Malware Analysis Report

2025-01-02 07:22

Sample ID 240916-bb7gva1fpk
Target 2024-09-16_3502350eba54b4ac640a8748470ac2c0_floxif_icedid
SHA256 388849ff698162b1d7e8b555b67b6d3ad4b53709ee002e1e40f5c77b2319a368
Tags
floxif backdoor discovery persistence privilege_escalation trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

388849ff698162b1d7e8b555b67b6d3ad4b53709ee002e1e40f5c77b2319a368

Threat Level: Known bad

Analyst note: the submitted file is a Floxif-infected host executable rather than a standalone trojan. The infector code it carries drops C:\Program Files\Common Files\System\symsrv.dll (plus symsrv.dll.000) and resolves 5isohu.com and www.aieov.com, both long-standing Floxif domains; the host program it infected is a Qualcomm driver installer, which is why the detonations below show msiexec.exe, QualcommWindowsDriverInstaller.msi and the InstallShield helper ISBEW64.exe. Read the msiexec and ISBEW64 rows as the carrier's normal installer behaviour, and the symsrv.dll drop, the two DNS lookups and the sample's own SeDebugPrivilege request as the Floxif-specific indicators. The memory dumps of a 0x30000-byte region at 0x10000000 (the default DLL image base) recur in PIDs 2524, 1076, 2720 and 2616, so the same module is mapped in the sample and in msiexec processes it never wrote to, which is consistent with the AppInit DLLs signature even though that signature's registry indicator was not captured in the tables. No IcedID signature fired in either detonation; the 'icedid' token appears only in the submitted filename.

Malicious Activity Summary

floxif backdoor discovery persistence privilege_escalation trojan upx

Floxif, Floodfix

Detects Floxif payload

Event Triggered Execution: AppInit DLLs

Loads dropped DLL

ACProtect 1.3x - 1.4x DLL software

UPX packed file

Executes dropped EXE

Enumerates connected drives

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-16 00:59

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-16 00:59

Reported

2024-09-16 01:01

Platform

win7-20240903-en

Max time kernel

145s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-09-16_3502350eba54b4ac640a8748470ac2c0_floxif_icedid.exe"

Signatures

Floxif, Floodfix

backdoor trojan floxif

Detects Floxif payload

backdoor
Description Indicator Process Target
N/A N/A N/A N/A

Event Triggered Execution: AppInit DLLs

persistence privilege_escalation

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
14 UPX matches recorded; no indicator, process or target detail was captured for any of them.

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: through \??\Z: (23 letters: A, B, E and G to Z) C:\Windows\system32\msiexec.exe N/A
File opened (read-only) the same 23 drive letters C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\e: C:\Users\Admin\AppData\Local\Temp\2024-09-16_3502350eba54b4ac640a8748470ac2c0_floxif_icedid.exe N/A

Note: probing every drive letter is what Windows Installer does while costing an install, so the two msiexec.exe rows are expected for any MSI. The row that belongs to this signature is the sample's own open of \??\e:, i.e. Floxif's drive enumeration.

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\System\symsrv.dll C:\Users\Admin\AppData\Local\Temp\2024-09-16_3502350eba54b4ac640a8748470ac2c0_floxif_icedid.exe N/A
File created \??\c:\program files\common files\system\symsrv.dll.000 C:\Users\Admin\AppData\Local\Temp\2024-09-16_3502350eba54b4ac640a8748470ac2c0_floxif_icedid.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-09-16_3502350eba54b4ac640a8748470ac2c0_floxif_icedid.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-09-16_3502350eba54b4ac640a8748470ac2c0_floxif_icedid.exe N/A
Token: SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege, SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege (29 distinct privileges across 60 adjust events, the same sequence issued in two passes) N/A C:\Windows\SysWOW64\msiexec.exe N/A

Note: sweeping through every privilege name in one pass is routinely seen from msiexec.exe during MSI installs, and AdjustTokenPrivileges cannot grant a privilege the token does not already hold, so the length of that list says nothing about what the process could actually do. The entry that belongs to Floxif is the sample's own SeDebugPrivilege request.

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-09-16_3502350eba54b4ac640a8748470ac2c0_floxif_icedid.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2524 wrote to memory of 1076 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-09-16_3502350eba54b4ac640a8748470ac2c0_floxif_icedid.exe C:\Windows\SysWOW64\msiexec.exe
PID 2524 wrote to memory of 2720 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-09-16_3502350eba54b4ac640a8748470ac2c0_floxif_icedid.exe C:\Windows\SysWOW64\msiexec.exe
PID 2344 wrote to memory of 2616 (7 events) N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2616 wrote to memory of 2784, 2052, 2264, 880, 292, 1556, 1404, 796, 1084, 1588 (4 events each) and 1752 (3 events) N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{3EC23119-1F37-466B-83A2-8299FDFD8171}\ISBEW64.exe

Note: each row pairs a parent with a process it launched, the write pattern that process creation itself produces, so on its own this table is not evidence of code injection. The 11 ISBEW64.exe targets correspond to the 11 ISBEW64.exe invocations in the process list. PID 2344 (system32\msiexec.exe /V) has no writer of its own because it is the Windows Installer service process, started by the service control manager rather than by the sample.
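The WriteProcessMemory table is a flat list with one row per write event, which hides the process tree it describes. The following Python script is an added example, not part of the sandbox's output: it parses rows in exactly the form shown above, rebuilds the parent/child tree with per-edge write counts, lists the tree's roots and flags any PID that was written to by more than one process. The embedded rows are copied from the table above but trimmed to a few per edge; splitting the two image paths at the space that precedes a drive letter is an assumption that holds for the paths on this page.

```python
"""Rebuild the process tree from the sandbox's flat
'PID X wrote to memory of Y' rows (added example, not part of the report)."""
import re
from collections import Counter, defaultdict

# Rows copied from the behavioral1 WriteProcessMemory table above, trimmed to a
# handful per edge so the duplicate counting is still exercised.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-09-16_3502350eba54b4ac640a8748470ac2c0_floxif_icedid.exe"
ISBEW = r"C:\Users\Admin\AppData\Local\Temp\{3EC23119-1F37-466B-83A2-8299FDFD8171}\ISBEW64.exe"
ROWS = f"""\
PID 2524 wrote to memory of 1076 N/A {SAMPLE} C:\\Windows\\SysWOW64\\msiexec.exe
PID 2524 wrote to memory of 1076 N/A {SAMPLE} C:\\Windows\\SysWOW64\\msiexec.exe
PID 2524 wrote to memory of 1076 N/A {SAMPLE} C:\\Windows\\SysWOW64\\msiexec.exe
PID 2524 wrote to memory of 2720 N/A {SAMPLE} C:\\Windows\\SysWOW64\\msiexec.exe
PID 2524 wrote to memory of 2720 N/A {SAMPLE} C:\\Windows\\SysWOW64\\msiexec.exe
PID 2344 wrote to memory of 2616 N/A C:\\Windows\\system32\\msiexec.exe C:\\Windows\\syswow64\\MsiExec.exe
PID 2344 wrote to memory of 2616 N/A C:\\Windows\\system32\\msiexec.exe C:\\Windows\\syswow64\\MsiExec.exe
PID 2616 wrote to memory of 2784 N/A C:\\Windows\\syswow64\\MsiExec.exe {ISBEW}
PID 2616 wrote to memory of 2784 N/A C:\\Windows\\syswow64\\MsiExec.exe {ISBEW}
PID 2616 wrote to memory of 2052 N/A C:\\Windows\\syswow64\\MsiExec.exe {ISBEW}
PID 2616 wrote to memory of 1752 N/A C:\\Windows\\syswow64\\MsiExec.exe {ISBEW}
"""

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+)$")


def parse_row(line: str):
    """Return (src_pid, dst_pid, src_image, dst_image), or None for a non-row line."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    # Image paths may contain spaces, so split only at a space followed by a drive letter
    # (assumption: no path on this page contains ' X:\' inside it).
    paths = re.split(r" (?=[A-Za-z]:\\)", m.group(3))
    if len(paths) != 2:
        return None
    return int(m.group(1)), int(m.group(2)), paths[0], paths[1]


def build_tree(lines):
    """Count write events per (parent, child) edge and remember each PID's image."""
    edges = Counter()   # (src_pid, dst_pid) -> number of write events
    image = {}          # pid -> image path
    for line in lines:
        parsed = parse_row(line)
        if parsed is None:
            continue
        src, dst, src_img, dst_img = parsed
        edges[(src, dst)] += 1
        image.setdefault(src, src_img)
        image.setdefault(dst, dst_img)
    children = defaultdict(list)
    for src, dst in edges:
        children[src].append(dst)
    return edges, image, children


def roots(edges):
    """PIDs that write to others but were never written to: the tree's entry points."""
    writers = {s for s, _ in edges}
    targets = {d for _, d in edges}
    return sorted(writers - targets)


def multi_writer_targets(edges):
    """PIDs written to by more than one distinct process. A freshly created child has
    exactly one writer (its parent); a second writer is worth a closer look."""
    writers = defaultdict(set)
    for src, dst in edges:
        writers[dst].add(src)
    return sorted(pid for pid, w in writers.items() if len(w) > 1)


def render(edges, image, children, pid, depth=0, writes=None):
    """Indented text tree, one line per process, with the write count from its parent."""
    tag = "" if writes is None else f"  ({writes} writes from parent)"
    out = [f"{'  ' * depth}{pid}  {image[pid]}{tag}"]
    for child in sorted(children.get(pid, [])):
        out.extend(render(edges, image, children, child, depth + 1, edges[(pid, child)]))
    return out


if __name__ == "__main__":
    edges, image, children = build_tree(ROWS.splitlines())
    for root in roots(edges):
        print("\n".join(render(edges, image, children, root)))
    print("targets with more than one writer:", multi_writer_targets(edges) or "none")
```

Run as-is it prints two roots, 2524 (the sample) and 2344 (system32\msiexec.exe /V, the Windows Installer service, which nothing in the table writes to because the service control manager started it), and reports no multi-writer targets; on real telemetry a PID that picks up a second, unrelated writer is the first thing to chase as possible injection.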

Processes

C:\Users\Admin\AppData\Local\Temp\2024-09-16_3502350eba54b4ac640a8748470ac2c0_floxif_icedid.exe

"C:\Users\Admin\AppData\Local\Temp\2024-09-16_3502350eba54b4ac640a8748470ac2c0_floxif_icedid.exe"

C:\Windows\SysWOW64\msiexec.exe

msiexec.exe /x {D9FB7F91-9687-4B09-894D-072903CADEA4} /passive

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\SysWOW64\msiexec.exe

msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\QualcommWindowsDriverInstaller.msi"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 85C07451C438DC3389D90E8132ADDB54 C

C:\Users\Admin\AppData\Local\Temp\{3EC23119-1F37-466B-83A2-8299FDFD8171}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{3EC23119-1F37-466B-83A2-8299FDFD8171}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{98543D9E-D779-4D95-8199-ED77A9E8B007}

C:\Users\Admin\AppData\Local\Temp\{3EC23119-1F37-466B-83A2-8299FDFD8171}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{3EC23119-1F37-466B-83A2-8299FDFD8171}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2F01415A-9D3C-436C-AB23-A0507854F0F3}

C:\Users\Admin\AppData\Local\Temp\{3EC23119-1F37-466B-83A2-8299FDFD8171}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{3EC23119-1F37-466B-83A2-8299FDFD8171}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{9372D979-35D5-4ACC-9E5B-CA97670C1F81}

C:\Users\Admin\AppData\Local\Temp\{3EC23119-1F37-466B-83A2-8299FDFD8171}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{3EC23119-1F37-466B-83A2-8299FDFD8171}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{DAFC3958-05A2-41ED-AE3B-2D6497A2AE1F}

C:\Users\Admin\AppData\Local\Temp\{3EC23119-1F37-466B-83A2-8299FDFD8171}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{3EC23119-1F37-466B-83A2-8299FDFD8171}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{CAC586EE-A4CC-4294-91A1-FDEB02D8FAA7}

C:\Users\Admin\AppData\Local\Temp\{3EC23119-1F37-466B-83A2-8299FDFD8171}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{3EC23119-1F37-466B-83A2-8299FDFD8171}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F757AC84-9E84-4B09-9B88-8F434A1BC752}

C:\Users\Admin\AppData\Local\Temp\{3EC23119-1F37-466B-83A2-8299FDFD8171}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{3EC23119-1F37-466B-83A2-8299FDFD8171}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8CE92DB3-C97F-4789-BD54-06869ECD8047}

C:\Users\Admin\AppData\Local\Temp\{3EC23119-1F37-466B-83A2-8299FDFD8171}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{3EC23119-1F37-466B-83A2-8299FDFD8171}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{9ED6117F-C594-4A99-90EE-69091E59ADBA}

C:\Users\Admin\AppData\Local\Temp\{3EC23119-1F37-466B-83A2-8299FDFD8171}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{3EC23119-1F37-466B-83A2-8299FDFD8171}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2D7F1A88-29C0-487D-91F5-43F60FF9EE28}

C:\Users\Admin\AppData\Local\Temp\{3EC23119-1F37-466B-83A2-8299FDFD8171}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{3EC23119-1F37-466B-83A2-8299FDFD8171}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5FA18361-5A78-446C-AFB0-66D30EEC497B}

C:\Users\Admin\AppData\Local\Temp\{3EC23119-1F37-466B-83A2-8299FDFD8171}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{3EC23119-1F37-466B-83A2-8299FDFD8171}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{30D10D33-705C-4281-9A5F-B219FA51A72A}

Network

Country Destination Domain Proto
US 8.8.8.8:53 5isohu.com udp (DNS query only; no TCP connection followed)
US 8.8.8.8:53 www.aieov.com udp
US 45.33.23.183:80 www.aieov.com tcp (6 connections)

Files

\Program Files\Common Files\System\symsrv.dll

MD5 7574cf2c64f35161ab1292e2f532aabf
SHA1 14ba3fa927a06224dfe587014299e834def4644f
SHA256 de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085
SHA512 4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

memory/2524-3-0x0000000010000000-0x0000000010030000-memory.dmp

memory/2524-5-0x00000000004AF000-0x00000000004B3000-memory.dmp

memory/1076-9-0x0000000010000000-0x0000000010030000-memory.dmp

memory/1076-10-0x0000000010000000-0x0000000010030000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QualcommWindowsDriverInstaller.msi

MD5 cde633c7be2c8db52f0922f8a8e0c613
SHA1 a9bc8e3c20244d7057843ebb5ce6152f9ef1bd7f
SHA256 a7d18848d352986989170eaae01af8439b91b732544662c80c17bad8605353e5
SHA512 e32e7bf3c682f070bfae158d98565aa4285bb0154f6655469ad470289845182d757623ad55bd649c39a5c2cd9f8da15aa564d71103084d8fafb336921211009b

memory/2616-16-0x0000000010000000-0x0000000010030000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MSIBA79.tmp

MD5 ca189a2b762e64d61303bfd4d88fd0a6
SHA1 13bf55664fb0345d3931458f75b6039c1213f46a
SHA256 dc5094ceb682772d95b427230bfb1af29df90ef67fe8afb08c43a0f2af3f880a
SHA512 31bb912f5c5f6cd6577f8529fcbbfc0bf4d0bda5e1904772c57cd942520db7dd1c10657e8695d16418a05763202af1034e4e47a7db8a8be618b9e330e8a544bf

memory/2616-21-0x0000000002AF0000-0x0000000002CA5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{3EC23119-1F37-466B-83A2-8299FDFD8171}\ISBEW64.exe

MD5 c3b2acc07bb0610405fc786e3432bef9
SHA1 333d5f2b55bd00ad4311ba104af7db984f953924
SHA256 9acc6cb5d01a4e4dbc92c8774c6999fab5f0e49f097e83098ba740842f5a2894
SHA512 2438e5dd11c8322101d9dc2d0f89ed0b1fc3cb5a65f644a1cf07f4c5a7f353c648e715fb910e09a444b623b3384eecd628e312608bcec63aa3b0107630df32bd

\Users\Admin\AppData\Local\Temp\{3EC23119-1F37-466B-83A2-8299FDFD8171}\ISRT.dll

MD5 a93f625ef42b54c2b0f4d38201e67606
SHA1 cbfebc1f736ccfc65562ede79a5ae1a8afb116a1
SHA256 e91a865c3d60d9d0bce5d5a0a2f551c5e032d5bc13bc40f85091ce46d38064e0
SHA512 805f0d535022de3d03aa191239fd90c54f2f6745bf02e0ce9cbe59ea34eecac7f9ebb600864c7cbcad5d011fa61bdb5b65889136617edc44178f87bd3970b198

memory/2616-43-0x00000000034C0000-0x0000000003567000-memory.dmp

\Users\Admin\AppData\Local\Temp\{3EC23119-1F37-466B-83A2-8299FDFD8171}\_isres_0x0409.dll

MD5 d6bbf7ff6984213c7f1f0f8f07c51e6a
SHA1 cfe933fc3b634f7333adec7ec124c14e9d19ac21
SHA256 6366e18a8cbf609c9573f341004e5c2725c23a12973affa90ee7bcc7934ae1b2
SHA512 a1364c96848f54b241c8e92ed1887ca599255c8046e31af11cd4b0b23d97c00243808dff9086a536c0084d6815223685283844a9e27f2c20c4d3b85a794a9e9d

memory/2616-46-0x0000000003240000-0x00000000032C9000-memory.dmp

\Users\Admin\AppData\Local\Temp\{3EC23119-1F37-466B-83A2-8299FDFD8171}\_isres_0x0409.dll.tmp

MD5 5aa0b61df44e1dcbb764ffb795c20661
SHA1 03887b6b8cd03f8a12aacc4a2e3f34c508b0cb5c
SHA256 ceade2baab491915ede85ec0fafaa2f9e550fd6626b46877529918cd6155106a
SHA512 f2162b76fd3173fe9df8034318ce4c9201a174f86a72c2a72770ce0d783a1b56a6b0b8f00831d5c48c6c973cbdb821b62d0b74b8b7cc17d3ff4ec01bf87e4e13

memory/2524-67-0x0000000010000000-0x0000000010030000-memory.dmp

memory/2720-69-0x0000000010000000-0x0000000010030000-memory.dmp

memory/2616-70-0x0000000010000000-0x0000000010030000-memory.dmp

memory/2524-71-0x0000000010000000-0x0000000010030000-memory.dmp

memory/2616-74-0x0000000002AF0000-0x0000000002CA5000-memory.dmp

memory/2616-76-0x0000000003240000-0x00000000032C9000-memory.dmp

memory/2616-75-0x00000000034C0000-0x0000000003567000-memory.dmp

memory/2524-79-0x0000000010000000-0x0000000010030000-memory.dmp

memory/2524-87-0x0000000010000000-0x0000000010030000-memory.dmp

memory/2524-95-0x0000000010000000-0x0000000010030000-memory.dmp

C:\Program Files\Common Files\System\symsrv.dll.000

MD5 1130c911bf5db4b8f7cf9b6f4b457623
SHA1 48e734c4bc1a8b5399bff4954e54b268bde9d54c
SHA256 eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1
SHA512 94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0

memory/2524-103-0x0000000010000000-0x0000000010030000-memory.dmp

memory/2524-113-0x0000000010000000-0x0000000010030000-memory.dmp
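The file hashes, the dropped paths and the network rows above are the indicators an operator would carry into their own telemetry. The following Python script is an added example, not part of the sandbox's output, showing how to turn them into a matcher over Sysmon-style events: it normalises the two path spellings the sandbox uses (\??\c:\... and C:\...), matches domains by suffix, checks destination IPs and SHA-256 values, and scores each host so that the symsrv.dll drop together with the DNS lookup, or a known hash, is conclusive while a lone artefact is only a lead. The event records and the two hosts are constructed for the example; matching the parent domains 5isohu.com and aieov.com rather than only the exact names on the page is an assumption of mine.

```python
"""Match Floxif indicators from this report against host telemetry (added example)."""
from __future__ import annotations

import ntpath
from dataclasses import dataclass, field

# Indicators copied from the behavioral1 tables above.
FLOXIF_DROP_PATHS = {
    r"c:\program files\common files\system\symsrv.dll",
    r"c:\program files\common files\system\symsrv.dll.000",
}
FLOXIF_SHA256 = {
    "388849ff698162b1d7e8b555b67b6d3ad4b53709ee002e1e40f5c77b2319a368": "infected host exe",
    "de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085": "symsrv.dll",
    "eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1": "symsrv.dll.000",
}
# Assumption: match the parent domains so www.aieov.com and any sibling host both hit.
FLOXIF_DOMAINS = {"5isohu.com", "aieov.com"}
FLOXIF_C2_IPS = {"45.33.23.183"}


@dataclass
class Event:
    host: str
    kind: str   # "file_create" | "dns_query" | "net_connect" | "file_hash"
    image: str  # image path of the process that produced the event
    value: str  # created path, queried name, "ip:port", or sha256


@dataclass
class Verdict:
    host: str
    hits: list[str] = field(default_factory=list)

    @property
    def confidence(self) -> str:
        kinds = {h.split(":", 1)[0] for h in self.hits}
        # A known hash, or the drop plus the DNS lookup together, is conclusive;
        # a single artefact class on its own is only a lead.
        if "hash" in kinds or {"drop", "dns"} <= kinds:
            return "high"
        return "medium" if kinds else "none"


def _norm_path(path: str) -> str:
    """Fold the sandbox's NT-style '\\??\\c:\\...' spelling onto the Win32 form."""
    path = path.lower()
    if path.startswith("\\??\\"):
        path = path[4:]
    return ntpath.normpath(path)


def _domain_matches(name: str) -> bool:
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in FLOXIF_DOMAINS)


def match_event(ev: Event) -> str | None:
    """Return a 'kind:detail' hit label, or None when the event is not an indicator."""
    if ev.kind == "file_create" and _norm_path(ev.value) in FLOXIF_DROP_PATHS:
        return f"drop:{ntpath.basename(ev.value)} by {ntpath.basename(ev.image)}"
    if ev.kind == "dns_query" and _domain_matches(ev.value):
        return f"dns:{ev.value}"
    if ev.kind == "net_connect" and ev.value.rsplit(":", 1)[0] in FLOXIF_C2_IPS:
        return f"c2:{ev.value}"
    if ev.kind == "file_hash" and ev.value.lower() in FLOXIF_SHA256:
        return f"hash:{FLOXIF_SHA256[ev.value.lower()]}"
    return None


def evaluate(events: list[Event]) -> dict[str, Verdict]:
    """Group hits per host so the confidence rule sees everything one machine did."""
    verdicts: dict[str, Verdict] = {}
    for ev in events:
        hit = match_event(ev)
        if hit is not None:
            verdicts.setdefault(ev.host, Verdict(ev.host)).hits.append(hit)
    return verdicts


# Constructed telemetry, not from the report: ws01 mirrors the behavioral1 chain,
# ws02 is a clean machine running an unrelated installer.
SAMPLE_EVENTS = [
    Event("ws01", "file_create", r"C:\Users\Admin\AppData\Local\Temp\setup.exe",
          r"\??\c:\program files\common files\system\symsrv.dll.000"),
    Event("ws01", "file_create", r"C:\Users\Admin\AppData\Local\Temp\setup.exe",
          r"C:\Program Files\Common Files\System\symsrv.dll"),
    Event("ws01", "dns_query", r"C:\Users\Admin\AppData\Local\Temp\setup.exe", "www.aieov.com"),
    Event("ws01", "net_connect", r"C:\Users\Admin\AppData\Local\Temp\setup.exe", "45.33.23.183:80"),
    Event("ws02", "file_create", r"C:\Windows\system32\msiexec.exe",
          r"C:\Program Files\Common Files\System\msdia80.dll"),
    Event("ws02", "dns_query", r"C:\Program Files\Mozilla Firefox\firefox.exe",
          "aieov.com.example.net"),  # the suffix test must not match this
]

if __name__ == "__main__":
    for host, verdict in evaluate(SAMPLE_EVENTS).items():
        print(host, verdict.confidence, *verdict.hits, sep="\n  ")
```

The path normalisation matters more than it looks: the sandbox recorded the .000 file with the \??\ prefix and lower-case drive letter and the .dll with the Win32 spelling, and EDR products are just as inconsistent, so comparing raw strings would miss half the drops.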

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-16 00:59

Reported

2024-09-16 01:01

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-09-16_3502350eba54b4ac640a8748470ac2c0_floxif_icedid.exe"

Signatures

Floxif, Floodfix

backdoor trojan floxif

Detects Floxif payload

backdoor
Description Indicator Process Target
N/A N/A N/A N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
7 UPX matches recorded; no indicator, process or target detail was captured for any of them.

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: through \??\Z: (23 letters: A, B, E and G to Z) C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) the same 23 drive letters C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\e: C:\Users\Admin\AppData\Local\Temp\2024-09-16_3502350eba54b4ac640a8748470ac2c0_floxif_icedid.exe N/A

Note: the msiexec.exe sweeps are Windows Installer costing, expected for any MSI; the sample's own open of \??\e: is the Floxif drive enumeration this signature is about, and it is identical on Windows 10 and Windows 7.

Drops file in Program Files directory

Description Indicator Process Target
File created \??\c:\program files\common files\system\symsrv.dll.000 C:\Users\Admin\AppData\Local\Temp\2024-09-16_3502350eba54b4ac640a8748470ac2c0_floxif_icedid.exe N/A
File created C:\Program Files\Common Files\System\symsrv.dll C:\Users\Admin\AppData\Local\Temp\2024-09-16_3502350eba54b4ac640a8748470ac2c0_floxif_icedid.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-09-16_3502350eba54b4ac640a8748470ac2c0_floxif_icedid.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-09-16_3502350eba54b4ac640a8748470ac2c0_floxif_icedid.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-09-16_3502350eba54b4ac640a8748470ac2c0_floxif_icedid.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2736 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\2024-09-16_3502350eba54b4ac640a8748470ac2c0_floxif_icedid.exe C:\Windows\SysWOW64\msiexec.exe
PID 2736 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\2024-09-16_3502350eba54b4ac640a8748470ac2c0_floxif_icedid.exe C:\Windows\SysWOW64\msiexec.exe
PID 2736 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\2024-09-16_3502350eba54b4ac640a8748470ac2c0_floxif_icedid.exe C:\Windows\SysWOW64\msiexec.exe
PID 2736 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\2024-09-16_3502350eba54b4ac640a8748470ac2c0_floxif_icedid.exe C:\Windows\SysWOW64\msiexec.exe
PID 2736 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\2024-09-16_3502350eba54b4ac640a8748470ac2c0_floxif_icedid.exe C:\Windows\SysWOW64\msiexec.exe
PID 2736 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\2024-09-16_3502350eba54b4ac640a8748470ac2c0_floxif_icedid.exe C:\Windows\SysWOW64\msiexec.exe
PID 5064 wrote to memory of 2928 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 5064 wrote to memory of 2928 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 5064 wrote to memory of 2928 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2928 wrote to memory of 1104 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{F6C5369C-DF6A-4081-850C-C0B6AE139E67}\ISBEW64.exe
PID 2928 wrote to memory of 1104 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{F6C5369C-DF6A-4081-850C-C0B6AE139E67}\ISBEW64.exe
PID 2928 wrote to memory of 2948 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{F6C5369C-DF6A-4081-850C-C0B6AE139E67}\ISBEW64.exe
PID 2928 wrote to memory of 2948 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{F6C5369C-DF6A-4081-850C-C0B6AE139E67}\ISBEW64.exe
PID 2928 wrote to memory of 4424 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{F6C5369C-DF6A-4081-850C-C0B6AE139E67}\ISBEW64.exe
PID 2928 wrote to memory of 4424 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{F6C5369C-DF6A-4081-850C-C0B6AE139E67}\ISBEW64.exe
PID 2928 wrote to memory of 1868 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{F6C5369C-DF6A-4081-850C-C0B6AE139E67}\ISBEW64.exe
PID 2928 wrote to memory of 1868 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{F6C5369C-DF6A-4081-850C-C0B6AE139E67}\ISBEW64.exe
PID 2928 wrote to memory of 4324 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{F6C5369C-DF6A-4081-850C-C0B6AE139E67}\ISBEW64.exe
PID 2928 wrote to memory of 4324 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{F6C5369C-DF6A-4081-850C-C0B6AE139E67}\ISBEW64.exe
PID 2928 wrote to memory of 3408 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{F6C5369C-DF6A-4081-850C-C0B6AE139E67}\ISBEW64.exe
PID 2928 wrote to memory of 3408 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{F6C5369C-DF6A-4081-850C-C0B6AE139E67}\ISBEW64.exe
PID 2928 wrote to memory of 4740 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{F6C5369C-DF6A-4081-850C-C0B6AE139E67}\ISBEW64.exe
PID 2928 wrote to memory of 4740 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{F6C5369C-DF6A-4081-850C-C0B6AE139E67}\ISBEW64.exe
PID 2928 wrote to memory of 3404 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{F6C5369C-DF6A-4081-850C-C0B6AE139E67}\ISBEW64.exe
PID 2928 wrote to memory of 3404 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{F6C5369C-DF6A-4081-850C-C0B6AE139E67}\ISBEW64.exe
PID 2928 wrote to memory of 3708 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{F6C5369C-DF6A-4081-850C-C0B6AE139E67}\ISBEW64.exe
PID 2928 wrote to memory of 3708 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{F6C5369C-DF6A-4081-850C-C0B6AE139E67}\ISBEW64.exe
PID 2928 wrote to memory of 3132 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{F6C5369C-DF6A-4081-850C-C0B6AE139E67}\ISBEW64.exe
PID 2928 wrote to memory of 3132 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{F6C5369C-DF6A-4081-850C-C0B6AE139E67}\ISBEW64.exe
PID 2928 wrote to memory of 4260 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{F6C5369C-DF6A-4081-850C-C0B6AE139E67}\ISBEW64.exe
PID 2928 wrote to memory of 4260 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{F6C5369C-DF6A-4081-850C-C0B6AE139E67}\ISBEW64.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-09-16_3502350eba54b4ac640a8748470ac2c0_floxif_icedid.exe

"C:\Users\Admin\AppData\Local\Temp\2024-09-16_3502350eba54b4ac640a8748470ac2c0_floxif_icedid.exe"

C:\Windows\SysWOW64\msiexec.exe

msiexec.exe /x {D9FB7F91-9687-4B09-894D-072903CADEA4} /passive

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\SysWOW64\msiexec.exe

msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\QualcommWindowsDriverInstaller.msi"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding AF03115B919E2C9A2434C0591138A965 C

C:\Users\Admin\AppData\Local\Temp\{F6C5369C-DF6A-4081-850C-C0B6AE139E67}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{F6C5369C-DF6A-4081-850C-C0B6AE139E67}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7BF8DD61-D944-49D9-9CA4-74EA74DB070B}

C:\Users\Admin\AppData\Local\Temp\{F6C5369C-DF6A-4081-850C-C0B6AE139E67}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{F6C5369C-DF6A-4081-850C-C0B6AE139E67}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{9FC41A7B-8F3F-4FBC-BC54-F388123F8EF1}

C:\Users\Admin\AppData\Local\Temp\{F6C5369C-DF6A-4081-850C-C0B6AE139E67}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{F6C5369C-DF6A-4081-850C-C0B6AE139E67}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E2EAB78C-264F-4AAC-B597-A0BAF36BFDCE}

C:\Users\Admin\AppData\Local\Temp\{F6C5369C-DF6A-4081-850C-C0B6AE139E67}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{F6C5369C-DF6A-4081-850C-C0B6AE139E67}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5FE244DF-E83A-4C72-B212-9432ABA5DF9A}

C:\Users\Admin\AppData\Local\Temp\{F6C5369C-DF6A-4081-850C-C0B6AE139E67}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{F6C5369C-DF6A-4081-850C-C0B6AE139E67}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C4292E17-DE00-4619-B5E6-EDC46291B387}

C:\Users\Admin\AppData\Local\Temp\{F6C5369C-DF6A-4081-850C-C0B6AE139E67}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{F6C5369C-DF6A-4081-850C-C0B6AE139E67}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{479E6C75-A573-4BEC-9D47-D70CEB020B77}

C:\Users\Admin\AppData\Local\Temp\{F6C5369C-DF6A-4081-850C-C0B6AE139E67}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{F6C5369C-DF6A-4081-850C-C0B6AE139E67}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A4C15E68-F779-4257-9DD9-6549F53104F1}

C:\Users\Admin\AppData\Local\Temp\{F6C5369C-DF6A-4081-850C-C0B6AE139E67}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{F6C5369C-DF6A-4081-850C-C0B6AE139E67}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D7470079-D2B8-4B54-9072-027DBBF1DC1E}

C:\Users\Admin\AppData\Local\Temp\{F6C5369C-DF6A-4081-850C-C0B6AE139E67}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{F6C5369C-DF6A-4081-850C-C0B6AE139E67}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0B537869-05DD-49DA-BCE1-B8232EE6ABB1}

C:\Users\Admin\AppData\Local\Temp\{F6C5369C-DF6A-4081-850C-C0B6AE139E67}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{F6C5369C-DF6A-4081-850C-C0B6AE139E67}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6EA142DE-D966-406D-BEF4-19D8DC9C56F7}

C:\Users\Admin\AppData\Local\Temp\{F6C5369C-DF6A-4081-850C-C0B6AE139E67}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{F6C5369C-DF6A-4081-850C-C0B6AE139E67}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{BCC6F922-B42D-4585-91CB-927E3662F309}

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 5isohu.com udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 www.aieov.com udp
US 72.14.178.174:80 www.aieov.com tcp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 174.178.14.72.in-addr.arpa udp
US 8.8.8.8:53 5isohu.com udp
US 72.14.178.174:80 www.aieov.com tcp
US 72.14.178.174:80 www.aieov.com tcp
US 8.8.8.8:53 5isohu.com udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 72.14.178.174:80 www.aieov.com tcp
US 8.8.8.8:53 5isohu.com udp
US 72.14.178.174:80 www.aieov.com tcp
US 8.8.8.8:53 5isohu.com udp
US 72.14.178.174:80 www.aieov.com tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 5isohu.com udp
US 72.14.178.174:80 www.aieov.com tcp
US 8.8.8.8:53 209.143.182.52.in-addr.arpa udp

Files

C:\Program Files\Common Files\System\symsrv.dll

C:\Users\Admin\AppData\Local\Temp\QualcommWindowsDriverInstaller.msi

C:\Users\Admin\AppData\Local\Temp\MSI72DE.tmp

C:\Users\Admin\AppData\Local\Temp\{F6C5369C-DF6A-4081-850C-C0B6AE139E67}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{F6C5369C-DF6A-4081-850C-C0B6AE139E67}\ISRT.dll

C:\Users\Admin\AppData\Local\Temp\{F6C5369C-DF6A-4081-850C-C0B6AE139E67}\_isres_0x0409.dll

C:\Program Files\Common Files\System\symsrv.dll.000

C:\Users\Admin\AppData\Local\Temp\{F6C5369C-DF6A-4081-850C-C0B6AE139E67}\_isres_0x0409.dll.tmp
