Malware Analysis Report

2025-01-02 07:26

Sample ID 240914-fa1p5axfmg
Target b1abf4371741cd524184b57a83bd79d0N
SHA256 bd9681b94c7678dc0d26814705ec565b03d73ff301f82267a495161ff36f8e55
Tags floxif backdoor bootkit discovery persistence privilege_escalation trojan upx
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 bd9681b94c7678dc0d26814705ec565b03d73ff301f82267a495161ff36f8e55

Threat Level: Known bad

The file b1abf4371741cd524184b57a83bd79d0N was found to be: Known bad.

Malicious Activity Summary

floxif backdoor bootkit discovery persistence privilege_escalation trojan upx

Floxif, Floodfix

Detects Floxif payload

Event Triggered Execution: AppInit DLLs

Drops startup file

UPX packed file

Loads dropped DLL

ACProtect 1.3x - 1.4x DLL software

Executes dropped EXE

Network Service Discovery

Writes to the Master Boot Record (MBR)

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious behavior: LoadsDriver

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: AddClipboardFormatListener

Modifies registry class

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-09-14 04:40

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-09-14 04:40

Reported 2024-09-14 04:42

Platform win7-20240903-en

Max time kernel 117s

Max time network 117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe"

Signatures

Floxif, Floodfix

backdoor trojan floxif

Detects Floxif payload

backdoor
Description Indicator Process Target
N/A N/A N/A N/A

Event Triggered Execution: AppInit DLLs

persistence privilege_escalation

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\E37CC5.lnk C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\C021A2\3c8c.EDT C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE N/A
File opened for modification C:\Windows\SysWOW64\C021A2\3c8c.EDT C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE N/A
File opened for modification C:\Windows\SysWOW64\9E3B3C\dp1.fne C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe N/A
File created C:\Windows\SysWOW64\C021A2\3c8c.inf C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE N/A
File created C:\Windows\SysWOW64\EE37CC\7CC5ADE1.TXT C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe N/A
File created C:\Windows\SysWOW64\9E3B3C\dp1.fne C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe N/A
File created C:\Windows\SysWOW64\9E3B3C\krnln.fnr C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe N/A
File opened for modification C:\Windows\SysWOW64\9E3B3C\com.run C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe N/A
File opened for modification C:\Windows\SysWOW64\9E3B3C\eAPI.fne C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe N/A
File opened for modification C:\Windows\SysWOW64\9E3B3C\shell.fne C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe N/A
File opened for modification C:\Windows\SysWOW64\9E3B3C\internet.fne C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe N/A
File opened for modification C:\Windows\SysWOW64\9E3B3C\RegEx.fnr C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe N/A
File opened for modification C:\Windows\SysWOW64\C021A2\3c8c.edt C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE N/A
File created C:\Windows\SysWOW64\9E3B3C\cnvpe.fne C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe N/A
File opened for modification C:\Windows\SysWOW64\9E3B3C\cnvpe.fne C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe N/A
File opened for modification C:\Windows\SysWOW64\EE37CC\7CC5ADE1.TXT C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe N/A
File created C:\Windows\SysWOW64\9E3B3C\com.run C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe N/A
File created C:\Windows\SysWOW64\9E3B3C\internet.fne C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe N/A
File opened for modification C:\Windows\SysWOW64\9E3B3C\spec.fne C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe N/A
File opened for modification C:\Windows\SysWOW64\EE37CC C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe N/A
File created C:\Windows\SysWOW64\9E3B3C\eAPI.fne C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe N/A
File opened for modification C:\Windows\SysWOW64\1A2F16 C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE N/A
File created C:\Windows\SysWOW64\9E3B3C\RegEx.fnr C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe N/A
File opened for modification C:\Windows\SysWOW64\C021A2 C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE N/A
File opened for modification C:\Windows\SysWOW64\C021A2\119e.inf C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE N/A
File opened for modification C:\Windows\SysWOW64\C021A2\3c8c.inf C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE N/A
File opened for modification C:\Windows\SysWOW64\9E3B3C C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe N/A
File created C:\Windows\SysWOW64\9E3B3C\shell.fne C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe N/A
File created C:\Windows\SysWOW64\9E3B3C\spec_a.fne C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe N/A
File created C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe N/A
File opened for modification C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe N/A
File created C:\Windows\SysWOW64\C021A2\119e.inf C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE N/A
File opened for modification C:\Windows\SysWOW64\9E3B3C\krnln.fnr C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe N/A
