Malware Analysis Report

2025-01-02 07:22

Sample ID 240916-g5k4lashkm
Target 202409163502350eba54b4ac640a8748470ac2c0floxificedid
SHA256 388849ff698162b1d7e8b555b67b6d3ad4b53709ee002e1e40f5c77b2319a368
Tags
floxif backdoor discovery persistence privilege_escalation trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

388849ff698162b1d7e8b555b67b6d3ad4b53709ee002e1e40f5c77b2319a368

Threat Level: Known bad

The file 202409163502350eba54b4ac640a8748470ac2c0floxificedid was found to be: Known bad.

Malicious Activity Summary

floxif backdoor discovery persistence privilege_escalation trojan upx

Floxif, Floodfix

Detects Floxif payload

Event Triggered Execution: AppInit DLLs

ACProtect 1.3x - 1.4x DLL software

UPX packed file

Loads dropped DLL

Executes dropped EXE

Enumerates connected drives

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-16 06:23

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-16 06:23

Reported

2024-09-16 06:26

Platform

win7-20240903-en

Max time kernel

143s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\202409163502350eba54b4ac640a8748470ac2c0floxificedid.exe"

Signatures

Floxif, Floodfix

backdoor trojan floxif

Detects Floxif payload

backdoor
Description Indicator Process Target
N/A N/A N/A N/A

Event Triggered Execution: AppInit DLLs

persistence privilege_escalation

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\K: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\e: C:\Users\Admin\AppData\Local\Temp\202409163502350eba54b4ac640a8748470ac2c0floxificedid.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\System\symsrv.dll C:\Users\Admin\AppData\Local\Temp\202409163502350eba54b4ac640a8748470ac2c0floxificedid.exe N/A
File created \??\c:\program files\common files\system\symsrv.dll.000 C:\Users\Admin\AppData\Local\Temp\202409163502350eba54b4ac640a8748470ac2c0floxificedid.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\202409163502350eba54b4ac640a8748470ac2c0floxificedid.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\202409163502350eba54b4ac640a8748470ac2c0floxificedid.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\202409163502350eba54b4ac640a8748470ac2c0floxificedid.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2808 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\202409163502350eba54b4ac640a8748470ac2c0floxificedid.exe C:\Windows\SysWOW64\msiexec.exe
PID 2808 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\202409163502350eba54b4ac640a8748470ac2c0floxificedid.exe C:\Windows\SysWOW64\msiexec.exe
PID 2808 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\202409163502350eba54b4ac640a8748470ac2c0floxificedid.exe C:\Windows\SysWOW64\msiexec.exe
PID 2808 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\202409163502350eba54b4ac640a8748470ac2c0floxificedid.exe C:\Windows\SysWOW64\msiexec.exe
PID 2808 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\202409163502350eba54b4ac640a8748470ac2c0floxificedid.exe C:\Windows\SysWOW64\msiexec.exe
PID 2808 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\202409163502350eba54b4ac640a8748470ac2c0floxificedid.exe C:\Windows\SysWOW64\msiexec.exe
PID 2808 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\202409163502350eba54b4ac640a8748470ac2c0floxificedid.exe C:\Windows\SysWOW64\msiexec.exe
PID 2808 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\202409163502350eba54b4ac640a8748470ac2c0floxificedid.exe C:\Windows\SysWOW64\msiexec.exe
PID 2808 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\202409163502350eba54b4ac640a8748470ac2c0floxificedid.exe C:\Windows\SysWOW64\msiexec.exe
PID 2808 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\202409163502350eba54b4ac640a8748470ac2c0floxificedid.exe C:\Windows\SysWOW64\msiexec.exe
PID 2808 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\202409163502350eba54b4ac640a8748470ac2c0floxificedid.exe C:\Windows\SysWOW64\msiexec.exe
PID 2808 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\202409163502350eba54b4ac640a8748470ac2c0floxificedid.exe C:\Windows\SysWOW64\msiexec.exe
PID 2808 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\202409163502350eba54b4ac640a8748470ac2c0floxificedid.exe C:\Windows\SysWOW64\msiexec.exe
PID 2808 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\202409163502350eba54b4ac640a8748470ac2c0floxificedid.exe C:\Windows\SysWOW64\msiexec.exe
PID 2860 wrote to memory of 2628 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2860 wrote to memory of 2628 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2860 wrote to memory of 2628 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2860 wrote to memory of 2628 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2860 wrote to memory of 2628 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2860 wrote to memory of 2628 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2860 wrote to memory of 2628 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2628 wrote to memory of 2300 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe
PID 2628 wrote to memory of 2300 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe
PID 2628 wrote to memory of 2300 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe
PID 2628 wrote to memory of 2300 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe
PID 2628 wrote to memory of 1264 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe
PID 2628 wrote to memory of 1264 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe
PID 2628 wrote to memory of 1264 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe
PID 2628 wrote to memory of 1264 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe
PID 2628 wrote to memory of 2796 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe
PID 2628 wrote to memory of 2796 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe
PID 2628 wrote to memory of 2796 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe
PID 2628 wrote to memory of 2796 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe
PID 2628 wrote to memory of 2580 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe
PID 2628 wrote to memory of 2580 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe
PID 2628 wrote to memory of 2580 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe
PID 2628 wrote to memory of 2580 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe
PID 2628 wrote to memory of 2264 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe
PID 2628 wrote to memory of 2264 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe
PID 2628 wrote to memory of 2264 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe
PID 2628 wrote to memory of 2264 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe
PID 2628 wrote to memory of 2020 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe
PID 2628 wrote to memory of 2020 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe
PID 2628 wrote to memory of 2020 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe
PID 2628 wrote to memory of 2020 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe
PID 2628 wrote to memory of 2436 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe
PID 2628 wrote to memory of 2436 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe
PID 2628 wrote to memory of 2436 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe
PID 2628 wrote to memory of 2436 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe
PID 2628 wrote to memory of 2040 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe
PID 2628 wrote to memory of 2040 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe
PID 2628 wrote to memory of 2040 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe
PID 2628 wrote to memory of 2040 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe
PID 2628 wrote to memory of 1628 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe
PID 2628 wrote to memory of 1628 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe
PID 2628 wrote to memory of 1628 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe
PID 2628 wrote to memory of 1628 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe
PID 2628 wrote to memory of 2220 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe
PID 2628 wrote to memory of 2220 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe
PID 2628 wrote to memory of 2220 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe
PID 2628 wrote to memory of 2220 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe
PID 2628 wrote to memory of 2344 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe
PID 2628 wrote to memory of 2344 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe
PID 2628 wrote to memory of 2344 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe

