1
SHA512 94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0

memory/2524-122-0x0000000010000000-0x0000000010030000-memory.dmp

memory/2960-123-0x0000000010000000-0x0000000010030000-memory.dmp

memory/2524-126-0x0000000010000000-0x0000000010030000-memory.dmp

memory/2524-130-0x0000000010000000-0x0000000010030000-memory.dmp

memory/2960-131-0x0000000010000000-0x0000000010030000-memory.dmp

memory/2524-134-0x0000000010000000-0x0000000010030000-memory.dmp

memory/2524-139-0x0000000010000000-0x0000000010030000-memory.dmp

memory/2524-143-0x0000000010000000-0x0000000010030000-memory.dmp

memory/1964-145-0x0000000010000000-0x0000000010030000-memory.dmp

memory/1964-147-0x0000000010000000-0x0000000010030000-memory.dmp

memory/2524-148-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2960-149-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2960-152-0x0000000000300000-0x000000000031F000-memory.dmp

memory/2524-153-0x00000000003E0000-0x00000000003FF000-memory.dmp