File created C:\Windows\SysWOW64\9E3B3C\spec.fne C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\System\symsrv.dll C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe N/A
File created \??\c:\progra~1\common~1\system\symsrv.dll.000 C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\arp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\arp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\arp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\arp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\arp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\arp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\arp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\arp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\arp.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key deleted \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TypedURLs C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000f00000000000000000000000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 200000001a00eebbfe2300001000d09ad3fd8f23af46adb46c85480369c700000000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\arp.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\arp.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\arp.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\arp.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\arp.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2116 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe C:\Windows\SysWOW64\arp.exe
PID 2116 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe C:\Windows\SysWOW64\arp.exe
PID 2116 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe C:\Windows\SysWOW64\arp.exe
PID 2116 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe C:\Windows\SysWOW64\arp.exe
PID 2116 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe C:\Windows\SysWOW64\arp.exe
PID 2116 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe C:\Windows\SysWOW64\arp.exe
PID 2116 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe C:\Windows\SysWOW64\arp.exe
PID 2116 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe C:\Windows\SysWOW64\arp.exe
PID 2116 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe C:\Windows\SysWOW64\arp.exe
PID 2116 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe C:\Windows\SysWOW64\arp.exe
PID 2116 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe C:\Windows\SysWOW64\arp.exe
PID 2116 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe C:\Windows\SysWOW64\arp.exe
PID 2116 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe C:\Windows\SysWOW64\explorer.exe
PID 2116 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe C:\Windows\SysWOW64\explorer.exe
PID 2116 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe C:\Windows\SysWOW64\explorer.exe
PID 2116 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe C:\Windows\SysWOW64\explorer.exe
PID 2116 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe C:\Windows\SysWOW64\arp.exe
PID 2116 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe C:\Windows\SysWOW64\arp.exe
PID 2116 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe C:\Windows\SysWOW64\arp.exe
PID 2116 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe C:\Windows\SysWOW64\arp.exe
PID 2116 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe C:\Windows\SysWOW64\arp.exe
PID 2116 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe C:\Windows\SysWOW64\arp.exe
PID 2116 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe C:\Windows\SysWOW64\arp.exe
PID 2116 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe C:\Windows\SysWOW64\arp.exe
PID 2116 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe C:\Windows\SysWOW64\arp.exe
PID 2116 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe C:\Windows\SysWOW64\arp.exe
PID 2116 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe C:\Windows\SysWOW64\arp.exe
PID 2116 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe C:\Windows\SysWOW64\arp.exe
PID 2116 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe C:\Windows\SysWOW64\arp.exe
PID 2116 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe C:\Windows\SysWOW64\arp.exe
PID 2116 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe C:\Windows\SysWOW64\arp.exe
PID 2116 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe C:\Windows\SysWOW64\arp.exe
PID 2116 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe C:\Windows\SysWOW64\arp.exe
PID 2116 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe C:\Windows\SysWOW64\arp.exe
PID 2116 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe C:\Windows\SysWOW64\arp.exe
PID 2116 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe C:\Windows\SysWOW64\arp.exe
PID 2116 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe C:\Windows\SysWOW64\arp.exe
PID 2116 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe C:\Windows\SysWOW64\arp.exe
PID 2116 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe C:\Windows\SysWOW64\arp.exe
PID 2116 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe C:\Windows\SysWOW64\arp.exe
PID 2116 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE
PID 2116 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE
PID 2116 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE
PID 2116 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe

"C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe"