Processes

C:\Users\Admin\AppData\Local\Temp\202409163502350eba54b4ac640a8748470ac2c0floxificedid.exe

"C:\Users\Admin\AppData\Local\Temp\202409163502350eba54b4ac640a8748470ac2c0floxificedid.exe"

C:\Windows\SysWOW64\msiexec.exe

msiexec.exe /x {D9FB7F91-9687-4B09-894D-072903CADEA4} /passive

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\SysWOW64\msiexec.exe

msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\QualcommWindowsDriverInstaller.msi"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 85A452510E17DD5EF520C4B7D4A7A0DF C

C:\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4C4A10BF-425D-4B7C-8B12-32166638C386}

C:\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{18B8389A-C3B3-4E3D-A252-8B6B91404E10}

C:\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A00FFA7F-14C7-4B2D-A36C-06ECD438997A}

C:\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{60EA909C-3195-4FC2-AAA6-B0FF8B297504}

C:\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{252619CC-2A9A-4CF4-814F-CCBB486E461A}

C:\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C34588C5-CE8B-4D7B-9742-6DABDBC0036C}

C:\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{927A3BD3-B95E-467B-BE62-E6634793B792}

C:\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1C74D619-0863-4B00-A84C-A09D8663298C}

C:\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{668DF810-6DD8-41F8-A6A5-B1F7C08723D6}

C:\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{14CC40B7-1661-4EA3-B8E8-6DE3E77DB058}

C:\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D4BB87AE-DB87-4B55-9A7A-06699E00620B}

Network

Country Destination Domain Proto
US 8.8.8.8:53 5isohu.com udp
US 8.8.8.8:53 www.aieov.com udp
US 45.33.18.44:80 www.aieov.com tcp
US 45.33.18.44:80 www.aieov.com tcp
US 45.33.18.44:80 www.aieov.com tcp
US 45.33.18.44:80 www.aieov.com tcp
US 45.33.18.44:80 www.aieov.com tcp
US 45.33.18.44:80 www.aieov.com tcp

Files

memory/2628-21-0x00000000027C0000-0x0000000002975000-memory.dmp

\Users\Admin\AppData\Local\Temp\MSI84D9.tmp

MD5 ca189a2b762e64d61303bfd4d88fd0a6
SHA1 13bf55664fb0345d3931458f75b6039c1213f46a
SHA256 dc5094ceb682772d95b427230bfb1af29df90ef67fe8afb08c43a0f2af3f880a
SHA512 31bb912f5c5f6cd6577f8529fcbbfc0bf4d0bda5e1904772c57cd942520db7dd1c10657e8695d16418a05763202af1034e4e47a7db8a8be618b9e330e8a544bf

memory/2628-18-0x0000000010000000-0x0000000010030000-memory.dmp

\Program Files\Common Files\System\symsrv.dll

MD5 7574cf2c64f35161ab1292e2f532aabf
SHA1 14ba3fa927a06224dfe587014299e834def4644f
SHA256 de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085
SHA512 4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

memory/2896-14-0x0000000010000000-0x0000000010030000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QualcommWindowsDriverInstaller.msi

