Malware Analysis Report

2024-12-08 02:41

Sample ID 240912-ewty2a1cnk
Target 9afc2a763f9f229638fb7644670bc5d0N
SHA256 9267d13b400b78a572931d2c2b2978cf0341c6e9250d4962c79e9dba4989e37a
Tags
floxif backdoor bootkit discovery persistence trojan upx
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

9267d13b400b78a572931d2c2b2978cf0341c6e9250d4962c79e9dba4989e37a

Threat Level: Known bad

The file 9afc2a763f9f229638fb7644670bc5d0N was found to be: Known bad.

Malicious Activity Summary

floxif backdoor bootkit discovery persistence trojan upx

Floxif, Floodfix

Detects Floxif payload

ACProtect 1.3x - 1.4x DLL software

Drops startup file

Executes dropped EXE

Loads dropped DLL

UPX packed file

Writes to the Master Boot Record (MBR)

Network Service Discovery

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Suspicious behavior: AddClipboardFormatListener

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-12 04:17

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-12 04:17

Reported

2024-09-12 04:19

Platform

win7-20240903-en

Max time kernel

117s

Max time network

117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe"

Signatures

Floxif, Floodfix

Tags: backdoor trojan floxif

Detects Floxif payload

Tags: backdoor
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

ACProtect 1.3x - 1.4x DLL software

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\E37CC5.lnk | C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE | N/A

UPX packed file

Tags: upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Writes to the Master Boot Record (MBR)

Tags: bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | N/A
File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | N/A
File opened for modification | C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | N/A
File created | C:\Windows\SysWOW64\9E3B3C\cnvpe.fne | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | N/A
File opened for modification | C:\Windows\SysWOW64\9E3B3C\dp1.fne | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | N/A
File opened for modification | C:\Windows\SysWOW64\EE37CC\7CC5ADE1.TXT | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | N/A
File created | C:\Windows\SysWOW64\9E3B3C\internet.fne | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | N/A
File created | C:\Windows\SysWOW64\9E3B3C\spec.fne | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | N/A
File opened for modification | C:\Windows\SysWOW64\9E3B3C\spec.fne | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | N/A
File opened for modification | C:\Windows\SysWOW64\C021A2\3c8c.EDT | C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE | N/A
File created | C:\Windows\SysWOW64\9E3B3C\dp1.fne | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | N/A
File opened for modification | C:\Windows\SysWOW64\9E3B3C\shell.fne | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | N/A
File opened for modification | C:\Windows\SysWOW64\9E3B3C\eAPI.fne | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | N/A
File opened for modification | C:\Windows\SysWOW64\1A2F16 | C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE | N/A
File opened for modification | C:\Windows\SysWOW64\9E3B3C | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | N/A
File created | C:\Windows\SysWOW64\9E3B3C\eAPI.fne | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | N/A
File opened for modification | C:\Windows\SysWOW64\C021A2\3c8c.edt | C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE | N/A
File created | C:\Windows\SysWOW64\9E3B3C\com.run | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | N/A
File opened for modification | C:\Windows\SysWOW64\C021A2\119e.inf | C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE | N/A
File created | C:\Windows\SysWOW64\C021A2\119e.inf | C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE | N/A
File opened for modification | C:\Windows\SysWOW64\C021A2\3c8c.inf | C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE | N/A
File opened for modification | C:\Windows\SysWOW64\EE37CC | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | N/A
File opened for modification | C:\Windows\SysWOW64\9E3B3C\krnln.fnr | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | N/A
File opened for modification | C:\Windows\SysWOW64\9E3B3C\internet.fne | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | N/A
File created | C:\Windows\SysWOW64\9E3B3C\shell.fne | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | N/A
File created | C:\Windows\SysWOW64\9E3B3C\spec_a.fne | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | N/A
File created | C:\Windows\SysWOW64\C021A2\3c8c.EDT | C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE | N/A
File created | C:\Windows\SysWOW64\EE37CC\7CC5ADE1.TXT | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | N/A
File created | C:\Windows\SysWOW64\9E3B3C\RegEx.fnr | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | N/A
File opened for modification | C:\Windows\SysWOW64\9E3B3C\com.run | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | N/A
File opened for modification | C:\Windows\SysWOW64\9E3B3C\RegEx.fnr | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | N/A
File opened for modification | C:\Windows\SysWOW64\C021A2 | C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE | N/A
File created | C:\Windows\SysWOW64\C021A2\3c8c.inf | C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE | N/A
File opened for modification | C:\Windows\SysWOW64\9E3B3C\cnvpe.fne | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | N/A
File created | C:\Windows\SysWOW64\9E3B3C\krnln.fnr | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Common Files\System\symsrv.dll | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\arp.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\arp.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\arp.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\arp.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\arp.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\arp.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\arp.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\arp.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\arp.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A

Modifies Internet Explorer settings

Tags: adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Windows\explorer.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" | C:\Windows\explorer.exe | N/A
Key deleted | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TypedURLs | C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" | C:\Windows\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | C:\Windows\explorer.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" | C:\Windows\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders | C:\Windows\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000 | C:\Windows\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Windows\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 200000001a00eebbfe2300001000d09ad3fd8f23af46adb46c85480369c700000000 | C:\Windows\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | C:\Windows\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Windows\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Windows\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | C:\Windows\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell | C:\Windows\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000f00000000000000000000000 | C:\Windows\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | C:\Windows\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | C:\Windows\explorer.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2188 wrote to memory of 2752 | N/A | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | C:\Windows\SysWOW64\arp.exe
PID 2188 wrote to memory of 2752 | N/A | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | C:\Windows\SysWOW64\arp.exe
PID 2188 wrote to memory of 2752 | N/A | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | C:\Windows\SysWOW64\arp.exe
PID 2188 wrote to memory of 2752 | N/A | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | C:\Windows\SysWOW64\arp.exe
PID 2188 wrote to memory of 2956 | N/A | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | C:\Windows\SysWOW64\arp.exe
PID 2188 wrote to memory of 2956 | N/A | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | C:\Windows\SysWOW64\arp.exe
PID 2188 wrote to memory of 2956 | N/A | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | C:\Windows\SysWOW64\arp.exe
PID 2188 wrote to memory of 2956 | N/A | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | C:\Windows\SysWOW64\arp.exe
PID 2188 wrote to memory of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | C:\Windows\SysWOW64\arp.exe
PID 2188 wrote to memory of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | C:\Windows\SysWOW64\arp.exe
PID 2188 wrote to memory of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | C:\Windows\SysWOW64\arp.exe
PID 2188 wrote to memory of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | C:\Windows\SysWOW64\arp.exe
PID 2188 wrote to memory of 2948 | N/A | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | C:\Windows\SysWOW64\arp.exe
PID 2188 wrote to memory of 2948 | N/A | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | C:\Windows\SysWOW64\arp.exe
PID 2188 wrote to memory of 2948 | N/A | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | C:\Windows\SysWOW64\arp.exe
PID 2188 wrote to memory of 2948 | N/A | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | C:\Windows\SysWOW64\arp.exe
PID 2188 wrote to memory of 2772 | N/A | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | C:\Windows\SysWOW64\arp.exe
PID 2188 wrote to memory of 2772 | N/A | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | C:\Windows\SysWOW64\arp.exe
PID 2188 wrote to memory of 2772 | N/A | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | C:\Windows\SysWOW64\arp.exe
PID 2188 wrote to memory of 2772 | N/A | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | C:\Windows\SysWOW64\arp.exe
PID 2188 wrote to memory of 1572 | N/A | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | C:\Windows\SysWOW64\arp.exe
PID 2188 wrote to memory of 1572 | N/A | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | C:\Windows\SysWOW64\arp.exe
PID 2188 wrote to memory of 1572 | N/A | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | C:\Windows\SysWOW64\arp.exe
PID 2188 wrote to memory of 1572 | N/A | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | C:\Windows\SysWOW64\arp.exe
PID 2188 wrote to memory of 2852 | N/A | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | C:\Windows\SysWOW64\arp.exe
PID 2188 wrote to memory of 2852 | N/A | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | C:\Windows\SysWOW64\arp.exe
PID 2188 wrote to memory of 2852 | N/A | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | C:\Windows\SysWOW64\arp.exe
PID 2188 wrote to memory of 2852 | N/A | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | C:\Windows\SysWOW64\arp.exe
PID 2188 wrote to memory of 896 | N/A | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | C:\Windows\SysWOW64\arp.exe
PID 2188 wrote to memory of 896 | N/A | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | C:\Windows\SysWOW64\arp.exe
PID 2188 wrote to memory of 896 | N/A | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | C:\Windows\SysWOW64\arp.exe
PID 2188 wrote to memory of 896 | N/A | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | C:\Windows\SysWOW64\arp.exe
PID 2188 wrote to memory of 2764 | N/A | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | C:\Windows\SysWOW64\arp.exe
PID 2188 wrote to memory of 2764 | N/A | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | C:\Windows\SysWOW64\arp.exe
PID 2188 wrote to memory of 2764 | N/A | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | C:\Windows\SysWOW64\arp.exe
PID 2188 wrote to memory of 2764 | N/A | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | C:\Windows\SysWOW64\arp.exe
PID 2188 wrote to memory of 3032 | N/A | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | C:\Windows\SysWOW64\explorer.exe
PID 2188 wrote to memory of 3032 | N/A | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | C:\Windows\SysWOW64\explorer.exe
PID 2188 wrote to memory of 3032 | N/A | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | C:\Windows\SysWOW64\explorer.exe
PID 2188 wrote to memory of 3032 | N/A | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | C:\Windows\SysWOW64\explorer.exe
PID 2188 wrote to memory of 1496 | N/A | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE
PID 2188 wrote to memory of 1496 | N/A | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE
PID 2188 wrote to memory of 1496 | N/A | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE
PID 2188 wrote to memory of 1496 | N/A | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe

"C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe"

C:\Windows\SysWOW64\arp.exe

arp -a

C:\Windows\SysWOW64\arp.exe

arp -s 10.127.0.1 8d-0c-52-49-2c-f4

C:\Windows\SysWOW64\arp.exe

arp -s 10.127.255.255 91-7a-4c-af-66-6a

C:\Windows\SysWOW64\arp.exe

arp -s 136.243.76.170 e1-fe-f5-9d-f7-5c

C:\Windows\SysWOW64\arp.exe

arp -s 224.0.0.22 66-37-76-cc-9c-ad

C:\Windows\SysWOW64\arp.exe

arp -s 224.0.0.251 7a-61-46-c7-cb-6e

C:\Windows\SysWOW64\arp.exe

arp -s 224.0.0.252 48-60-ac-9c-ae-66

C:\Windows\SysWOW64\arp.exe

arp -s 239.255.255.250 6b-bd-e7-4b-77-74

C:\Windows\SysWOW64\arp.exe

arp -s 255.255.255.255 ce-7c-67-32-bd-44

C:\Windows\SysWOW64\explorer.exe

explorer C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE

C:\Windows\system32\9E3B3C\E37CC5.EXE

Network

N/A

Files

memory/2188-0-0x0000000000400000-0x0000000000472000-memory.dmp

\Program Files\Common Files\System\symsrv.dll

MD5 4fcd7574537cebec8e75b4e646996643
SHA1 efa59bb9050fb656b90d5d40c942fb2a304f2a8b
SHA256 8ea3b17e4b783ffc0bc387b81b823bf87af0d57da74541d88ba85314bb232a5d
SHA512 7f1a7ef64d332a735db82506b47d84853af870785066d29ccaf4fdeab114079a9f0db400e01ba574776a0d652a248658fe1e8f9659cdced19ad6eea09644ea3e

memory/2188-4-0x0000000010000000-0x0000000010033000-memory.dmp

\Users\Admin\AppData\Local\Temp\E_N4\krnln.fnr

MD5 cf46bb62a1ba559ceb0fad7a5d642f28
SHA1 80b63dd193e84bfacbe535587dd38471b8ea2c24
SHA256 fe4bba1a99b332c8bbd196d3a2f3c78d9edc8f212842ff2efef17eba38427f67
SHA512 1f71f31fdc1ef7695d7a6e79218a9192804178bb2af80486de4f8ff3d7e176860813a61fa265bf78fe4ff722a85b72798938d715d8a2a034ac759505197a1058

memory/2188-16-0x0000000000403000-0x0000000000404000-memory.dmp

memory/2188-13-0x0000000002A90000-0x0000000002BAD000-memory.dmp

memory/2188-18-0x0000000000870000-0x0000000000881000-memory.dmp

\Users\Admin\AppData\Local\Temp\E_N4\shell.fne

MD5 d54753e7fc3ea03aec0181447969c0e8
SHA1 824e7007b6569ae36f174c146ae1b7242f98f734
SHA256 192608ff371400c1529aa05f1adba0fe4fdd769fcbf35ee5f8b4f78a838a7ec9
SHA512 c25ed4cb38d5d5e95a267979f0f3f9398c04a1bf5822dceb03d6f6d9b4832dfb227f1e6868327e52a0303f45c36b9ba806e75b16bd7419a7c5203c2ecbae838f

\Users\Admin\AppData\Local\Temp\E_N4\dp1.fne

MD5 6d4b2e73f6f8ecff02f19f7e8ef9a8c7
SHA1 09c32ca167136a17fd69df8c525ea5ffeca6c534
SHA256 fe5783e64aa70fac10c2e42d460732d9770534357329d8bc78576557c165f040
SHA512 2fd7a95cb632e9c4ac6b34e5b6b875aae94e73cd4b1f213e78f46dadab4846227a030776461bca08f9d75a1d61a0d45427f7b0c8b71406b7debc14db04b2ce04

memory/2188-21-0x00000000008A0000-0x00000000008BE000-memory.dmp

C:\Windows\SysWOW64\9E3B3C\cnvpe.fne

MD5 fb7ea6f8ae09fa7621ee13f86c4f2935
SHA1 d93676c39ad0181dad70a662c41fc4c280cce848
SHA256 bdc314d45af6a5afaed2663e63817902e80f9a18ba1965947c314b433e05bfb0
SHA512 e15111dda54bcab507c20e910f8257d2dec2830bfbc5f69e5286ce37cabb79237ce8fb1c813b2d82fa7bed0c2df89e2940ceebde358162553290224cf0866749

memory/2188-47-0x00000000028A0000-0x00000000028B4000-memory.dmp

C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE

MD5 e2b86e9a37fe4f85bbf0d08af28690a2
SHA1 d56b2d2a21cdf5661a17e32be5c71004eb558896
SHA256 b05ad065919cee4748075a182d681215c645c7cc3fdf9a06bfd18f7ebb067c91
SHA512 6cb065b121f11ee2700b22dd1cf9c9f4d44808261cc9ff2fac36165f42291598b708fa2501264d5c0dfc3df71e7bd6a3d22f9fff70e23d064733e488d49ee082

memory/1496-65-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2188-64-0x00000000028C0000-0x00000000028DF000-memory.dmp

memory/2188-63-0x00000000028C0000-0x00000000028DF000-memory.dmp

C:\Windows\SysWOW64\9E3B3C\com.run

MD5 ce2f773275d3fe8b78f4cf067d5e6a0f
SHA1 b7135e34d46eb4303147492d5cee5e1ef7b392ab
SHA256 eb8099c0ad2d82d9d80530443e2909f3b34be0844d445e844f1c994476c86d2d
SHA512 d733dc01c047be56680629a385abdd2aa1598a2b5459269028446da9097b6f6c1e7ade5b74e3ac3809dd8a3f8d1cbbe7fd669f2762be61f9c38fd4a2cca9e063

memory/1496-70-0x00000000003B0000-0x00000000003FA000-memory.dmp

memory/1496-74-0x0000000000420000-0x0000000000431000-memory.dmp

memory/1496-77-0x0000000000440000-0x000000000045E000-memory.dmp

C:\Windows\SysWOW64\9E3B3C\eAPI.fne

MD5 936745bac5c873ab1a91478d27894626
SHA1 9ed92393f95692339ce03a8f1498f80c727e0555
SHA256 edfbe514d330e942ecd50dd7331659d59df27668e762d5a00e43df67f5f08630
SHA512 32d15337ab7a62ff25802c04bd782f5be36012f1a5251d962226a8e8e2daa7bc0a35b9cbfb67889d3b9dbc5f6cc51f924bae963ae12619249b22f2cc9aa2bbd4

memory/1496-89-0x0000000001DE0000-0x0000000001E3D000-memory.dmp

memory/2188-92-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2188-93-0x0000000010000000-0x0000000010033000-memory.dmp

memory/2908-94-0x0000000003D10000-0x0000000003D20000-memory.dmp

memory/1496-100-0x00000000021D0000-0x00000000021E0000-memory.dmp

memory/1496-103-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1496-104-0x00000000021D0000-0x00000000021E0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-12 04:17

Reported

2024-09-12 04:19

Platform

win10v2004-20240802-en

Max time kernel

95s

Max time network

97s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe"

Signatures

Floxif, Floodfix

Tags: backdoor trojan floxif

Detects Floxif payload

Tags: backdoor
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

ACProtect 1.3x - 1.4x DLL software

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\E37CC5.lnk | C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE | N/A

UPX packed file

Tags: upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Writes to the Master Boot Record (MBR)

Tags: bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | N/A
File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\9E3B3C\spec.fne | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | N/A
File opened for modification | C:\Windows\SysWOW64\9E3B3C\eAPI.fne | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | N/A
File opened for modification | C:\Windows\SysWOW64\9E3B3C\krnln.fnr | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | N/A
File created | C:\Windows\SysWOW64\9E3B3C\spec_a.fne | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | N/A
File opened for modification | C:\Windows\SysWOW64\9E3B3C\RegEx.fnr | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | N/A
File opened for modification | C:\Windows\SysWOW64\C021A2\119e.inf | C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE | N/A
File created | C:\Windows\SysWOW64\C021A2\3c8c.inf | C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE | N/A
File opened for modification | C:\Windows\SysWOW64\9E3B3C\shell.fne | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | N/A
File created | C:\Windows\SysWOW64\9E3B3C\RegEx.fnr | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | N/A
File opened for modification | C:\Windows\SysWOW64\1A2F16 | C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE | N/A
File opened for modification | C:\Windows\SysWOW64\9E3B3C\cnvpe.fne | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | N/A
File opened for modification | C:\Windows\SysWOW64\C021A2\3c8c.inf | C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE | N/A
File opened for modification | C:\Windows\SysWOW64\9E3B3C | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | N/A
File opened for modification | C:\Windows\SysWOW64\9E3B3C\dp1.fne | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | N/A
File opened for modification | C:\Windows\SysWOW64\9E3B3C\com.run | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | N/A
File opened for modification | C:\Windows\SysWOW64\C021A2 | C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE | N/A
File created | C:\Windows\SysWOW64\C021A2\3c8c.EDT | C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE | N/A
File created | C:\Windows\SysWOW64\9E3B3C\eAPI.fne | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | N/A
File created | C:\Windows\SysWOW64\EE37CC\7CC5ADE1.TXT | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | N/A
File opened for modification | C:\Windows\SysWOW64\EE37CC\7CC5ADE1.TXT | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | N/A
File created | C:\Windows\SysWOW64\9E3B3C\internet.fne | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | N/A
File created | C:\Windows\SysWOW64\C021A2\119e.inf | C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE | N/A
File created | C:\Windows\SysWOW64\9E3B3C\dp1.fne | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | N/A
File created | C:\Windows\SysWOW64\9E3B3C\krnln.fnr | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | N/A
File opened for modification | C:\Windows\SysWOW64\9E3B3C\spec.fne | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | N/A
File opened for modification | C:\Windows\SysWOW64\C021A2\3c8c.edt | C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE | N/A
File opened for modification | C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | N/A
File opened for modification | C:\Windows\SysWOW64\C021A2\3c8c.EDT | C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE | N/A
File opened for modification | C:\Windows\SysWOW64\EE37CC | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | N/A
File created | C:\Windows\SysWOW64\9E3B3C\cnvpe.fne | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | N/A
File created | C:\Windows\SysWOW64\9E3B3C\shell.fne | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | N/A
File created | C:\Windows\SysWOW64\9E3B3C\com.run | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | N/A
File opened for modification | C:\Windows\SysWOW64\9E3B3C\internet.fne | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | N/A
File created | C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Common Files\System\symsrv.dll | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\arp.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\arp.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\arp.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\arp.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\arp.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\arp.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\arp.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\arp.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\arp.exe | N/A

Modifies Internet Explorer settings

adware spyware
Note: the Toolbar keys below are written by C:\Windows\explorer.exe; the one row attributable to the dropped payload is the deletion of the user's TypedURLs history by C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE.
Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" C:\Windows\explorer.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser C:\Windows\explorer.exe N/A

Modifies registry class

Note: every row below is written by C:\Windows\explorer.exe and is ordinary shell-bag state (BagMRU, Bags, NodeSlots, SniffedFolderType) recorded after the sample launched explorer with a path under its own Temp directory (see the Processes list); nothing in this section is written by the sample or by E37CC5.EXE.
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000cc0000000000000000000000 C:\Windows\explorer.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe N/A

Suspicious use of WriteProcessMemory

Note: the target PIDs (5036, 708, 4632, 2244, 2200, 2616, 4456, 2940, 4064, 2540, 3492) are exactly the children listed under Processes, and three writes per child is the pattern this sandbox records during ordinary child process creation; read this section as confirmation that PID 328 spawned those processes, not as evidence of code injection by itself.
Description Indicator Process Target
PID 328 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe C:\Windows\SysWOW64\arp.exe
PID 328 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe C:\Windows\SysWOW64\arp.exe
PID 328 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe C:\Windows\SysWOW64\arp.exe
PID 328 wrote to memory of 708 N/A C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe C:\Windows\SysWOW64\arp.exe
PID 328 wrote to memory of 708 N/A C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe C:\Windows\SysWOW64\arp.exe
PID 328 wrote to memory of 708 N/A C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe C:\Windows\SysWOW64\arp.exe
PID 328 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe C:\Windows\SysWOW64\arp.exe
PID 328 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe C:\Windows\SysWOW64\arp.exe
PID 328 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe C:\Windows\SysWOW64\arp.exe
PID 328 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe C:\Windows\SysWOW64\arp.exe
PID 328 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe C:\Windows\SysWOW64\arp.exe
PID 328 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe C:\Windows\SysWOW64\arp.exe
PID 328 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe C:\Windows\SysWOW64\arp.exe
PID 328 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe C:\Windows\SysWOW64\arp.exe
PID 328 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe C:\Windows\SysWOW64\arp.exe
PID 328 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe C:\Windows\SysWOW64\arp.exe
PID 328 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe C:\Windows\SysWOW64\arp.exe
PID 328 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe C:\Windows\SysWOW64\arp.exe
PID 328 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe C:\Windows\SysWOW64\arp.exe
PID 328 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe C:\Windows\SysWOW64\arp.exe
PID 328 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe C:\Windows\SysWOW64\arp.exe
PID 328 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe C:\Windows\SysWOW64\arp.exe
PID 328 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe C:\Windows\SysWOW64\arp.exe
PID 328 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe C:\Windows\SysWOW64\arp.exe
PID 328 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe C:\Windows\SysWOW64\arp.exe
PID 328 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe C:\Windows\SysWOW64\arp.exe
PID 328 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe C:\Windows\SysWOW64\arp.exe
PID 328 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe C:\Windows\SysWOW64\explorer.exe
PID 328 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe C:\Windows\SysWOW64\explorer.exe
PID 328 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe C:\Windows\SysWOW64\explorer.exe
PID 328 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE
PID 328 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE
PID 328 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe

"C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe"

C:\Windows\SysWOW64\arp.exe

arp -a

C:\Windows\SysWOW64\arp.exe

arp -s 10.127.0.1 b6-63-9c-48-f5-f0

C:\Windows\SysWOW64\arp.exe

arp -s 10.127.255.255 0c-a6-b8-ab-e5-fa

C:\Windows\SysWOW64\arp.exe

arp -s 37.27.61.182 08-f8-b7-58-a7-ff

C:\Windows\SysWOW64\arp.exe

arp -s 224.0.0.22 71-9e-1d-45-33-92

C:\Windows\SysWOW64\arp.exe

arp -s 224.0.0.251 32-02-4f-23-08-a1

C:\Windows\SysWOW64\arp.exe

arp -s 224.0.0.252 50-34-ee-13-19-f7

C:\Windows\SysWOW64\arp.exe

arp -s 239.255.255.250 86-e1-aa-8e-5a-e5

C:\Windows\SysWOW64\arp.exe

arp -s 255.255.255.255 90-14-d9-02-59-e3

C:\Windows\SysWOW64\explorer.exe

explorer C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE

C:\Windows\system32\9E3B3C\E37CC5.EXE
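
The eight arp -s invocations above pin static ARP entries, with hard-coded MAC addresses, for the first host of the local subnet (10.127.0.1), the subnet and limited broadcast addresses, the IGMP, mDNS, LLMNR and SSDP multicast groups (224.0.0.22, 224.0.0.251, 224.0.0.252, 239.255.255.250) and one off-link address (37.27.61.182). Broadcast and IPv4 multicast destinations have a MAC fixed by specification (ff-ff-ff-ff-ff-ff, and the RFC 1112 01-00-5e mapping), so a pinned entry that disagrees with it can be checked without knowing anything about the network. The script below is an added example, not part of the sandbox output: it runs that check over process-creation events constructed from the command lines above (Sysmon Event ID 1 field names; no real log was used) and assumes the sandbox subnet is 10.127.0.0/16, which is inferred from the 10.127.0.1 and 10.127.255.255 entries rather than stated in the report.

```python
"""Hunt for static ARP-cache pinning (arp.exe -s) in process-creation telemetry.

Added example for this report, not part of the sandbox output. Events are
constructed from the arp.exe command lines in the Processes list; the local
subnet 10.127.0.0/16 is an assumption inferred from the pinned addresses.
"""
import ipaddress
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\9afc2a763f9f229638fb7644670bc5d0N.exe"
ARP = r"C:\Windows\SysWOW64\arp.exe"

# Constructed events: the sample (PID 328) and the arp.exe children it spawned.
SAMPLE_EVENTS = [
    {"pid": 328, "ppid": 1, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 5036, "ppid": 328, "image": ARP, "cmdline": "arp -a"},
    {"pid": 708, "ppid": 328, "image": ARP, "cmdline": "arp -s 10.127.0.1 b6-63-9c-48-f5-f0"},
    {"pid": 4632, "ppid": 328, "image": ARP, "cmdline": "arp -s 10.127.255.255 0c-a6-b8-ab-e5-fa"},
    {"pid": 2244, "ppid": 328, "image": ARP, "cmdline": "arp -s 37.27.61.182 08-f8-b7-58-a7-ff"},
    {"pid": 2200, "ppid": 328, "image": ARP, "cmdline": "arp -s 224.0.0.22 71-9e-1d-45-33-92"},
    {"pid": 2616, "ppid": 328, "image": ARP, "cmdline": "arp -s 224.0.0.251 32-02-4f-23-08-a1"},
    {"pid": 4456, "ppid": 328, "image": ARP, "cmdline": "arp -s 224.0.0.252 50-34-ee-13-19-f7"},
    {"pid": 2940, "ppid": 328, "image": ARP, "cmdline": "arp -s 239.255.255.250 86-e1-aa-8e-5a-e5"},
    {"pid": 4064, "ppid": 328, "image": ARP, "cmdline": "arp -s 255.255.255.255 90-14-d9-02-59-e3"},
]

# "-s <ipv4> <mac>" with a dash- or colon-separated MAC.
ARP_S = re.compile(r"(?:^|\s)-s\s+(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:[-:][0-9a-f]{2}){5})", re.I)
LIMITED_BCAST = ipaddress.IPv4Address("255.255.255.255")


def classify(ip, local_net):
    """Name the kind of destination a static entry is being pinned for."""
    if ip == LIMITED_BCAST or ip == local_net.broadcast_address:
        return "broadcast"
    if ip.is_multicast:
        return "multicast"
    if ip in local_net:
        return "local unicast"
    return "global unicast"


def expected_mac(ip, kind):
    """MAC the stack would use without the static entry, where the spec fixes it."""
    if kind == "broadcast":
        return "ff-ff-ff-ff-ff-ff"
    if kind == "multicast":  # RFC 1112: 01-00-5e plus the low 23 bits of the group
        low = int(ip) & 0x7FFFFF
        return "01-00-5e-%02x-%02x-%02x" % (low >> 16, (low >> 8) & 0xFF, low & 0xFF)
    return None  # unicast: depends on the real neighbour, cannot be known statically


def mac_flags(mac):
    """I/G (group) and U/L (locally administered) bits of the first octet."""
    first = int(mac[:2], 16)
    return {"group_bit": bool(first & 1), "locally_administered": bool(first & 2)}


def hunt(events, local_net="10.127.0.0/16"):
    net = ipaddress.ip_network(local_net)
    images = {e["pid"]: e["image"] for e in events}
    findings = []
    for e in events:
        if not e["image"].lower().endswith("arp.exe"):
            continue
        m = ARP_S.search(e["cmdline"])
        if not m:  # "arp -a" and friends only read the cache
            continue
        ip = ipaddress.IPv4Address(m.group(1))
        mac = m.group(2).lower().replace(":", "-")
        kind = classify(ip, net)
        exp = expected_mac(ip, kind)
        flags = mac_flags(mac)
        parent = images.get(e["ppid"], "<unknown>")
        reasons = []
        if exp and mac != exp:
            reasons.append(f"{kind} destination pinned to {mac}, spec says {exp}")
        if flags["group_bit"] and kind not in ("broadcast", "multicast"):
            reasons.append("group (I/G) bit set in a MAC for a unicast destination")
        if kind == "global unicast":
            reasons.append("off-link address; ARP only resolves on-link next hops")
        if kind == "local unicast" and ip == net.network_address + 1:
            reasons.append("first host of the local subnet, commonly the default gateway")
        if not parent.lower().startswith("c:\\windows\\"):
            reasons.append(f"spawned by non-system parent {parent}")
        findings.append({"pid": e["pid"], "parent": parent, "ip": str(ip), "mac": mac,
                         "kind": kind, "expected_mac": exp,
                         "mac_mismatch": bool(exp) and mac != exp,
                         "mac_flags": flags, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['ip']:<16} {f['kind']:<15} {f['mac']}  " + "; ".join(f["reasons"]))
```

Every broadcast and multicast entry in this run fails the spec check, and the MAC pinned for 224.0.0.22 even has the group bit set. Static entries created this way need an elevated token on Windows Vista and later and do not survive a reboot; on a live host `arp -a` lists them as static and `Get-NetNeighbor -State Permanent` returns them in PowerShell.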

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
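
The nine UDP queries above are all PTR (reverse) lookups sent to Google's public resolver, and the table shows the reverse names rather than the addresses they decode to. The snippet below is an added example, not sandbox output: it turns each in-addr.arpa name back into an address, validates the result against the stdlib encoder, labels its scope, and checks whether any decoded address overlaps with the address the sample pinned via arp -s (37.27.61.182). None does, all nine decode to public addresses, and no forward lookup of a hostname and no connection to 37.27.61.182 appear in the capture, so the network section of this run records reverse lookups only.

```python
"""Decode the reverse-DNS (PTR) query names in the Network table back to addresses.

Added example for this report, not part of the sandbox output. The query list
is copied from the table above; scope labels come from the Python stdlib, not
from any external lookup.
"""
import ipaddress

# Copied from the Network table: every query went to 8.8.8.8:53 over UDP.
SAMPLE_QUERIES = [
    "8.8.8.8.in-addr.arpa",
    "241.150.49.20.in-addr.arpa",
    "172.210.232.199.in-addr.arpa",
    "74.32.126.40.in-addr.arpa",
    "95.221.229.192.in-addr.arpa",
    "228.249.119.40.in-addr.arpa",
    "86.23.85.13.in-addr.arpa",
    "56.126.166.20.in-addr.arpa",
    "13.227.111.52.in-addr.arpa",
]


def ptr_to_ip(name):
    """'d.c.b.a.in-addr.arpa' -> IPv4Address('a.b.c.d'); rejects partial or non-PTR names."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        raise ValueError(f"not a full IPv4 reverse name: {name}")
    ip = ipaddress.IPv4Address(".".join(reversed(labels[:4])))
    if ip.reverse_pointer != ".".join(labels):  # round-trip against the stdlib encoder
        raise ValueError(f"round-trip mismatch for {name}")
    return ip


def summarize(queries):
    """One row per query: the decoded address and whether it is global or private/special."""
    rows = []
    for q in queries:
        ip = ptr_to_ip(q)
        rows.append({"query": q, "ip": str(ip),
                     "scope": "global" if ip.is_global else "private/special"})
    return rows


def overlap_with_pinned(queries, pinned=("37.27.61.182",)):
    """Decoded addresses that also appear among the addresses pinned with arp -s."""
    decoded = {str(ptr_to_ip(q)) for q in queries}
    return sorted(decoded & set(pinned))


if __name__ == "__main__":
    for row in summarize(SAMPLE_QUERIES):
        print(f"{row['ip']:<16} {row['scope']:<16} {row['query']}")
    print("overlap with arp -s targets:", overlap_with_pinned(SAMPLE_QUERIES) or "none")
```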

Files

Note: krnln.fnr, the .fne modules (shell, dp1, cnvpe, eAPI, internet) and com.run under E_N4 and 9E3B3C are support libraries of the Easy Programming Language (EPL, 易语言) runtime, which a statically compiled EPL binary unpacks at start-up; they identify the toolchain the sample and E37CC5.EXE were built with rather than carrying the payload. symsrv.dll under Program Files\Common Files\System is the location Floxif is known to use for its dropped component.

memory/328-0-0x0000000000400000-0x0000000000472000-memory.dmp

C:\Program Files\Common Files\System\symsrv.dll

MD5 4fcd7574537cebec8e75b4e646996643
SHA1 efa59bb9050fb656b90d5d40c942fb2a304f2a8b
SHA256 8ea3b17e4b783ffc0bc387b81b823bf87af0d57da74541d88ba85314bb232a5d
SHA512 7f1a7ef64d332a735db82506b47d84853af870785066d29ccaf4fdeab114079a9f0db400e01ba574776a0d652a248658fe1e8f9659cdced19ad6eea09644ea3e

memory/328-3-0x0000000010000000-0x0000000010033000-memory.dmp

memory/328-7-0x0000000000403000-0x0000000000404000-memory.dmp

memory/328-17-0x0000000002EB0000-0x0000000002FCD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E_N4\krnln.fnr

MD5 cf46bb62a1ba559ceb0fad7a5d642f28
SHA1 80b63dd193e84bfacbe535587dd38471b8ea2c24
SHA256 fe4bba1a99b332c8bbd196d3a2f3c78d9edc8f212842ff2efef17eba38427f67
SHA512 1f71f31fdc1ef7695d7a6e79218a9192804178bb2af80486de4f8ff3d7e176860813a61fa265bf78fe4ff722a85b72798938d715d8a2a034ac759505197a1058

memory/328-24-0x0000000002B50000-0x0000000002B61000-memory.dmp

memory/328-30-0x0000000002C00000-0x0000000002C1E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E_N4\shell.fne

MD5 d54753e7fc3ea03aec0181447969c0e8
SHA1 824e7007b6569ae36f174c146ae1b7242f98f734
SHA256 192608ff371400c1529aa05f1adba0fe4fdd769fcbf35ee5f8b4f78a838a7ec9
SHA512 c25ed4cb38d5d5e95a267979f0f3f9398c04a1bf5822dceb03d6f6d9b4832dfb227f1e6868327e52a0303f45c36b9ba806e75b16bd7419a7c5203c2ecbae838f

C:\Windows\SysWOW64\9E3B3C\eAPI.fne

MD5 936745bac5c873ab1a91478d27894626
SHA1 9ed92393f95692339ce03a8f1498f80c727e0555
SHA256 edfbe514d330e942ecd50dd7331659d59df27668e762d5a00e43df67f5f08630
SHA512 32d15337ab7a62ff25802c04bd782f5be36012f1a5251d962226a8e8e2daa7bc0a35b9cbfb67889d3b9dbc5f6cc51f924bae963ae12619249b22f2cc9aa2bbd4

C:\Users\Admin\AppData\Local\Temp\E_N4\dp1.fne

MD5 6d4b2e73f6f8ecff02f19f7e8ef9a8c7
SHA1 09c32ca167136a17fd69df8c525ea5ffeca6c534
SHA256 fe5783e64aa70fac10c2e42d460732d9770534357329d8bc78576557c165f040
SHA512 2fd7a95cb632e9c4ac6b34e5b6b875aae94e73cd4b1f213e78f46dadab4846227a030776461bca08f9d75a1d61a0d45427f7b0c8b71406b7debc14db04b2ce04

C:\Users\Admin\AppData\Local\Temp\E_N4\cnvpe.fne

MD5 fb7ea6f8ae09fa7621ee13f86c4f2935
SHA1 d93676c39ad0181dad70a662c41fc4c280cce848
SHA256 bdc314d45af6a5afaed2663e63817902e80f9a18ba1965947c314b433e05bfb0
SHA512 e15111dda54bcab507c20e910f8257d2dec2830bfbc5f69e5286ce37cabb79237ce8fb1c813b2d82fa7bed0c2df89e2940ceebde358162553290224cf0866749

memory/328-64-0x0000000002C20000-0x0000000002C34000-memory.dmp

C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE

MD5 e2b86e9a37fe4f85bbf0d08af28690a2
SHA1 d56b2d2a21cdf5661a17e32be5c71004eb558896
SHA256 b05ad065919cee4748075a182d681215c645c7cc3fdf9a06bfd18f7ebb067c91
SHA512 6cb065b121f11ee2700b22dd1cf9c9f4d44808261cc9ff2fac36165f42291598b708fa2501264d5c0dfc3df71e7bd6a3d22f9fff70e23d064733e488d49ee082

memory/3492-77-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Windows\SysWOW64\9E3B3C\com.run

MD5 ce2f773275d3fe8b78f4cf067d5e6a0f
SHA1 b7135e34d46eb4303147492d5cee5e1ef7b392ab
SHA256 eb8099c0ad2d82d9d80530443e2909f3b34be0844d445e844f1c994476c86d2d
SHA512 d733dc01c047be56680629a385abdd2aa1598a2b5459269028446da9097b6f6c1e7ade5b74e3ac3809dd8a3f8d1cbbe7fd669f2762be61f9c38fd4a2cca9e063

memory/3492-83-0x00000000021F0000-0x000000000223A000-memory.dmp

memory/3492-88-0x0000000002E90000-0x0000000002EA1000-memory.dmp

memory/3492-92-0x0000000002FB0000-0x0000000002FCE000-memory.dmp

memory/3492-105-0x0000000002FD0000-0x000000000302D000-memory.dmp

memory/328-110-0x0000000000400000-0x0000000000472000-memory.dmp

memory/328-109-0x0000000010000000-0x0000000010033000-memory.dmp

memory/3492-117-0x0000000000400000-0x000000000041F000-memory.dmp