C:\Windows\SysWOW64\arp.exe

arp -a

C:\Windows\SysWOW64\arp.exe

arp -s 10.127.0.1 32-94-58-5b-be-e1

C:\Windows\SysWOW64\explorer.exe

explorer C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N

C:\Windows\SysWOW64\arp.exe

arp -s 10.127.255.255 83-93-bf-05-21-97

C:\Windows\SysWOW64\arp.exe

arp -s 49.12.169.207 4a-7c-d1-cd-eb-21

C:\Windows\SysWOW64\arp.exe

arp -s 224.0.0.22 1a-c7-a0-45-d6-9e

C:\Windows\SysWOW64\arp.exe

arp -s 224.0.0.251 cf-58-61-4d-46-7a

C:\Windows\SysWOW64\arp.exe

arp -s 224.0.0.252 25-76-ea-16-75-88

C:\Windows\SysWOW64\arp.exe

arp -s 239.255.255.250 45-cc-8e-55-8a-d2

C:\Windows\SysWOW64\arp.exe

arp -s 255.255.255.255 c5-39-fa-d2-99-70

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE

C:\Windows\system32\9E3B3C\E37CC5.EXE

Network

Country Destination Domain Proto
US 8.8.8.8:53 5isohu.com udp
US 8.8.8.8:53 www.aieov.com udp
US 45.33.30.197:80 www.aieov.com tcp

Files

memory/2116-1-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2116-4-0x0000000010000000-0x0000000010033000-memory.dmp

\Program Files\Common Files\System\symsrv.dll

MD5 4fcd7574537cebec8e75b4e646996643
SHA1 efa59bb9050fb656b90d5d40c942fb2a304f2a8b
SHA256 8ea3b17e4b783ffc0bc387b81b823bf87af0d57da74541d88ba85314bb232a5d
SHA512 7f1a7ef64d332a735db82506b47d84853af870785066d29ccaf4fdeab114079a9f0db400e01ba574776a0d652a248658fe1e8f9659cdced19ad6eea09644ea3e

memory/2848-8-0x0000000010000000-0x0000000010033000-memory.dmp

memory/2116-15-0x0000000000403000-0x0000000000404000-memory.dmp

memory/2848-21-0x0000000010000000-0x0000000010033000-memory.dmp

memory/2116-17-0x0000000002DE0000-0x0000000002EFD000-memory.dmp

\Users\Admin\AppData\Local\Temp\E_N4\krnln.fnr

MD5 cf46bb62a1ba559ceb0fad7a5d642f28
SHA1 80b63dd193e84bfacbe535587dd38471b8ea2c24
SHA256 fe4bba1a99b332c8bbd196d3a2f3c78d9edc8f212842ff2efef17eba38427f67
SHA512 1f71f31fdc1ef7695d7a6e79218a9192804178bb2af80486de4f8ff3d7e176860813a61fa265bf78fe4ff722a85b72798938d715d8a2a034ac759505197a1058

memory/2604-25-0x0000000010000000-0x0000000010033000-memory.dmp

memory/2732-24-0x0000000010000000-0x0000000010033000-memory.dmp

memory/2616-43-0x0000000010000000-0x0000000010033000-memory.dmp

memory/2684-51-0x0000000010000000-0x0000000010033000-memory.dmp

memory/2116-56-0x00000000003D0000-0x00000000003EE000-memory.dmp

memory/2116-53-0x0000000000320000-0x0000000000331000-memory.dmp

\Users\Admin\AppData\Local\Temp\E_N4\shell.fne

MD5 d54753e7fc3ea03aec0181447969c0e8
SHA1 824e7007b6569ae36f174c146ae1b7242f98f734
SHA256 192608ff371400c1529aa05f1adba0fe4fdd769fcbf35ee5f8b4f78a838a7ec9
SHA512 c25ed4cb38d5d5e95a267979f0f3f9398c04a1bf5822dceb03d6f6d9b4832dfb227f1e6868327e52a0303f45c36b9ba806e75b16bd7419a7c5203c2ecbae838f

\Users\Admin\AppData\Local\Temp\E_N4\dp1.fne

MD5 6d4b2e73f6f8ecff02f19f7e8ef9a8c7
SHA1 09c32ca167136a17fd69df8c525ea5ffeca6c534
SHA256 fe5783e64aa70fac10c2e42d460732d9770534357329d8bc78576557c165f040
SHA512 2fd7a95cb632e9c4ac6b34e5b6b875aae94e73cd4b1f213e78f46dadab4846227a030776461bca08f9d75a1d61a0d45427f7b0c8b71406b7debc14db04b2ce04

