Malware Analysis Report

2024-12-08 02:50

Sample ID 240818-shjg2ayhqa
Target a4d36d6061527d3e3915d97f688e4e50N.exe
SHA256 5ef5eb5cd1f22d202ee122e198605c636f779ead5cfc5b2b184555de4ea404ac
Tags
floxif backdoor bootkit discovery persistence trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5ef5eb5cd1f22d202ee122e198605c636f779ead5cfc5b2b184555de4ea404ac

Threat Level: Known bad

The file a4d36d6061527d3e3915d97f688e4e50N.exe was found to be: Known bad.

Malicious Activity Summary

floxif backdoor bootkit discovery persistence trojan upx

Floxif, Floodfix

Detects Floxif payload

Executes dropped EXE

ACProtect 1.3x - 1.4x DLL software

Drops startup file

UPX packed file

Loads dropped DLL

Network Service Discovery

Writes to the Master Boot Record (MBR)

Drops file in System32 directory

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: RenamesItself

Suspicious behavior: LoadsDriver

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Suspicious behavior: AddClipboardFormatListener

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-18 15:07

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-18 15:07

Reported

2024-08-18 15:09

Platform

win7-20240708-en

Max time kernel

118s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe"

Signatures

Floxif, Floodfix

backdoor trojan floxif

Detects Floxif payload

backdoor
Description Indicator Process Target
N/A N/A N/A N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BFA1C7.lnk C:\Windows\SysWOW64\70B97F\BFA1C7.EXE N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\70B97F\BFA1C7.EXE N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\70B97F\BFA1C7.EXE N/A
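Both the original sample and the dropped BFA1C7.EXE open \??\PhysicalDrive0 for modification, which is the raw disk object an MBR bootkit writes to. The sandbox only records the open, not what was written, so a responder wants to pull sector 0 from the affected host and compare it with a known-good copy. The following is an added example (not part of the report or the sandbox vendor's tooling) that parses a 512-byte MBR, fingerprints the bootstrap region that classic bootkits overwrite, and diffs two sectors. The sample sector it builds is constructed test data, not bytes recovered from this detonation; read_mbr_windows() is the real-world read and needs an elevated prompt.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440          # bootstrap code: the region a classic MBR bootkit overwrites
DISK_SIG_OFF = 440           # 4-byte Windows disk signature
PART_TABLE_OFF = 446         # four 16-byte partition entries
PART_ENTRY_FMT = "<B3sB3sII" # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIG_OFF = 510           # 0x55 0xAA


def build_sample_mbr(boot_code: bytes, disk_sig: int = 0x1234ABCD) -> bytes:
    """Constructed test data: a minimal MBR with one bootable NTFS partition.

    Not taken from the sample; it exists so the checks below run offline."""
    sector = bytearray(SECTOR_SIZE)
    code = boot_code[:BOOT_CODE_LEN]
    sector[:len(code)] = code
    struct.pack_into("<I", sector, DISK_SIG_OFF, disk_sig)
    entry = struct.pack(PART_ENTRY_FMT, 0x80, b"\x20\x21\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 204800)
    sector[PART_TABLE_OFF:PART_TABLE_OFF + 16] = entry
    sector[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] = b"\x55\xaa"
    return bytes(sector)


def parse_mbr(sector: bytes) -> dict:
    """Decode the fields an analyst compares between a baseline and a suspect MBR."""
    if len(sector) < SECTOR_SIZE:
        raise ValueError("an MBR is one 512-byte sector")
    partitions = []
    for slot in range(4):
        off = PART_TABLE_OFF + slot * 16
        status, _, ptype, _, lba, count = struct.unpack_from(PART_ENTRY_FMT, sector, off)
        if ptype == 0:       # empty slot
            continue
        partitions.append({"slot": slot, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba, "sectors": count})
    return {
        "boot_signature_ok": sector[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] == b"\x55\xaa",
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def diff_mbr(baseline: bytes, current: bytes) -> list:
    """Human-readable findings; an empty list means sector 0 is unchanged."""
    a, b = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not b["boot_signature_ok"]:
        findings.append("boot signature 55AA missing: sector is not a valid MBR")
    if a["boot_code_sha256"] != b["boot_code_sha256"]:
        findings.append("bootstrap code (bytes 0-439) modified")
    if a["disk_signature"] != b["disk_signature"]:
        findings.append("disk signature changed")
    if a["partitions"] != b["partitions"]:
        findings.append("partition table changed")
    return findings


def read_mbr_windows(device: str = r"\\.\PhysicalDrive0") -> bytes:
    r"""Read the live MBR on Windows (requires an elevated prompt).

    \\.\PhysicalDrive0 is the Win32 name of the NT object \??\PhysicalDrive0
    that both processes in this report opened for modification."""
    with open(device, "rb") as fh:
        return fh.read(SECTOR_SIZE)


if __name__ == "__main__":
    clean = build_sample_mbr(bytes.fromhex("fa33c08ed0bc007c8bf0"))
    tampered = bytearray(clean)
    tampered[0:3] = b"\xeb\x00\x90"   # simulate a hooked first instruction
    print(diff_mbr(clean, bytes(tampered)))
```

Compare against an MBR captured before the incident, or against the image of a freshly installed machine of the same build; a hash of the bootstrap region alone is enough to catch an overwrite, while the partition-table diff separates a bootkit from a benign repartition.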

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\70B97F\cnvpe.fne C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe N/A
File created C:\Windows\SysWOW64\70B97F\internet.fne C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe N/A
File created C:\Windows\SysWOW64\70B97F\spec_a.fne C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe N/A
File opened for modification C:\Windows\SysWOW64\70B97F\RegEx.fnr C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe N/A
File created C:\Windows\SysWOW64\70B97F\krnln.fnr C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe N/A
File opened for modification C:\Windows\SysWOW64\70B97F\krnln.fnr C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe N/A
File created C:\Windows\SysWOW64\70B97F\shell.fne C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe N/A
File opened for modification C:\Windows\SysWOW64\70B97F\internet.fne C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe N/A
File created C:\Windows\SysWOW64\70B97F\BFA1C7.EXE C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe N/A
File opened for modification C:\Windows\SysWOW64\497A92\7fe4.edt C:\Windows\SysWOW64\70B97F\BFA1C7.EXE N/A
File created C:\Windows\SysWOW64\497A92\7fe4.inf C:\Windows\SysWOW64\70B97F\BFA1C7.EXE N/A
File opened for modification C:\Windows\SysWOW64\70B97F C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe N/A
File created C:\Windows\SysWOW64\70B97F\dp1.fne C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe N/A
File opened for modification C:\Windows\SysWOW64\70B97F\eAPI.fne C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe N/A
File opened for modification C:\Windows\SysWOW64\70B97F\shell.fne C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe N/A
File created C:\Windows\SysWOW64\70B97F\spec.fne C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe N/A
File opened for modification C:\Windows\SysWOW64\70B97F\com.run C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe N/A
File created C:\Windows\SysWOW64\EBFA1C\A1C7046D.TXT C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe N/A
File created C:\Windows\SysWOW64\497A92\7fe4.EDT C:\Windows\SysWOW64\70B97F\BFA1C7.EXE N/A
File created C:\Windows\SysWOW64\70B97F\cnvpe.fne C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe N/A
File opened for modification C:\Windows\SysWOW64\70B97F\dp1.fne C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe N/A
File created C:\Windows\SysWOW64\70B97F\eAPI.fne C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe N/A
File opened for modification C:\Windows\SysWOW64\70B97F\spec.fne C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe N/A
File opened for modification C:\Windows\SysWOW64\70B97F\BFA1C7.EXE C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe N/A
File opened for modification C:\Windows\SysWOW64\A92EFF C:\Windows\SysWOW64\70B97F\BFA1C7.EXE N/A
File opened for modification C:\Windows\SysWOW64\EBFA1C C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe N/A
File created C:\Windows\SysWOW64\70B97F\RegEx.fnr C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe N/A
File opened for modification C:\Windows\SysWOW64\497A92 C:\Windows\SysWOW64\70B97F\BFA1C7.EXE N/A
File opened for modification C:\Windows\SysWOW64\497A92\d170.inf C:\Windows\SysWOW64\70B97F\BFA1C7.EXE N/A
File opened for modification C:\Windows\SysWOW64\EBFA1C\A1C7046D.TXT C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe N/A
File created C:\Windows\SysWOW64\70B97F\com.run C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe N/A
File opened for modification C:\Windows\SysWOW64\497A92\7fe4.inf C:\Windows\SysWOW64\70B97F\BFA1C7.EXE N/A
File created C:\Windows\SysWOW64\497A92\d170.inf C:\Windows\SysWOW64\70B97F\BFA1C7.EXE N/A
File opened for modification C:\Windows\SysWOW64\497A92\7fe4.EDT C:\Windows\SysWOW64\70B97F\BFA1C7.EXE N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\System\symsrv.dll C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe N/A
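The file drops above carry two independent fingerprints. krnln.fnr plus the .fne modules (eAPI, shell, dp1, spec, internet, cnvpe, RegEx.fnr, com.run) are the runtime support libraries of Easy Programming Language (EPL, 易语言); EPL-compiled programs unpack them to a temp folder named E_N4 (seen under Files below) or, as here, to a directory of their choosing. Plenty of legitimate Chinese software ships the same set, so the runtime alone proves only the compiler, not malice. The combination that matters is the runtime dropped into a six-hex-character directory under SysWOW64 next to a six-hex-character .EXE, a Startup .lnk with the same name, symsrv.dll written to Program Files\Common Files\System (the file most associated with Floxif), and the PhysicalDrive0 write. The following is an added example, not part of the report or the sandbox vendor's tooling, that runs those rules over rows shaped like the tables above; the event list inside it is constructed from this report's behavioral1 rows.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# EPL runtime support libraries (names compared case-insensitively)
EPL_RUNTIME = {"krnln.fnr", "eapi.fne", "shell.fne", "dp1.fne", "spec.fne", "spec_a.fne",
               "internet.fne", "regex.fnr", "cnvpe.fne", "com.run"}
HEX6 = re.compile(r"^[0-9a-f]{6}$", re.I)
SYSWOW64 = "c:\\windows\\syswow64\\"
STARTUP = "\\start menu\\programs\\startup\\"
SYMSRV = "c:\\program files\\common files\\system\\symsrv.dll"

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe"
DROPPED = r"C:\Windows\SysWOW64\70B97F\BFA1C7.EXE"

# Constructed from the behavioral1 tables: (description, indicator, process)
REPORT_EVENTS = [
    ("File created", r"C:\Windows\SysWOW64\70B97F\krnln.fnr", SAMPLE),
    ("File created", r"C:\Windows\SysWOW64\70B97F\eAPI.fne", SAMPLE),
    ("File created", r"C:\Windows\SysWOW64\70B97F\shell.fne", SAMPLE),
    ("File created", r"C:\Windows\SysWOW64\70B97F\dp1.fne", SAMPLE),
    ("File created", r"C:\Windows\SysWOW64\70B97F\com.run", SAMPLE),
    ("File created", r"C:\Windows\SysWOW64\70B97F\BFA1C7.EXE", SAMPLE),
    ("File created", r"C:\Windows\SysWOW64\EBFA1C\A1C7046D.TXT", SAMPLE),
    ("File created", r"C:\Program Files\Common Files\System\symsrv.dll", SAMPLE),
    ("File created", r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BFA1C7.lnk", DROPPED),
    ("File opened for modification", r"\??\PhysicalDrive0", SAMPLE),
    ("File opened for modification", r"\??\PhysicalDrive0", DROPPED),
]


def fingerprint(events):
    """Return (rule, detail) pairs. 'epl-runtime' on its own is informational;
    the other rules are the Floxif-style behaviour this report documents."""
    epl_by_dir = defaultdict(set)
    exe_by_dir = defaultdict(set)      # SysWOW64\<hex6>\ -> {<hex6> stems}
    startup_lnk = set()
    mbr_writers = []
    symsrv = False
    for desc, path, proc in events:
        low = path.lower()
        if low.endswith("physicaldrive0") and desc.startswith("File opened for modification"):
            if proc not in mbr_writers:
                mbr_writers.append(proc)
            continue
        p = PureWindowsPath(path)
        parent = str(p.parent).lower()
        name = p.name.lower()
        if not desc.startswith("File created"):
            continue
        if name in EPL_RUNTIME:
            epl_by_dir[parent].add(name)
        if low == SYMSRV:
            symsrv = True
        if (name.endswith(".exe") and parent.startswith(SYSWOW64)
                and HEX6.match(p.stem) and HEX6.match(p.parent.name)):
            exe_by_dir[parent].add(p.stem.lower())
        if name.endswith(".lnk") and STARTUP in low:
            startup_lnk.add(p.stem.lower())

    hits = []
    for d, names in epl_by_dir.items():
        if len(names) >= 3:
            hits.append(("epl-runtime", f"{len(names)} EPL runtime files dropped to {d}"))
    for d, stems in exe_by_dir.items():
        hits.append(("syswow64-hex-drop", f"random-hex EXE under {d}: {sorted(stems)}"))
    if symsrv:
        hits.append(("symsrv-dll", SYMSRV))
    dropped_stems = set().union(*exe_by_dir.values()) if exe_by_dir else set()
    for stem in sorted(startup_lnk & dropped_stems):
        hits.append(("startup-lnk", f"Startup shortcut {stem}.lnk points at dropped {stem}.exe"))
    for proc in mbr_writers:
        hits.append(("mbr-write", f"{proc} opened PhysicalDrive0 for modification"))
    return hits


if __name__ == "__main__":
    for rule, detail in fingerprint(REPORT_EVENTS):
        print(f"{rule:20} {detail}")
```

Run the same rows from behavioral2 through it and the hits repeat with 9E3B3C\E37CC5.EXE and E37CC5.lnk, which is the point: the directory and file names are regenerated per infection, so the detection keys on the shape of the drop rather than on any one name or hash.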

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\arp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\arp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\arp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\arp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\arp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\arp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\arp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\arp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\arp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\70B97F\BFA1C7.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key deleted \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TypedURLs C:\Windows\SysWOW64\70B97F\BFA1C7.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\70B97F\BFA1C7.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" C:\Windows\explorer.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 200000001a00eebbfe2300001000d09ad3fd8f23af46adb46c85480369c700000000 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000 C:\Windows\explorer.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2180 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe C:\Windows\SysWOW64\arp.exe
PID 2180 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe C:\Windows\SysWOW64\arp.exe
PID 2180 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe C:\Windows\SysWOW64\arp.exe
PID 2180 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe C:\Windows\SysWOW64\arp.exe
PID 2180 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe C:\Windows\SysWOW64\arp.exe
PID 2180 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe C:\Windows\SysWOW64\arp.exe
PID 2180 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe C:\Windows\SysWOW64\arp.exe
PID 2180 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe C:\Windows\SysWOW64\arp.exe
PID 2180 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe C:\Windows\SysWOW64\arp.exe
PID 2180 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe C:\Windows\SysWOW64\arp.exe
PID 2180 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe C:\Windows\SysWOW64\arp.exe
PID 2180 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe C:\Windows\SysWOW64\arp.exe
PID 2180 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe C:\Windows\SysWOW64\arp.exe
PID 2180 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe C:\Windows\SysWOW64\arp.exe
PID 2180 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe C:\Windows\SysWOW64\arp.exe
PID 2180 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe C:\Windows\SysWOW64\arp.exe
PID 2180 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe C:\Windows\SysWOW64\arp.exe
PID 2180 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe C:\Windows\SysWOW64\arp.exe
PID 2180 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe C:\Windows\SysWOW64\arp.exe
PID 2180 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe C:\Windows\SysWOW64\arp.exe
PID 2180 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe C:\Windows\SysWOW64\arp.exe
PID 2180 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe C:\Windows\SysWOW64\arp.exe
PID 2180 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe C:\Windows\SysWOW64\arp.exe
PID 2180 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe C:\Windows\SysWOW64\arp.exe
PID 2180 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe C:\Windows\SysWOW64\arp.exe
PID 2180 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe C:\Windows\SysWOW64\arp.exe
PID 2180 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe C:\Windows\SysWOW64\arp.exe
PID 2180 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe C:\Windows\SysWOW64\arp.exe
PID 2180 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe C:\Windows\SysWOW64\arp.exe
PID 2180 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe C:\Windows\SysWOW64\arp.exe
PID 2180 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe C:\Windows\SysWOW64\arp.exe
PID 2180 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe C:\Windows\SysWOW64\arp.exe
PID 2180 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe C:\Windows\SysWOW64\arp.exe
PID 2180 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe C:\Windows\SysWOW64\arp.exe
PID 2180 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe C:\Windows\SysWOW64\arp.exe
PID 2180 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe C:\Windows\SysWOW64\arp.exe
PID 2180 wrote to memory of 264 N/A C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe C:\Windows\SysWOW64\explorer.exe
PID 2180 wrote to memory of 264 N/A C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe C:\Windows\SysWOW64\explorer.exe
PID 2180 wrote to memory of 264 N/A C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe C:\Windows\SysWOW64\explorer.exe
PID 2180 wrote to memory of 264 N/A C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe C:\Windows\SysWOW64\explorer.exe
PID 2180 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe C:\Windows\SysWOW64\70B97F\BFA1C7.EXE
PID 2180 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe C:\Windows\SysWOW64\70B97F\BFA1C7.EXE
PID 2180 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe C:\Windows\SysWOW64\70B97F\BFA1C7.EXE
PID 2180 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe C:\Windows\SysWOW64\70B97F\BFA1C7.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe

"C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe"

C:\Windows\SysWOW64\arp.exe

arp -a

C:\Windows\SysWOW64\arp.exe

arp -s 10.127.0.1 8e-af-0c-29-ff-f6

C:\Windows\SysWOW64\arp.exe

arp -s 10.127.255.255 d3-a8-14-e8-fb-8a

C:\Windows\SysWOW64\arp.exe

arp -s 37.27.61.182 61-ce-f6-11-d1-10

C:\Windows\SysWOW64\arp.exe

arp -s 224.0.0.22 5b-1a-ea-45-f3-45

C:\Windows\SysWOW64\arp.exe

arp -s 224.0.0.251 51-a7-d1-5f-9a-97

C:\Windows\SysWOW64\arp.exe

arp -s 224.0.0.252 13-e9-9a-24-61-c0

C:\Windows\SysWOW64\arp.exe

arp -s 239.255.255.250 df-cb-bf-ef-e0-c3

C:\Windows\SysWOW64\arp.exe

arp -s 255.255.255.255 32-e8-58-d7-22-eb

C:\Windows\SysWOW64\explorer.exe

explorer C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Windows\SysWOW64\70B97F\BFA1C7.EXE

C:\Windows\system32\70B97F\BFA1C7.EXE
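The process tree shows the sample listing the ARP cache and then adding eight static entries: one for the gateway 10.127.0.1, one for the subnet broadcast, one for the public address 37.27.61.182, four for multicast groups (IGMP, mDNS, LLMNR, SSDP) and one for the limited broadcast 255.255.255.255. The MACs look random, and in six of the eight the first octet has its low bit set, which marks a group address that no host NIC uses as its unicast address. A static entry with a wrong MAC for the default gateway silently blackholes every off-subnet frame, so this is worth flagging on any host where it appears. Below is an added example, not part of the report or the sandbox vendor's tooling, that parses arp -s command lines and classifies each entry; the sandbox subnet 10.127.0.0/16 and gateway 10.127.0.1 are assumptions inferred from the entries themselves, and the command list is copied from the process tree above.

```python
import ipaddress
import re

# "arp -s <ip> <mac>" as logged in the process tree; accepts a full path, arp.exe and colon MACs
ARP_STATIC = re.compile(r"^\s*(?:.*\\)?arp(?:\.exe)?\s+-s\s+(\S+)\s+(\S+)", re.I)

# Assumed for this sandbox: inferred from the gateway and broadcast entries the sample added
LOCAL_NET = ipaddress.ip_network("10.127.0.0/16")
GATEWAY = ipaddress.ip_address("10.127.0.1")

REPORT_ARP_COMMANDS = [
    "arp -a",
    "arp -s 10.127.0.1 8e-af-0c-29-ff-f6",
    "arp -s 10.127.255.255 d3-a8-14-e8-fb-8a",
    "arp -s 37.27.61.182 61-ce-f6-11-d1-10",
    "arp -s 224.0.0.22 5b-1a-ea-45-f3-45",
    "arp -s 224.0.0.251 51-a7-d1-5f-9a-97",
    "arp -s 224.0.0.252 13-e9-9a-24-61-c0",
    "arp -s 239.255.255.250 df-cb-bf-ef-e0-c3",
    "arp -s 255.255.255.255 32-e8-58-d7-22-eb",
]


def parse_arp_static(cmdline: str):
    """(ip, mac) for an 'arp -s' line, None for anything else (e.g. 'arp -a')."""
    m = ARP_STATIC.match(cmdline)
    if not m:
        return None
    return ipaddress.ip_address(m.group(1)), m.group(2).lower().replace(":", "-")


def mac_flags(mac: str) -> dict:
    """Bits of the first octet: I/G (group address) and U/L (locally administered)."""
    first = int(mac.split("-")[0], 16)
    return {"group_bit": bool(first & 0x01), "locally_administered": bool(first & 0x02)}


def classify_target(ip, local_net=LOCAL_NET, gateway=GATEWAY) -> str:
    if ip == ipaddress.ip_address("255.255.255.255"):
        return "limited-broadcast"
    if ip.is_multicast:
        return "multicast"
    if ip == local_net.broadcast_address:
        return "subnet-broadcast"
    if ip == gateway:
        return "default-gateway"
    if ip in local_net:
        return "local-host"
    if ip.is_global:
        return "external-host"
    return "other"


def assess_arp_commands(cmdlines, local_net=LOCAL_NET, gateway=GATEWAY) -> list:
    """One finding per static entry, with the reasons a responder would flag it."""
    findings = []
    for cmd in cmdlines:
        parsed = parse_arp_static(cmd)
        if parsed is None:
            continue
        ip, mac = parsed
        kind = classify_target(ip, local_net, gateway)
        flags = mac_flags(mac)
        reasons = []
        if kind == "default-gateway":
            reasons.append("static gateway entry: a wrong MAC blackholes all off-subnet traffic")
        if kind in ("multicast", "limited-broadcast", "subnet-broadcast"):
            reasons.append("unicast MAC pinned to a group/broadcast address")
        if kind == "external-host":
            reasons.append("off-link address: ARP only resolves on-link neighbours")
        if flags["group_bit"]:
            reasons.append("MAC has the I/G bit set: not a valid unicast host address")
        findings.append({"ip": str(ip), "mac": mac, "kind": kind,
                         "flags": flags, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in assess_arp_commands(REPORT_ARP_COMMANDS):
        print(f"{f['ip']:16} {f['mac']}  {f['kind']:18} {'; '.join(f['reasons'])}")
```

On a live host the same checks apply to the output of arp -a: static entries for the gateway, for 224.0.0.0/4 or for 255.255.255.255 are not something Windows creates on its own. One more reading note on the last process entry: the dropped EXE is launched as C:\Windows\system32\70B97F\BFA1C7.EXE although every write went to C:\Windows\SysWOW64\70B97F; for a 32-bit process WOW64 file-system redirection maps System32 to SysWOW64, so both spellings name the same file.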

Network

N/A

Files

memory/1732-102-0x00000000020E0000-0x00000000020F0000-memory.dmp

memory/2180-98-0x0000000010000000-0x0000000010032000-memory.dmp

memory/2180-97-0x0000000000400000-0x0000000000472000-memory.dmp

\Windows\SysWOW64\70B97F\BFA1C7.EXE

MD5 92cb3a9a0807fa40b62fdad073ba712a
SHA1 34c22e6c87fc85242a6b84ad3c2cb32341dae43e
SHA256 381f079ba319041c818b55aa1e3a687bd562d3ded1c0bc02eb591c5c031103e8
SHA512 99556a91a6183e568f62a47a167dc45bbbb9a8bd561d83d1ccedeb9d7e260252813f204cc70ec099bd0f2649b28aa16e52f5e9f0b9d531d7ccd462c9521583af

memory/1732-92-0x0000000002010000-0x000000000206D000-memory.dmp

\Windows\SysWOW64\70B97F\eAPI.fne

MD5 936745bac5c873ab1a91478d27894626
SHA1 9ed92393f95692339ce03a8f1498f80c727e0555
SHA256 edfbe514d330e942ecd50dd7331659d59df27668e762d5a00e43df67f5f08630
SHA512 32d15337ab7a62ff25802c04bd782f5be36012f1a5251d962226a8e8e2daa7bc0a35b9cbfb67889d3b9dbc5f6cc51f924bae963ae12619249b22f2cc9aa2bbd4

memory/1036-80-0x0000000003D10000-0x0000000003D20000-memory.dmp

memory/1732-79-0x0000000000520000-0x000000000053E000-memory.dmp

\Windows\SysWOW64\70B97F\dp1.fne

MD5 6d4b2e73f6f8ecff02f19f7e8ef9a8c7
SHA1 09c32ca167136a17fd69df8c525ea5ffeca6c534
SHA256 fe5783e64aa70fac10c2e42d460732d9770534357329d8bc78576557c165f040
SHA512 2fd7a95cb632e9c4ac6b34e5b6b875aae94e73cd4b1f213e78f46dadab4846227a030776461bca08f9d75a1d61a0d45427f7b0c8b71406b7debc14db04b2ce04

memory/1732-76-0x0000000000290000-0x00000000002A1000-memory.dmp

\Windows\SysWOW64\70B97F\shell.fne

MD5 d54753e7fc3ea03aec0181447969c0e8
SHA1 824e7007b6569ae36f174c146ae1b7242f98f734
SHA256 192608ff371400c1529aa05f1adba0fe4fdd769fcbf35ee5f8b4f78a838a7ec9
SHA512 c25ed4cb38d5d5e95a267979f0f3f9398c04a1bf5822dceb03d6f6d9b4832dfb227f1e6868327e52a0303f45c36b9ba806e75b16bd7419a7c5203c2ecbae838f

memory/1732-72-0x00000000003B0000-0x00000000003FA000-memory.dmp

\Windows\SysWOW64\70B97F\com.run

MD5 ce2f773275d3fe8b78f4cf067d5e6a0f
SHA1 b7135e34d46eb4303147492d5cee5e1ef7b392ab
SHA256 eb8099c0ad2d82d9d80530443e2909f3b34be0844d445e844f1c994476c86d2d
SHA512 d733dc01c047be56680629a385abdd2aa1598a2b5459269028446da9097b6f6c1e7ade5b74e3ac3809dd8a3f8d1cbbe7fd669f2762be61f9c38fd4a2cca9e063

\Windows\SysWOW64\70B97F\krnln.fnr

MD5 cf46bb62a1ba559ceb0fad7a5d642f28
SHA1 80b63dd193e84bfacbe535587dd38471b8ea2c24
SHA256 fe4bba1a99b332c8bbd196d3a2f3c78d9edc8f212842ff2efef17eba38427f67
SHA512 1f71f31fdc1ef7695d7a6e79218a9192804178bb2af80486de4f8ff3d7e176860813a61fa265bf78fe4ff722a85b72798938d715d8a2a034ac759505197a1058

memory/1732-68-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2180-67-0x0000000001FF0000-0x000000000200F000-memory.dmp

memory/2180-66-0x0000000001FF0000-0x000000000200F000-memory.dmp

memory/2180-49-0x00000000003E0000-0x00000000003F4000-memory.dmp

\Users\Admin\AppData\Local\Temp\E_N4\cnvpe.fne

MD5 fb7ea6f8ae09fa7621ee13f86c4f2935
SHA1 d93676c39ad0181dad70a662c41fc4c280cce848
SHA256 bdc314d45af6a5afaed2663e63817902e80f9a18ba1965947c314b433e05bfb0
SHA512 e15111dda54bcab507c20e910f8257d2dec2830bfbc5f69e5286ce37cabb79237ce8fb1c813b2d82fa7bed0c2df89e2940ceebde358162553290224cf0866749

memory/2180-23-0x00000000003C0000-0x00000000003DE000-memory.dmp

memory/2180-20-0x00000000002A0000-0x00000000002B1000-memory.dmp

memory/2180-16-0x0000000002E40000-0x0000000002F5D000-memory.dmp

memory/2180-8-0x0000000000403000-0x0000000000404000-memory.dmp

memory/2180-4-0x0000000010000000-0x0000000010032000-memory.dmp

\Program Files\Common Files\System\symsrv.dll

MD5 0609f5fe5fee88412b62aacafc43aedc
SHA1 e36ebd88d34a8b9af2808eb156f108ffc30d6a26
SHA256 b2e599e330c75124b46da9091b2546acff6dddc56d0f21d20e1af892f3ac07d6
SHA512 63f2ce803eed240ea27fcbef2658645a654b157dc8b2c630719bbe16de109467b28de81179cc99625c074dec4b8aa1c473798bcf48a3b394c8ea0be9edecc2d0

memory/2180-1-0x0000000000400000-0x0000000000472000-memory.dmp

memory/1732-105-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1732-106-0x00000000020E0000-0x00000000020F0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-18 15:07

Reported

2024-08-18 15:09

Platform

win10v2004-20240802-en

Max time kernel

102s

Max time network

103s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe"

Signatures

Floxif, Floodfix

backdoor trojan floxif

Detects Floxif payload

backdoor
Description Indicator Process Target
N/A N/A N/A N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\E37CC5.lnk C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\9E3B3C\spec_a.fne C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe N/A
File opened for modification C:\Windows\SysWOW64\1A2F16 C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE N/A
File opened for modification C:\Windows\SysWOW64\C021A2\3c8c.EDT C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE N/A
File created C:\Windows\SysWOW64\9E3B3C\eAPI.fne C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe N/A
File created C:\Windows\SysWOW64\9E3B3C\RegEx.fnr C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe N/A
File opened for modification C:\Windows\SysWOW64\9E3B3C\shell.fne C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe N/A
File opened for modification C:\Windows\SysWOW64\9E3B3C\com.run C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe N/A
File opened for modification C:\Windows\SysWOW64\C021A2\3c8c.inf C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE N/A
File opened for modification C:\Windows\SysWOW64\9E3B3C\cnvpe.fne C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe N/A
File opened for modification C:\Windows\SysWOW64\9E3B3C\eAPI.fne C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe N/A
File created C:\Windows\SysWOW64\9E3B3C\spec.fne C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe N/A
File opened for modification C:\Windows\SysWOW64\9E3B3C\RegEx.fnr C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe N/A
File created C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe N/A
File created C:\Windows\SysWOW64\9E3B3C\shell.fne C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe N/A
File created C:\Windows\SysWOW64\9E3B3C\com.run C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe N/A
File created C:\Windows\SysWOW64\9E3B3C\dp1.fne C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe N/A
File created C:\Windows\SysWOW64\9E3B3C\krnln.fnr C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe N/A
File opened for modification C:\Windows\SysWOW64\9E3B3C\krnln.fnr C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe N/A
File opened for modification C:\Windows\SysWOW64\9E3B3C C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe N/A
File created C:\Windows\SysWOW64\9E3B3C\cnvpe.fne C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe N/A
File created C:\Windows\SysWOW64\C021A2\3c8c.inf C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE N/A
File created C:\Windows\SysWOW64\C021A2\3c8c.EDT C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE N/A
File opened for modification C:\Windows\SysWOW64\9E3B3C\dp1.fne C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe N/A
File created C:\Windows\SysWOW64\9E3B3C\internet.fne C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe N/A
File opened for modification C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe N/A
File created C:\Windows\SysWOW64\C021A2\119e.inf C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE N/A
File opened for modification C:\Windows\SysWOW64\EE37CC\7CC5ADE1.TXT C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe N/A
File opened for modification C:\Windows\SysWOW64\9E3B3C\internet.fne C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe N/A
File opened for modification C:\Windows\SysWOW64\C021A2\119e.inf C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE N/A
File opened for modification C:\Windows\SysWOW64\C021A2\3c8c.edt C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE N/A
File opened for modification C:\Windows\SysWOW64\9E3B3C\spec.fne C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe N/A
File opened for modification C:\Windows\SysWOW64\C021A2 C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE N/A
File opened for modification C:\Windows\SysWOW64\EE37CC C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe N/A
File created C:\Windows\SysWOW64\EE37CC\7CC5ADE1.TXT C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\System\symsrv.dll C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\arp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\arp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\arp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\arp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\arp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\arp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\arp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\arp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\arp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\explorer.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000 C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000cc0000000000000000000000 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2704 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe C:\Windows\SysWOW64\arp.exe
PID 2704 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe C:\Windows\SysWOW64\arp.exe
PID 2704 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe C:\Windows\SysWOW64\arp.exe
PID 2704 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe C:\Windows\SysWOW64\arp.exe
PID 2704 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe C:\Windows\SysWOW64\arp.exe
PID 2704 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe C:\Windows\SysWOW64\arp.exe
PID 2704 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe C:\Windows\SysWOW64\arp.exe
PID 2704 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe C:\Windows\SysWOW64\arp.exe
PID 2704 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe C:\Windows\SysWOW64\arp.exe
PID 2704 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe C:\Windows\SysWOW64\arp.exe
PID 2704 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe C:\Windows\SysWOW64\arp.exe
PID 2704 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe C:\Windows\SysWOW64\arp.exe
PID 2704 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe C:\Windows\SysWOW64\arp.exe
PID 2704 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe C:\Windows\SysWOW64\arp.exe
PID 2704 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe C:\Windows\SysWOW64\arp.exe
PID 2704 wrote to memory of 4168 N/A C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe C:\Windows\SysWOW64\arp.exe
PID 2704 wrote to memory of 4168 N/A C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe C:\Windows\SysWOW64\arp.exe
PID 2704 wrote to memory of 4168 N/A C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe C:\Windows\SysWOW64\arp.exe
PID 2704 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe C:\Windows\SysWOW64\arp.exe
PID 2704 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe C:\Windows\SysWOW64\arp.exe
PID 2704 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe C:\Windows\SysWOW64\arp.exe
PID 2704 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe C:\Windows\SysWOW64\arp.exe
PID 2704 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe C:\Windows\SysWOW64\arp.exe
PID 2704 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe C:\Windows\SysWOW64\arp.exe
PID 2704 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe C:\Windows\SysWOW64\arp.exe
PID 2704 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe C:\Windows\SysWOW64\arp.exe
PID 2704 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe C:\Windows\SysWOW64\arp.exe
PID 2704 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe C:\Windows\SysWOW64\explorer.exe
PID 2704 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe C:\Windows\SysWOW64\explorer.exe
PID 2704 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe C:\Windows\SysWOW64\explorer.exe
PID 2704 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE
PID 2704 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE
PID 2704 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe

"C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe"

C:\Windows\SysWOW64\arp.exe

arp -a

C:\Windows\SysWOW64\arp.exe

arp -s 10.127.0.1 b6-06-57-28-c7-f2

C:\Windows\SysWOW64\arp.exe

arp -s 10.127.255.255 4d-d4-80-e4-7b-1b

C:\Windows\SysWOW64\arp.exe

arp -s 49.12.169.208 87-c7-b8-cb-82-b2

C:\Windows\SysWOW64\arp.exe

arp -s 224.0.0.22 66-81-91-be-8b-2a

C:\Windows\SysWOW64\arp.exe

arp -s 224.0.0.251 0a-48-da-bb-d7-c9

C:\Windows\SysWOW64\arp.exe

arp -s 224.0.0.252 1a-bd-dc-9b-cc-51

C:\Windows\SysWOW64\arp.exe

arp -s 239.255.255.250 fa-f0-82-32-c3-34

C:\Windows\SysWOW64\arp.exe

arp -s 255.255.255.255 f4-80-ca-a7-bf-8a

C:\Windows\SysWOW64\explorer.exe

explorer C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE

C:\Windows\system32\9E3B3C\E37CC5.EXE

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 52.111.227.13:443 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

memory/2704-0-0x0000000000400000-0x0000000000472000-memory.dmp

C:\Program Files\Common Files\System\symsrv.dll

MD5 0609f5fe5fee88412b62aacafc43aedc
SHA1 e36ebd88d34a8b9af2808eb156f108ffc30d6a26
SHA256 b2e599e330c75124b46da9091b2546acff6dddc56d0f21d20e1af892f3ac07d6
SHA512 63f2ce803eed240ea27fcbef2658645a654b157dc8b2c630719bbe16de109467b28de81179cc99625c074dec4b8aa1c473798bcf48a3b394c8ea0be9edecc2d0

memory/2704-3-0x0000000010000000-0x0000000010032000-memory.dmp

memory/2704-12-0x0000000000403000-0x0000000000404000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E_N4\krnln.fnr

MD5 cf46bb62a1ba559ceb0fad7a5d642f28
SHA1 80b63dd193e84bfacbe535587dd38471b8ea2c24
SHA256 fe4bba1a99b332c8bbd196d3a2f3c78d9edc8f212842ff2efef17eba38427f67
SHA512 1f71f31fdc1ef7695d7a6e79218a9192804178bb2af80486de4f8ff3d7e176860813a61fa265bf78fe4ff722a85b72798938d715d8a2a034ac759505197a1058

memory/2704-19-0x0000000002FD0000-0x00000000030ED000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E_N4\shell.fne

MD5 d54753e7fc3ea03aec0181447969c0e8
SHA1 824e7007b6569ae36f174c146ae1b7242f98f734
SHA256 192608ff371400c1529aa05f1adba0fe4fdd769fcbf35ee5f8b4f78a838a7ec9
SHA512 c25ed4cb38d5d5e95a267979f0f3f9398c04a1bf5822dceb03d6f6d9b4832dfb227f1e6868327e52a0303f45c36b9ba806e75b16bd7419a7c5203c2ecbae838f

memory/2704-32-0x0000000002430000-0x000000000244E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E_N4\dp1.fne

MD5 6d4b2e73f6f8ecff02f19f7e8ef9a8c7
SHA1 09c32ca167136a17fd69df8c525ea5ffeca6c534
SHA256 fe5783e64aa70fac10c2e42d460732d9770534357329d8bc78576557c165f040
SHA512 2fd7a95cb632e9c4ac6b34e5b6b875aae94e73cd4b1f213e78f46dadab4846227a030776461bca08f9d75a1d61a0d45427f7b0c8b71406b7debc14db04b2ce04

memory/2704-26-0x0000000002410000-0x0000000002421000-memory.dmp

C:\Windows\SysWOW64\9E3B3C\eAPI.fne

MD5 936745bac5c873ab1a91478d27894626
SHA1 9ed92393f95692339ce03a8f1498f80c727e0555
SHA256 edfbe514d330e942ecd50dd7331659d59df27668e762d5a00e43df67f5f08630
SHA512 32d15337ab7a62ff25802c04bd782f5be36012f1a5251d962226a8e8e2daa7bc0a35b9cbfb67889d3b9dbc5f6cc51f924bae963ae12619249b22f2cc9aa2bbd4

C:\Users\Admin\AppData\Local\Temp\E_N4\cnvpe.fne

MD5 fb7ea6f8ae09fa7621ee13f86c4f2935
SHA1 d93676c39ad0181dad70a662c41fc4c280cce848
SHA256 bdc314d45af6a5afaed2663e63817902e80f9a18ba1965947c314b433e05bfb0
SHA512 e15111dda54bcab507c20e910f8257d2dec2830bfbc5f69e5286ce37cabb79237ce8fb1c813b2d82fa7bed0c2df89e2940ceebde358162553290224cf0866749

memory/2704-66-0x0000000002450000-0x0000000002464000-memory.dmp

C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE

MD5 92cb3a9a0807fa40b62fdad073ba712a
SHA1 34c22e6c87fc85242a6b84ad3c2cb32341dae43e
SHA256 381f079ba319041c818b55aa1e3a687bd562d3ded1c0bc02eb591c5c031103e8
SHA512 99556a91a6183e568f62a47a167dc45bbbb9a8bd561d83d1ccedeb9d7e260252813f204cc70ec099bd0f2649b28aa16e52f5e9f0b9d531d7ccd462c9521583af

memory/4456-78-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Windows\SysWOW64\9E3B3C\com.run

MD5 ce2f773275d3fe8b78f4cf067d5e6a0f
SHA1 b7135e34d46eb4303147492d5cee5e1ef7b392ab
SHA256 eb8099c0ad2d82d9d80530443e2909f3b34be0844d445e844f1c994476c86d2d
SHA512 d733dc01c047be56680629a385abdd2aa1598a2b5459269028446da9097b6f6c1e7ade5b74e3ac3809dd8a3f8d1cbbe7fd669f2762be61f9c38fd4a2cca9e063

memory/4456-85-0x0000000002220000-0x000000000226A000-memory.dmp

memory/4456-91-0x0000000002EA0000-0x0000000002EB1000-memory.dmp

memory/4456-95-0x0000000002FC0000-0x0000000002FDE000-memory.dmp

memory/4456-108-0x0000000002FE0000-0x000000000303D000-memory.dmp

memory/2704-114-0x0000000010000000-0x0000000010032000-memory.dmp

memory/2704-113-0x0000000000400000-0x0000000000472000-memory.dmp

memory/4456-121-0x0000000000400000-0x000000000041F000-memory.dmp