Analysis Overview
SHA256: 388849ff698162b1d7e8b555b67b6d3ad4b53709ee002e1e40f5c77b2319a368
Threat Level: Known bad
The file 2024-09-16_3502350eba54b4ac640a8748470ac2c0_floxif_icedid was found to be: Known bad.
Malicious Activity Summary
Floxif, Floodfix
Detects Floxif payload
Event Triggered Execution: AppInit DLLs
Loads dropped DLL
ACProtect 1.3x - 1.4x DLL software
UPX packed file
Executes dropped EXE
Enumerates connected drives
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
MITRE ATT&CK: Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-09-16 00:59
Signatures: none listed
Analysis: behavioral1
Detonation Overview
Submitted: 2024-09-16 00:59
Reported: 2024-09-16 01:01
Platform: win7-20240903-en
Max time kernel: 145s
Max time network: 118s
Command Line: (empty)
Signatures
Floxif, Floodfix
Detects Floxif payload
1 match; no per-match details recorded.
Event Triggered Execution: AppInit DLLs
ACProtect 1.3x - 1.4x DLL software
1 match; no per-match details recorded.
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-09-16_3502350eba54b4ac640a8748470ac2c0_floxif_icedid.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
UPX packed file
14 matches; no per-match details recorded.
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\e: | C:\Users\Admin\AppData\Local\Temp\2024-09-16_3502350eba54b4ac640a8748470ac2c0_floxif_icedid.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Common Files\System\symsrv.dll | C:\Users\Admin\AppData\Local\Temp\2024-09-16_3502350eba54b4ac640a8748470ac2c0_floxif_icedid.exe | N/A |
| File created | \??\c:\program files\common files\system\symsrv.dll.000 | C:\Users\Admin\AppData\Local\Temp\2024-09-16_3502350eba54b4ac640a8748470ac2c0_floxif_icedid.exe | N/A |
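The report raises the AppInit DLLs signature above and, in this table, shows the sample writing symsrv.dll and symsrv.dll.000 under Common Files\System, but it does not show the registry value that would tie the two together. The Python below is an added example, not the sandbox vendor's or the sample's code: it parses `reg query` output for the two keys the loader consults (native and Wow6432Node views) and flags AppInit entries that live outside the Windows system directories, that are loaded without the signed-DLL requirement, or whose name matches the DLL dropped in this report. The registry dump embedded in it is constructed; the 8.3 short path in it is an assumption (AppInit_DLLs values are space- or comma-delimited, so a path containing spaces has to be written in short form).

```python
"""Parse `reg query` output for the AppInit_DLLs mechanism and flag risky entries.

Added example for this report (not the sandbox vendor's or the sample's code).
SAMPLE_REG_QUERY is CONSTRUCTED: the report shows the AppInit signature and the
symsrv.dll drop but not the registry value, so the value below is an assumption.
"""
import re
from dataclasses import dataclass, field

# Keys the loader consults for AppInit DLLs: native view and WOW64 view.
APPINIT_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows",
)

# Constructed `reg query` output. AppInit_DLLs is space/comma delimited, so a
# path with spaces has to appear in 8.3 form; this short path is an assumption.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs    REG_SZ    C:\PROGRA~1\COMMON~1\System\symsrv.dll
    LoadAppInit_DLLs    REG_DWORD    0x1
    RequireSignedAppInit_DLLs    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs    REG_SZ
    LoadAppInit_DLLs    REG_DWORD    0x0
"""

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
KNOWN_DROPPED = {"symsrv.dll"}  # DLL name this report shows being dropped

# One `reg query` value line: name, type, optional data.
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s*(.*?)\s*$")


@dataclass
class AppInitState:
    key: str
    dlls: list = field(default_factory=list)
    load_enabled: bool = False      # LoadAppInit_DLLs
    require_signed: bool = False    # RequireSignedAppInit_DLLs


def parse_reg_query(text: str) -> dict:
    """Map each key in `reg query` style text to its AppInit settings."""
    states, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = AppInitState(key=line.strip())
            states[current.key] = current
            continue
        m = VALUE_RE.match(line)
        if not m or current is None:
            continue
        name, _type, data = m.groups()
        name = name.lower()
        if name == "appinit_dlls":
            current.dlls = [d for d in re.split(r"[ ,]+", data) if d]
        elif name == "loadappinit_dlls":
            current.load_enabled = int(data, 16) != 0
        elif name == "requiresignedappinit_dlls":
            current.require_signed = int(data, 16) != 0
    return states


def assess(states: dict) -> list:
    """Return (key, dll, reasons) for every AppInit DLL that deserves a look."""
    findings = []
    for st in states.values():
        for dll in st.dlls:
            reasons = []
            if dll.rsplit("\\", 1)[-1].lower() in KNOWN_DROPPED:
                reasons.append("name matches a DLL dropped in this report")
            if not dll.lower().startswith(SYSTEM_DIRS):
                reasons.append("DLL lives outside the Windows system directories")
            if st.load_enabled and not st.require_signed:
                reasons.append("LoadAppInit_DLLs=1 with RequireSignedAppInit_DLLs=0")
            if not st.load_enabled:
                reasons.append("LoadAppInit_DLLs=0: value is present but not loaded")
            findings.append((st.key, dll, reasons))
    return findings


if __name__ == "__main__":
    for key, dll, reasons in assess(parse_reg_query(SAMPLE_REG_QUERY)):
        print(f"{key}\n  {dll}\n    " + "\n    ".join(reasons))
```

Feed it the output of `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"` (and the Wow6432Node key) captured from a suspect host. On Windows 8 and later the AppInit_DLLs mechanism is disabled while Secure Boot is enabled, so an empty or ignored value there does not rule out the drop; verify the files under Common Files\System by hash as well.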
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-09-16_3502350eba54b4ac640a8748470ac2c0_floxif_icedid.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-09-16_3502350eba54b4ac640a8748470ac2c0_floxif_icedid.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-09-16_3502350eba54b4ac640a8748470ac2c0_floxif_icedid.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-09-16_3502350eba54b4ac640a8748470ac2c0_floxif_icedid.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-09-16_3502350eba54b4ac640a8748470ac2c0_floxif_icedid.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-09-16_3502350eba54b4ac640a8748470ac2c0_floxif_icedid.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-09-16_3502350eba54b4ac640a8748470ac2c0_floxif_icedid.exe | "C:\Users\Admin\AppData\Local\Temp\2024-09-16_3502350eba54b4ac640a8748470ac2c0_floxif_icedid.exe" |
| C:\Windows\SysWOW64\msiexec.exe | msiexec.exe /x {D9FB7F91-9687-4B09-894D-072903CADEA4} /passive |
| C:\Windows\system32\msiexec.exe | C:\Windows\system32\msiexec.exe /V |
| C:\Windows\SysWOW64\msiexec.exe | msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\QualcommWindowsDriverInstaller.msi" |
| C:\Windows\syswow64\MsiExec.exe | C:\Windows\syswow64\MsiExec.exe -Embedding 85C07451C438DC3389D90E8132ADDB54 C |
| C:\Users\Admin\AppData\Local\Temp\{3EC23119-1F37-466B-83A2-8299FDFD8171}\ISBEW64.exe | C:\Users\Admin\AppData\Local\Temp\{3EC23119-1F37-466B-83A2-8299FDFD8171}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{98543D9E-D779-4D95-8199-ED77A9E8B007} |
| C:\Users\Admin\AppData\Local\Temp\{3EC23119-1F37-466B-83A2-8299FDFD8171}\ISBEW64.exe | C:\Users\Admin\AppData\Local\Temp\{3EC23119-1F37-466B-83A2-8299FDFD8171}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2F01415A-9D3C-436C-AB23-A0507854F0F3} |
| C:\Users\Admin\AppData\Local\Temp\{3EC23119-1F37-466B-83A2-8299FDFD8171}\ISBEW64.exe | C:\Users\Admin\AppData\Local\Temp\{3EC23119-1F37-466B-83A2-8299FDFD8171}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{9372D979-35D5-4ACC-9E5B-CA97670C1F81} |
| C:\Users\Admin\AppData\Local\Temp\{3EC23119-1F37-466B-83A2-8299FDFD8171}\ISBEW64.exe | C:\Users\Admin\AppData\Local\Temp\{3EC23119-1F37-466B-83A2-8299FDFD8171}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{DAFC3958-05A2-41ED-AE3B-2D6497A2AE1F} |
| C:\Users\Admin\AppData\Local\Temp\{3EC23119-1F37-466B-83A2-8299FDFD8171}\ISBEW64.exe | C:\Users\Admin\AppData\Local\Temp\{3EC23119-1F37-466B-83A2-8299FDFD8171}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{CAC586EE-A4CC-4294-91A1-FDEB02D8FAA7} |
| C:\Users\Admin\AppData\Local\Temp\{3EC23119-1F37-466B-83A2-8299FDFD8171}\ISBEW64.exe | C:\Users\Admin\AppData\Local\Temp\{3EC23119-1F37-466B-83A2-8299FDFD8171}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F757AC84-9E84-4B09-9B88-8F434A1BC752} |
| C:\Users\Admin\AppData\Local\Temp\{3EC23119-1F37-466B-83A2-8299FDFD8171}\ISBEW64.exe | C:\Users\Admin\AppData\Local\Temp\{3EC23119-1F37-466B-83A2-8299FDFD8171}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8CE92DB3-C97F-4789-BD54-06869ECD8047} |
| C:\Users\Admin\AppData\Local\Temp\{3EC23119-1F37-466B-83A2-8299FDFD8171}\ISBEW64.exe | C:\Users\Admin\AppData\Local\Temp\{3EC23119-1F37-466B-83A2-8299FDFD8171}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{9ED6117F-C594-4A99-90EE-69091E59ADBA} |
| C:\Users\Admin\AppData\Local\Temp\{3EC23119-1F37-466B-83A2-8299FDFD8171}\ISBEW64.exe | C:\Users\Admin\AppData\Local\Temp\{3EC23119-1F37-466B-83A2-8299FDFD8171}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2D7F1A88-29C0-487D-91F5-43F60FF9EE28} |
| C:\Users\Admin\AppData\Local\Temp\{3EC23119-1F37-466B-83A2-8299FDFD8171}\ISBEW64.exe | C:\Users\Admin\AppData\Local\Temp\{3EC23119-1F37-466B-83A2-8299FDFD8171}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5FA18361-5A78-446C-AFB0-66D30EEC497B} |
| C:\Users\Admin\AppData\Local\Temp\{3EC23119-1F37-466B-83A2-8299FDFD8171}\ISBEW64.exe | C:\Users\Admin\AppData\Local\Temp\{3EC23119-1F37-466B-83A2-8299FDFD8171}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{30D10D33-705C-4281-9A5F-B219FA51A72A} |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 5isohu.com | udp |
| US | 8.8.8.8:53 | www.aieov.com | udp |
| US | 45.33.23.183:80 | www.aieov.com | tcp |
| US | 45.33.23.183:80 | www.aieov.com | tcp |
| US | 45.33.23.183:80 | www.aieov.com | tcp |
| US | 45.33.23.183:80 | www.aieov.com | tcp |
| US | 45.33.23.183:80 | www.aieov.com | tcp |
| US | 45.33.23.183:80 | www.aieov.com | tcp |
Files
\Program Files\Common Files\System\symsrv.dll
| MD5 | 7574cf2c64f35161ab1292e2f532aabf |
| SHA1 | 14ba3fa927a06224dfe587014299e834def4644f |
| SHA256 | de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085 |
| SHA512 | 4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab |
memory/2524-3-0x0000000010000000-0x0000000010030000-memory.dmp
memory/2524-5-0x00000000004AF000-0x00000000004B3000-memory.dmp
memory/1076-9-0x0000000010000000-0x0000000010030000-memory.dmp
memory/1076-10-0x0000000010000000-0x0000000010030000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\QualcommWindowsDriverInstaller.msi
| MD5 | cde633c7be2c8db52f0922f8a8e0c613 |
| SHA1 | a9bc8e3c20244d7057843ebb5ce6152f9ef1bd7f |
| SHA256 | a7d18848d352986989170eaae01af8439b91b732544662c80c17bad8605353e5 |
| SHA512 | e32e7bf3c682f070bfae158d98565aa4285bb0154f6655469ad470289845182d757623ad55bd649c39a5c2cd9f8da15aa564d71103084d8fafb336921211009b |
memory/2616-16-0x0000000010000000-0x0000000010030000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MSIBA79.tmp
| MD5 | ca189a2b762e64d61303bfd4d88fd0a6 |
| SHA1 | 13bf55664fb0345d3931458f75b6039c1213f46a |
| SHA256 | dc5094ceb682772d95b427230bfb1af29df90ef67fe8afb08c43a0f2af3f880a |
| SHA512 | 31bb912f5c5f6cd6577f8529fcbbfc0bf4d0bda5e1904772c57cd942520db7dd1c10657e8695d16418a05763202af1034e4e47a7db8a8be618b9e330e8a544bf |
memory/2616-21-0x0000000002AF0000-0x0000000002CA5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\{3EC23119-1F37-466B-83A2-8299FDFD8171}\ISBEW64.exe
| MD5 | c3b2acc07bb0610405fc786e3432bef9 |
| SHA1 | 333d5f2b55bd00ad4311ba104af7db984f953924 |
| SHA256 | 9acc6cb5d01a4e4dbc92c8774c6999fab5f0e49f097e83098ba740842f5a2894 |
| SHA512 | 2438e5dd11c8322101d9dc2d0f89ed0b1fc3cb5a65f644a1cf07f4c5a7f353c648e715fb910e09a444b623b3384eecd628e312608bcec63aa3b0107630df32bd |
\Users\Admin\AppData\Local\Temp\{3EC23119-1F37-466B-83A2-8299FDFD8171}\ISRT.dll
| MD5 | a93f625ef42b54c2b0f4d38201e67606 |
| SHA1 | cbfebc1f736ccfc65562ede79a5ae1a8afb116a1 |
| SHA256 | e91a865c3d60d9d0bce5d5a0a2f551c5e032d5bc13bc40f85091ce46d38064e0 |
| SHA512 | 805f0d535022de3d03aa191239fd90c54f2f6745bf02e0ce9cbe59ea34eecac7f9ebb600864c7cbcad5d011fa61bdb5b65889136617edc44178f87bd3970b198 |
memory/2616-43-0x00000000034C0000-0x0000000003567000-memory.dmp
\Users\Admin\AppData\Local\Temp\{3EC23119-1F37-466B-83A2-8299FDFD8171}\_isres_0x0409.dll
| MD5 | d6bbf7ff6984213c7f1f0f8f07c51e6a |
| SHA1 | cfe933fc3b634f7333adec7ec124c14e9d19ac21 |
| SHA256 | 6366e18a8cbf609c9573f341004e5c2725c23a12973affa90ee7bcc7934ae1b2 |
| SHA512 | a1364c96848f54b241c8e92ed1887ca599255c8046e31af11cd4b0b23d97c00243808dff9086a536c0084d6815223685283844a9e27f2c20c4d3b85a794a9e9d |
memory/2616-46-0x0000000003240000-0x00000000032C9000-memory.dmp
\Users\Admin\AppData\Local\Temp\{3EC23119-1F37-466B-83A2-8299FDFD8171}\_isres_0x0409.dll.tmp
| MD5 | 5aa0b61df44e1dcbb764ffb795c20661 |
| SHA1 | 03887b6b8cd03f8a12aacc4a2e3f34c508b0cb5c |
| SHA256 | ceade2baab491915ede85ec0fafaa2f9e550fd6626b46877529918cd6155106a |
| SHA512 | f2162b76fd3173fe9df8034318ce4c9201a174f86a72c2a72770ce0d783a1b56a6b0b8f00831d5c48c6c973cbdb821b62d0b74b8b7cc17d3ff4ec01bf87e4e13 |
memory/2524-67-0x0000000010000000-0x0000000010030000-memory.dmp
memory/2720-69-0x0000000010000000-0x0000000010030000-memory.dmp
memory/2616-70-0x0000000010000000-0x0000000010030000-memory.dmp
memory/2524-71-0x0000000010000000-0x0000000010030000-memory.dmp
memory/2616-74-0x0000000002AF0000-0x0000000002CA5000-memory.dmp
memory/2616-76-0x0000000003240000-0x00000000032C9000-memory.dmp
memory/2616-75-0x00000000034C0000-0x0000000003567000-memory.dmp
memory/2524-79-0x0000000010000000-0x0000000010030000-memory.dmp
memory/2524-87-0x0000000010000000-0x0000000010030000-memory.dmp
memory/2524-95-0x0000000010000000-0x0000000010030000-memory.dmp
C:\Program Files\Common Files\System\symsrv.dll.000
| MD5 | 1130c911bf5db4b8f7cf9b6f4b457623 |
| SHA1 | 48e734c4bc1a8b5399bff4954e54b268bde9d54c |
| SHA256 | eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1 |
| SHA512 | 94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0 |
memory/2524-103-0x0000000010000000-0x0000000010030000-memory.dmp
memory/2524-113-0x0000000010000000-0x0000000010030000-memory.dmp
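The Network and Files sections above are the hunting material this report yields: the digests of the dropped files, their paths under Common Files\System, the two domains resolved through 8.8.8.8 and the address contacted on port 80. The Python below is an added example, not the sandbox vendor's code: it collects those indicators, hashes a file to check it against the dropped-file digests, and scans log lines for path, hash, domain and address matches. The telemetry it scans is constructed in a Sysmon-like key=value layout (the sample's Temp path and the values above are reused; the benign lines, example.com and the documentation address 203.0.113.10 are placeholders), and parse_line() is an assumption about that layout rather than a parser for any particular product's log format.

```python
"""Hunt for this report's indicators in host telemetry and verify dropped files.

Added example assembled from the indicators on this page; not the sandbox
vendor's code. SAMPLE_LOGS is CONSTRUCTED in a Sysmon-like key=value shape so
the script runs offline; parse_line() is an assumption about that shape.
"""
import hashlib
import re
from pathlib import Path

# Indicators copied from the Files, Drops file and Network sections above.
IOC_SHA256 = {
    "388849ff698162b1d7e8b555b67b6d3ad4b53709ee002e1e40f5c77b2319a368": "submitted sample",
    "de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085": "symsrv.dll (dropped)",
    "eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1": "symsrv.dll.000 (dropped)",
}
IOC_DOMAINS = {"5isohu.com", "www.aieov.com"}
IOC_IPS = {"45.33.23.183"}
IOC_PATHS = {
    r"c:\program files\common files\system\symsrv.dll",
    r"c:\program files\common files\system\symsrv.dll.000",
}

# Constructed telemetry: the first four lines reuse paths and values from the
# report; the last two are benign placeholders (203.0.113.10 is a documentation address).
SAMPLE_LOGS = [
    r"EventID=11 Image=C:\Users\Admin\AppData\Local\Temp\2024-09-16_3502350eba54b4ac640a8748470ac2c0_floxif_icedid.exe TargetFilename=C:\Program Files\Common Files\System\symsrv.dll",
    r"EventID=1 Image=C:\Users\Admin\AppData\Local\Temp\2024-09-16_3502350eba54b4ac640a8748470ac2c0_floxif_icedid.exe Hashes=SHA256=388849ff698162b1d7e8b555b67b6d3ad4b53709ee002e1e40f5c77b2319a368",
    r"EventID=22 Image=C:\Windows\SysWOW64\msiexec.exe QueryName=www.aieov.com QueryResults=45.33.23.183",
    r"EventID=3 Image=C:\Windows\SysWOW64\msiexec.exe DestinationIp=45.33.23.183 DestinationPort=80",
    r"EventID=22 Image=C:\Windows\System32\svchost.exe QueryName=example.com QueryResults=203.0.113.10",
    r"EventID=1 Image=C:\Windows\System32\notepad.exe CommandLine=notepad.exe",
]

# key=value pairs whose values may contain spaces (paths); a value ends where
# the next " key=" begins.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
SHA256_RE = re.compile(r"SHA256=([0-9a-fA-F]{64})")


def hash_bytes(data: bytes) -> tuple:
    """Return (md5, sha1, sha256) hex digests, the three the report lists per file."""
    return tuple(h(data).hexdigest() for h in (hashlib.md5, hashlib.sha1, hashlib.sha256))


def check_file(path: str):
    """Label a file whose SHA-256 matches one of the report's files, else None."""
    return IOC_SHA256.get(hash_bytes(Path(path).read_bytes())[2])


def parse_line(line: str) -> dict:
    """Split one key=value log line into a dict (assumed layout, see header)."""
    return dict(FIELD_RE.findall(line))


def match_line(line: str) -> list:
    """Return (indicator_type, value) hits for one log line."""
    f = parse_line(line)
    hits = []
    for key in ("TargetFilename", "ImageLoaded"):
        if f.get(key, "").lower() in IOC_PATHS:
            hits.append(("path", f[key]))
    if f.get("QueryName", "").lower() in IOC_DOMAINS:
        hits.append(("domain", f["QueryName"]))
    for key in ("DestinationIp", "QueryResults"):
        for ip in IPV4_RE.findall(f.get(key, "")):
            if ip in IOC_IPS:
                hits.append(("ip", ip))
    m = SHA256_RE.search(f.get("Hashes", ""))
    if m and m.group(1).lower() in IOC_SHA256:
        hits.append(("sha256", m.group(1).lower()))
    return hits


def scan(lines) -> list:
    """Return (line_number, line, hits) for every line with at least one hit."""
    out = []
    for i, line in enumerate(lines):
        hits = match_line(line)
        if hits:
            out.append((i, line, hits))
    return out


if __name__ == "__main__":
    for i, line, hits in scan(SAMPLE_LOGS):
        print(f"line {i}: {hits}")
```

Domain and address indicators age quickly; the file digests and the symsrv.dll path under Common Files\System are the durable part of this report, so check_file() on a recovered copy of that file is the strongest confirmation the page supports.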
Analysis: behavioral2
Detonation Overview
Submitted: 2024-09-16 00:59
Reported: 2024-09-16 01:01
Platform: win10v2004-20240802-en
Max time kernel: 149s
Max time network: 151s
Command Line: (empty)
Signatures
Floxif, Floodfix
Detects Floxif payload
1 match; no per-match details recorded.
ACProtect 1.3x - 1.4x DLL software
1 match; no per-match details recorded.
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-09-16_3502350eba54b4ac640a8748470ac2c0_floxif_icedid.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-09-16_3502350eba54b4ac640a8748470ac2c0_floxif_icedid.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-09-16_3502350eba54b4ac640a8748470ac2c0_floxif_icedid.exe | N/A |
UPX packed file
7 matches; no per-match details recorded.
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\N: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\e: | C:\Users\Admin\AppData\Local\Temp\2024-09-16_3502350eba54b4ac640a8748470ac2c0_floxif_icedid.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | \??\c:\program files\common files\system\symsrv.dll.000 | C:\Users\Admin\AppData\Local\Temp\2024-09-16_3502350eba54b4ac640a8748470ac2c0_floxif_icedid.exe | N/A |
| File created | C:\Program Files\Common Files\System\symsrv.dll | C:\Users\Admin\AppData\Local\Temp\2024-09-16_3502350eba54b4ac640a8748470ac2c0_floxif_icedid.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-09-16_3502350eba54b4ac640a8748470ac2c0_floxif_icedid.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-09-16_3502350eba54b4ac640a8748470ac2c0_floxif_icedid.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-09-16_3502350eba54b4ac640a8748470ac2c0_floxif_icedid.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-09-16_3502350eba54b4ac640a8748470ac2c0_floxif_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-16_3502350eba54b4ac640a8748470ac2c0_floxif_icedid.exe"
C:\Windows\SysWOW64\msiexec.exe
msiexec.exe /x {D9FB7F91-9687-4B09-894D-072903CADEA4} /passive
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\SysWOW64\msiexec.exe
msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\QualcommWindowsDriverInstaller.msi"
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding AF03115B919E2C9A2434C0591138A965 C
C:\Users\Admin\AppData\Local\Temp\{F6C5369C-DF6A-4081-850C-C0B6AE139E67}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{F6C5369C-DF6A-4081-850C-C0B6AE139E67}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7BF8DD61-D944-49D9-9CA4-74EA74DB070B}
C:\Users\Admin\AppData\Local\Temp\{F6C5369C-DF6A-4081-850C-C0B6AE139E67}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{F6C5369C-DF6A-4081-850C-C0B6AE139E67}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{9FC41A7B-8F3F-4FBC-BC54-F388123F8EF1}
C:\Users\Admin\AppData\Local\Temp\{F6C5369C-DF6A-4081-850C-C0B6AE139E67}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{F6C5369C-DF6A-4081-850C-C0B6AE139E67}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E2EAB78C-264F-4AAC-B597-A0BAF36BFDCE}
C:\Users\Admin\AppData\Local\Temp\{F6C5369C-DF6A-4081-850C-C0B6AE139E67}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{F6C5369C-DF6A-4081-850C-C0B6AE139E67}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5FE244DF-E83A-4C72-B212-9432ABA5DF9A}
C:\Users\Admin\AppData\Local\Temp\{F6C5369C-DF6A-4081-850C-C0B6AE139E67}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{F6C5369C-DF6A-4081-850C-C0B6AE139E67}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C4292E17-DE00-4619-B5E6-EDC46291B387}
C:\Users\Admin\AppData\Local\Temp\{F6C5369C-DF6A-4081-850C-C0B6AE139E67}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{F6C5369C-DF6A-4081-850C-C0B6AE139E67}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{479E6C75-A573-4BEC-9D47-D70CEB020B77}
C:\Users\Admin\AppData\Local\Temp\{F6C5369C-DF6A-4081-850C-C0B6AE139E67}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{F6C5369C-DF6A-4081-850C-C0B6AE139E67}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A4C15E68-F779-4257-9DD9-6549F53104F1}
C:\Users\Admin\AppData\Local\Temp\{F6C5369C-DF6A-4081-850C-C0B6AE139E67}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{F6C5369C-DF6A-4081-850C-C0B6AE139E67}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D7470079-D2B8-4B54-9072-027DBBF1DC1E}
C:\Users\Admin\AppData\Local\Temp\{F6C5369C-DF6A-4081-850C-C0B6AE139E67}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{F6C5369C-DF6A-4081-850C-C0B6AE139E67}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0B537869-05DD-49DA-BCE1-B8232EE6ABB1}
C:\Users\Admin\AppData\Local\Temp\{F6C5369C-DF6A-4081-850C-C0B6AE139E67}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{F6C5369C-DF6A-4081-850C-C0B6AE139E67}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6EA142DE-D966-406D-BEF4-19D8DC9C56F7}
C:\Users\Admin\AppData\Local\Temp\{F6C5369C-DF6A-4081-850C-C0B6AE139E67}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{F6C5369C-DF6A-4081-850C-C0B6AE139E67}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{BCC6F922-B42D-4585-91CB-927E3662F309}
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5isohu.com | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.aieov.com | udp |
| US | 72.14.178.174:80 | www.aieov.com | tcp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 174.178.14.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5isohu.com | udp |
| US | 72.14.178.174:80 | www.aieov.com | tcp |
| US | 72.14.178.174:80 | www.aieov.com | tcp |
| US | 8.8.8.8:53 | 5isohu.com | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 72.14.178.174:80 | www.aieov.com | tcp |
| US | 8.8.8.8:53 | 5isohu.com | udp |
| US | 72.14.178.174:80 | www.aieov.com | tcp |
| US | 8.8.8.8:53 | 5isohu.com | udp |
| US | 72.14.178.174:80 | www.aieov.com | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5isohu.com | udp |
| US | 72.14.178.174:80 | www.aieov.com | tcp |
| US | 8.8.8.8:53 | 209.143.182.52.in-addr.arpa | udp |
Files
C:\Program Files\Common Files\System\symsrv.dll
| MD5 | 7574cf2c64f35161ab1292e2f532aabf |
| SHA1 | 14ba3fa927a06224dfe587014299e834def4644f |
| SHA256 | de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085 |
| SHA512 | 4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab |
C:\Users\Admin\AppData\Local\Temp\QualcommWindowsDriverInstaller.msi
| MD5 | cde633c7be2c8db52f0922f8a8e0c613 |
| SHA1 | a9bc8e3c20244d7057843ebb5ce6152f9ef1bd7f |
| SHA256 | a7d18848d352986989170eaae01af8439b91b732544662c80c17bad8605353e5 |
| SHA512 | e32e7bf3c682f070bfae158d98565aa4285bb0154f6655469ad470289845182d757623ad55bd649c39a5c2cd9f8da15aa564d71103084d8fafb336921211009b |
C:\Users\Admin\AppData\Local\Temp\MSI72DE.tmp
| MD5 | ca189a2b762e64d61303bfd4d88fd0a6 |
| SHA1 | 13bf55664fb0345d3931458f75b6039c1213f46a |
| SHA256 | dc5094ceb682772d95b427230bfb1af29df90ef67fe8afb08c43a0f2af3f880a |
| SHA512 | 31bb912f5c5f6cd6577f8529fcbbfc0bf4d0bda5e1904772c57cd942520db7dd1c10657e8695d16418a05763202af1034e4e47a7db8a8be618b9e330e8a544bf |
C:\Users\Admin\AppData\Local\Temp\{F6C5369C-DF6A-4081-850C-C0B6AE139E67}\ISBEW64.exe
| MD5 | c3b2acc07bb0610405fc786e3432bef9 |
| SHA1 | 333d5f2b55bd00ad4311ba104af7db984f953924 |
| SHA256 | 9acc6cb5d01a4e4dbc92c8774c6999fab5f0e49f097e83098ba740842f5a2894 |
| SHA512 | 2438e5dd11c8322101d9dc2d0f89ed0b1fc3cb5a65f644a1cf07f4c5a7f353c648e715fb910e09a444b623b3384eecd628e312608bcec63aa3b0107630df32bd |
C:\Users\Admin\AppData\Local\Temp\{F6C5369C-DF6A-4081-850C-C0B6AE139E67}\ISRT.dll
| MD5 | a93f625ef42b54c2b0f4d38201e67606 |
| SHA1 | cbfebc1f736ccfc65562ede79a5ae1a8afb116a1 |
| SHA256 | e91a865c3d60d9d0bce5d5a0a2f551c5e032d5bc13bc40f85091ce46d38064e0 |
| SHA512 | 805f0d535022de3d03aa191239fd90c54f2f6745bf02e0ce9cbe59ea34eecac7f9ebb600864c7cbcad5d011fa61bdb5b65889136617edc44178f87bd3970b198 |
C:\Users\Admin\AppData\Local\Temp\{F6C5369C-DF6A-4081-850C-C0B6AE139E67}\_isres_0x0409.dll
| MD5 | d6bbf7ff6984213c7f1f0f8f07c51e6a |
| SHA1 | cfe933fc3b634f7333adec7ec124c14e9d19ac21 |
| SHA256 | 6366e18a8cbf609c9573f341004e5c2725c23a12973affa90ee7bcc7934ae1b2 |
| SHA512 | a1364c96848f54b241c8e92ed1887ca599255c8046e31af11cd4b0b23d97c00243808dff9086a536c0084d6815223685283844a9e27f2c20c4d3b85a794a9e9d |
C:\Program Files\Common Files\System\symsrv.dll.000
| MD5 | 1130c911bf5db4b8f7cf9b6f4b457623 |
| SHA1 | 48e734c4bc1a8b5399bff4954e54b268bde9d54c |
| SHA256 | eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1 |
| SHA512 | 94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0 |
C:\Users\Admin\AppData\Local\Temp\{F6C5369C-DF6A-4081-850C-C0B6AE139E67}\_isres_0x0409.dll.tmp
| MD5 | 68b1f64ad9c316e0cd081457351f8d32 |
| SHA1 | df3cb2f740be42db76d6e439d712e5fa705febd5 |
| SHA256 | 39430d085271d48f933a0ff14f294ed8e9fd40f66ed17d427662cabef3d4039c |
| SHA512 | 9c07b9149e0396df917687fd72b1d57776fd8d089659d2eed65104b0d77f7c579a51d188a6e57888fe57f75552abead8deb34e174cf3be8e94381a8b658f2f7c |