memory/2580-50-0x0000000010000000-0x0000000010033000-memory.dmp

memory/2756-46-0x0000000010000000-0x0000000010033000-memory.dmp

memory/2764-42-0x0000000010000000-0x0000000010033000-memory.dmp

memory/2684-41-0x0000000010000000-0x0000000010033000-memory.dmp

memory/2580-40-0x0000000010000000-0x0000000010033000-memory.dmp

memory/2756-33-0x0000000010000000-0x0000000010033000-memory.dmp

memory/2604-32-0x0000000010000000-0x0000000010033000-memory.dmp

memory/2872-31-0x0000000010000000-0x0000000010033000-memory.dmp

memory/2772-29-0x0000000010000000-0x0000000010033000-memory.dmp

C:\Windows\SysWOW64\9E3B3C\cnvpe.fne

MD5 fb7ea6f8ae09fa7621ee13f86c4f2935
SHA1 d93676c39ad0181dad70a662c41fc4c280cce848
SHA256 bdc314d45af6a5afaed2663e63817902e80f9a18ba1965947c314b433e05bfb0
SHA512 e15111dda54bcab507c20e910f8257d2dec2830bfbc5f69e5286ce37cabb79237ce8fb1c813b2d82fa7bed0c2df89e2940ceebde358162553290224cf0866749

memory/2732-90-0x0000000010000000-0x0000000010033000-memory.dmp

memory/2116-82-0x0000000002990000-0x00000000029A4000-memory.dmp

memory/2768-108-0x0000000002020000-0x000000000213D000-memory.dmp

C:\Windows\SysWOW64\9E3B3C\com.run

MD5 ce2f773275d3fe8b78f4cf067d5e6a0f
SHA1 b7135e34d46eb4303147492d5cee5e1ef7b392ab
SHA256 eb8099c0ad2d82d9d80530443e2909f3b34be0844d445e844f1c994476c86d2d
SHA512 d733dc01c047be56680629a385abdd2aa1598a2b5459269028446da9097b6f6c1e7ade5b74e3ac3809dd8a3f8d1cbbe7fd669f2762be61f9c38fd4a2cca9e063

memory/2768-112-0x0000000000380000-0x00000000003CA000-memory.dmp

memory/2116-106-0x0000000010000000-0x0000000010033000-memory.dmp

memory/2768-105-0x0000000010000000-0x0000000010033000-memory.dmp

memory/2768-119-0x00000000022C0000-0x00000000022DE000-memory.dmp

memory/2768-116-0x00000000022A0000-0x00000000022B1000-memory.dmp

C:\Windows\SysWOW64\9E3B3C\eAPI.fne

MD5 936745bac5c873ab1a91478d27894626
SHA1 9ed92393f95692339ce03a8f1498f80c727e0555
SHA256 edfbe514d330e942ecd50dd7331659d59df27668e762d5a00e43df67f5f08630
SHA512 32d15337ab7a62ff25802c04bd782f5be36012f1a5251d962226a8e8e2daa7bc0a35b9cbfb67889d3b9dbc5f6cc51f924bae963ae12619249b22f2cc9aa2bbd4

memory/2768-131-0x0000000003280000-0x00000000032DD000-memory.dmp

memory/2768-104-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2116-103-0x00000000029B0000-0x00000000029CF000-memory.dmp

memory/2116-102-0x0000000000400000-0x0000000000472000-memory.dmp

C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE

MD5 e2b86e9a37fe4f85bbf0d08af28690a2
SHA1 d56b2d2a21cdf5661a17e32be5c71004eb558896
SHA256 b05ad065919cee4748075a182d681215c645c7cc3fdf9a06bfd18f7ebb067c91
SHA512 6cb065b121f11ee2700b22dd1cf9c9f4d44808261cc9ff2fac36165f42291598b708fa2501264d5c0dfc3df71e7bd6a3d22f9fff70e23d064733e488d49ee082

memory/2116-134-0x0000000010000000-0x0000000010033000-memory.dmp

memory/2768-140-0x00000000033E0000-0x00000000033F0000-memory.dmp

memory/2000-141-0x0000000003A90000-0x0000000003AA0000-memory.dmp

memory/2768-142-0x0000000010000000-0x0000000010033000-memory.dmp

memory/2768-145-0x0000000010000000-0x0000000010033000-memory.dmp

memory/2768-153-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2768-155-0x00000000033E0000-0x00000000033F0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-09-14 04:40

Reported 2024-09-14 04:42

Platform win10v2004-20240802-en

Max time kernel 111s

Max time network 98s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe"

Signatures

Floxif, Floodfix

backdoor trojan floxif

Detects Floxif payload

backdoor
Description Indicator Process Target
N/A N/A N/A N/A

Event Triggered Execution: AppInit DLLs

persistence privilege_escalation

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\E37CC5.lnk C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\9E3B3C\krnln.fnr C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe N/A
File opened for modification C:\Windows\SysWOW64\9E3B3C\RegEx.fnr C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe N/A
File created C:\Windows\SysWOW64\EE37CC\7CC5ADE1.TXT C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe N/A
File opened for modification C:\Windows\SysWOW64\9E3B3C\internet.fne C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe N/A
File opened for modification C:\Windows\SysWOW64\1A2F16 C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE N/A
File created C:\Windows\SysWOW64\9E3B3C\dp1.fne C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe N/A
File opened for modification C:\Windows\SysWOW64\9E3B3C\dp1.fne C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe N/A
File created C:\Windows\SysWOW64\9E3B3C\RegEx.fnr C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe N/A
File opened for modification C:\Windows\SysWOW64\C021A2 C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE N/A
File created C:\Windows\SysWOW64\C021A2\119e.inf C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE N/A
File opened for modification C:\Windows\SysWOW64\C021A2\3c8c.edt C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE N/A
File created C:\Windows\SysWOW64\9E3B3C\cnvpe.fne C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe N/A
File opened for modification C:\Windows\SysWOW64\EE37CC\7CC5ADE1.TXT C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe N/A
File created C:\Windows\SysWOW64\9E3B3C\internet.fne C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe N/A
File opened for modification C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe N/A
File opened for modification C:\Windows\SysWOW64\9E3B3C C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe N/A
File opened for modification C:\Windows\SysWOW64\EE37CC C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe N/A
File opened for modification C:\Windows\SysWOW64\9E3B3C\com.run C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe N/A
File opened for modification C:\Windows\SysWOW64\C021A2\3c8c.inf C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE N/A
File opened for modification C:\Windows\SysWOW64\9E3B3C\eAPI.fne C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe N/A
File created C:\Windows\SysWOW64\9E3B3C\spec_a.fne C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe N/A
File created C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe N/A
File opened for modification C:\Windows\SysWOW64\C021A2\119e.inf C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE N/A
File created C:\Windows\SysWOW64\C021A2\3c8c.inf C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE N/A
File created C:\Windows\SysWOW64\9E3B3C\eAPI.fne C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe N/A
File created C:\Windows\SysWOW64\9E3B3C\krnln.fnr C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe N/A
File opened for modification C:\Windows\SysWOW64\9E3B3C\spec.fne C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe N/A
File opened for modification C:\Windows\SysWOW64\C021A2\3c8c.EDT C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE N/A
File opened for modification C:\Windows\SysWOW64\9E3B3C\cnvpe.fne C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe N/A
File created C:\Windows\SysWOW64\9E3B3C\shell.fne C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe N/A
File opened for modification C:\Windows\SysWOW64\9E3B3C\shell.fne C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe N/A
File created C:\Windows\SysWOW64\9E3B3C\com.run C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe N/A
File created C:\Windows\SysWOW64\9E3B3C\spec.fne C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe N/A
File created C:\Windows\SysWOW64\C021A2\3c8c.EDT C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\System\symsrv.dll C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\arp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\arp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\arp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\arp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\arp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\arp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\arp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\arp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\arp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" C:\Windows\explorer.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Windows\explorer.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000cc0000000000000000000000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\explorer.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1844 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe C:\Windows\SysWOW64\arp.exe
PID 1844 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe C:\Windows\SysWOW64\arp.exe
PID 1844 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe C:\Windows\SysWOW64\arp.exe
PID 1844 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe C:\Windows\SysWOW64\arp.exe
PID 1844 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe C:\Windows\SysWOW64\arp.exe
PID 1844 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe C:\Windows\SysWOW64\arp.exe
PID 1844 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe C:\Windows\SysWOW64\arp.exe
PID 1844 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe C:\Windows\SysWOW64\arp.exe
PID 1844 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe C:\Windows\SysWOW64\arp.exe
PID 1844 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe C:\Windows\SysWOW64\arp.exe
PID 1844 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe C:\Windows\SysWOW64\arp.exe
PID 1844 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe C:\Windows\SysWOW64\arp.exe
PID 1844 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe C:\Windows\SysWOW64\arp.exe
PID 1844 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe C:\Windows\SysWOW64\arp.exe
PID 1844 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe C:\Windows\SysWOW64\arp.exe
PID 1844 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe C:\Windows\SysWOW64\arp.exe
PID 1844 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe C:\Windows\SysWOW64\arp.exe
PID 1844 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe C:\Windows\SysWOW64\arp.exe
PID 1844 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe C:\Windows\SysWOW64\arp.exe
PID 1844 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe C:\Windows\SysWOW64\arp.exe
PID 1844 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe C:\Windows\SysWOW64\arp.exe
PID 1844 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe C:\Windows\SysWOW64\arp.exe
PID 1844 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe C:\Windows\SysWOW64\arp.exe
PID 1844 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe C:\Windows\SysWOW64\arp.exe
PID 1844 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe C:\Windows\SysWOW64\arp.exe
PID 1844 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe C:\Windows\SysWOW64\arp.exe
PID 1844 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe C:\Windows\SysWOW64\arp.exe
PID 1844 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe C:\Windows\SysWOW64\explorer.exe
PID 1844 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe C:\Windows\SysWOW64\explorer.exe
PID 1844 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe C:\Windows\SysWOW64\explorer.exe
PID 1844 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE
PID 1844 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE
PID 1844 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe

"C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe"

C:\Windows\SysWOW64\arp.exe

arp -a

C:\Windows\SysWOW64\arp.exe

arp -s 10.127.0.1 5a-eb-a3-5a-86-dd

C:\Windows\SysWOW64\arp.exe

arp -s 10.127.255.255 fe-bf-2b-01-a1-27

C:\Windows\SysWOW64\arp.exe

arp -s 136.243.76.21 71-75-93-87-9c-c3

C:\Windows\SysWOW64\arp.exe

arp -s 224.0.0.22 25-2e-47-be-6e-83

C:\Windows\SysWOW64\arp.exe

arp -s 224.0.0.251 88-f9-6a-a9-82-ac

C:\Windows\SysWOW64\arp.exe

arp -s 224.0.0.252 2d-4a-2d-8d-e0-18

C:\Windows\SysWOW64\arp.exe

arp -s 239.255.255.250 61-f0-51-98-6d-43

C:\Windows\SysWOW64\arp.exe

arp -s 255.255.255.255 87-d1-6c-a2-36-0f

C:\Windows\SysWOW64\explorer.exe

explorer C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE

C:\Windows\system32\9E3B3C\E37CC5.EXE

Network

Country Destination Domain Proto
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

memory/1844-0-0x0000000000400000-0x0000000000472000-memory.dmp

C:\Program Files\Common Files\System\symsrv.dll

MD5 4fcd7574537cebec8e75b4e646996643
SHA1 efa59bb9050fb656b90d5d40c942fb2a304f2a8b
SHA256 8ea3b17e4b783ffc0bc387b81b823bf87af0d57da74541d88ba85314bb232a5d
SHA512 7f1a7ef64d332a735db82506b47d84853af870785066d29ccaf4fdeab114079a9f0db400e01ba574776a0d652a248658fe1e8f9659cdced19ad6eea09644ea3e

memory/1844-3-0x0000000010000000-0x0000000010033000-memory.dmp

memory/1844-7-0x0000000000403000-0x0000000000404000-memory.dmp

memory/1844-17-0x0000000002FB0000-0x00000000030CD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E_N4\krnln.fnr

MD5 cf46bb62a1ba559ceb0fad7a5d642f28
SHA1 80b63dd193e84bfacbe535587dd38471b8ea2c24
SHA256 fe4bba1a99b332c8bbd196d3a2f3c78d9edc8f212842ff2efef17eba38427f67
SHA512 1f71f31fdc1ef7695d7a6e79218a9192804178bb2af80486de4f8ff3d7e176860813a61fa265bf78fe4ff722a85b72798938d715d8a2a034ac759505197a1058

memory/4780-23-0x0000000010000000-0x0000000010033000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E_N4\shell.fne

MD5 d54753e7fc3ea03aec0181447969c0e8
SHA1 824e7007b6569ae36f174c146ae1b7242f98f734
SHA256 192608ff371400c1529aa05f1adba0fe4fdd769fcbf35ee5f8b4f78a838a7ec9
SHA512 c25ed4cb38d5d5e95a267979f0f3f9398c04a1bf5822dceb03d6f6d9b4832dfb227f1e6868327e52a0303f45c36b9ba806e75b16bd7419a7c5203c2ecbae838f

memory/1844-27-0x0000000002BD0000-0x0000000002BE1000-memory.dmp

C:\Windows\SysWOW64\9E3B3C\eAPI.fne

MD5 936745bac5c873ab1a91478d27894626
SHA1 9ed92393f95692339ce03a8f1498f80c727e0555
SHA256 edfbe514d330e942ecd50dd7331659d59df27668e762d5a00e43df67f5f08630
SHA512 32d15337ab7a62ff25802c04bd782f5be36012f1a5251d962226a8e8e2daa7bc0a35b9cbfb67889d3b9dbc5f6cc51f924bae963ae12619249b22f2cc9aa2bbd4

memory/1844-67-0x0000000002C10000-0x0000000002C24000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E_N4\cnvpe.fne

MD5 fb7ea6f8ae09fa7621ee13f86c4f2935
SHA1 d93676c39ad0181dad70a662c41fc4c280cce848
SHA256 bdc314d45af6a5afaed2663e63817902e80f9a18ba1965947c314b433e05bfb0
SHA512 e15111dda54bcab507c20e910f8257d2dec2830bfbc5f69e5286ce37cabb79237ce8fb1c813b2d82fa7bed0c2df89e2940ceebde358162553290224cf0866749

C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE

MD5 e2b86e9a37fe4f85bbf0d08af28690a2
SHA1 d56b2d2a21cdf5661a17e32be5c71004eb558896
SHA256 b05ad065919cee4748075a182d681215c645c7cc3fdf9a06bfd18f7ebb067c91
SHA512 6cb065b121f11ee2700b22dd1cf9c9f4d44808261cc9ff2fac36165f42291598b708fa2501264d5c0dfc3df71e7bd6a3d22f9fff70e23d064733e488d49ee082

memory/3900-82-0x0000000010000000-0x0000000010033000-memory.dmp

memory/3900-81-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4780-89-0x0000000010000000-0x0000000010033000-memory.dmp

memory/3900-86-0x00000000023A0000-0x00000000024BD000-memory.dmp

C:\Windows\SysWOW64\9E3B3C\com.run

MD5 ce2f773275d3fe8b78f4cf067d5e6a0f
SHA1 b7135e34d46eb4303147492d5cee5e1ef7b392ab
SHA256 eb8099c0ad2d82d9d80530443e2909f3b34be0844d445e844f1c994476c86d2d
SHA512 d733dc01c047be56680629a385abdd2aa1598a2b5459269028446da9097b6f6c1e7ade5b74e3ac3809dd8a3f8d1cbbe7fd669f2762be61f9c38fd4a2cca9e063

memory/3900-93-0x00000000026F0000-0x000000000273A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E_N4\dp1.fne

MD5 6d4b2e73f6f8ecff02f19f7e8ef9a8c7
SHA1 09c32ca167136a17fd69df8c525ea5ffeca6c534
SHA256 fe5783e64aa70fac10c2e42d460732d9770534357329d8bc78576557c165f040
SHA512 2fd7a95cb632e9c4ac6b34e5b6b875aae94e73cd4b1f213e78f46dadab4846227a030776461bca08f9d75a1d61a0d45427f7b0c8b71406b7debc14db04b2ce04

memory/1844-33-0x0000000002BF0000-0x0000000002C0E000-memory.dmp

memory/3900-98-0x0000000003240000-0x0000000003251000-memory.dmp

memory/3900-102-0x0000000003360000-0x000000000337E000-memory.dmp

memory/3900-116-0x00000000034B0000-0x000000000350D000-memory.dmp

memory/1844-121-0x0000000000400000-0x0000000000472000-memory.dmp

memory/1844-122-0x0000000010000000-0x0000000010033000-memory.dmp

memory/3900-126-0x0000000010000000-0x0000000010033000-memory.dmp

memory/3900-136-0x0000000000400000-0x000000000041F000-memory.dmp