MD5 cde633c7be2c8db52f0922f8a8e0c613
SHA1 a9bc8e3c20244d7057843ebb5ce6152f9ef1bd7f
SHA256 a7d18848d352986989170eaae01af8439b91b732544662c80c17bad8605353e5
SHA512 e32e7bf3c682f070bfae158d98565aa4285bb0154f6655469ad470289845182d757623ad55bd649c39a5c2cd9f8da15aa564d71103084d8fafb336921211009b

memory/2828-11-0x0000000010000000-0x0000000010030000-memory.dmp

memory/2828-9-0x0000000010000000-0x0000000010030000-memory.dmp

memory/2808-5-0x00000000004AF000-0x00000000004B3000-memory.dmp

memory/2808-3-0x0000000010000000-0x0000000010030000-memory.dmp

\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe

MD5 c3b2acc07bb0610405fc786e3432bef9
SHA1 333d5f2b55bd00ad4311ba104af7db984f953924
SHA256 9acc6cb5d01a4e4dbc92c8774c6999fab5f0e49f097e83098ba740842f5a2894
SHA512 2438e5dd11c8322101d9dc2d0f89ed0b1fc3cb5a65f644a1cf07f4c5a7f353c648e715fb910e09a444b623b3384eecd628e312608bcec63aa3b0107630df32bd

\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISRT.dll

MD5 a93f625ef42b54c2b0f4d38201e67606
SHA1 cbfebc1f736ccfc65562ede79a5ae1a8afb116a1
SHA256 e91a865c3d60d9d0bce5d5a0a2f551c5e032d5bc13bc40f85091ce46d38064e0
SHA512 805f0d535022de3d03aa191239fd90c54f2f6745bf02e0ce9cbe59ea34eecac7f9ebb600864c7cbcad5d011fa61bdb5b65889136617edc44178f87bd3970b198

memory/2628-45-0x0000000003050000-0x00000000030F7000-memory.dmp

\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\_isres_0x0409.dll

MD5 d6bbf7ff6984213c7f1f0f8f07c51e6a
SHA1 cfe933fc3b634f7333adec7ec124c14e9d19ac21
SHA256 6366e18a8cbf609c9573f341004e5c2725c23a12973affa90ee7bcc7934ae1b2
SHA512 a1364c96848f54b241c8e92ed1887ca599255c8046e31af11cd4b0b23d97c00243808dff9086a536c0084d6815223685283844a9e27f2c20c4d3b85a794a9e9d

memory/2628-48-0x0000000003390000-0x0000000003419000-memory.dmp

memory/2808-65-0x0000000010000000-0x0000000010030000-memory.dmp

memory/2896-66-0x0000000010000000-0x0000000010030000-memory.dmp

memory/2808-67-0x0000000010000000-0x0000000010030000-memory.dmp

memory/2628-68-0x0000000010000000-0x0000000010030000-memory.dmp

memory/2628-72-0x0000000003050000-0x00000000030F7000-memory.dmp

memory/2628-71-0x00000000027C0000-0x0000000002975000-memory.dmp

memory/2808-75-0x0000000010000000-0x0000000010030000-memory.dmp

memory/2808-82-0x0000000010000000-0x0000000010030000-memory.dmp

memory/2808-89-0x0000000010000000-0x0000000010030000-memory.dmp

C:\Program Files\Common Files\System\symsrv.dll.000

MD5 1130c911bf5db4b8f7cf9b6f4b457623
SHA1 48e734c4bc1a8b5399bff4954e54b268bde9d54c
SHA256 eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1
SHA512 94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0

memory/2808-98-0x0000000010000000-0x0000000010030000-memory.dmp

\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\_isres_0x0409.dll.tmp

MD5 5b5f5d71be88f01ccad4c33ed6f4088e
SHA1 ee6db4b5ae5eb7ecb181c30319aa311075fc0551
SHA256 931fdc6fd31f4f09ce83a577f8026298a7b2798186591270413fc2ffb1d3a733
SHA512 b8871eae16a915e603f85702dcf7e47f3a9c95537cf5c95c809bbdfb826f072d4ea10fb4196e225f522f555a42561d096ef360d44602266a587af19acd0a9df5

memory/2808-108-0x0000000010000000-0x0000000010030000-memory.dmp

memory/2628-115-0x0000000003390000-0x0000000003419000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-16 06:23

Reported

2024-09-16 06:25

Platform

win10v2004-20240802-en

Max time kernel

147s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\202409163502350eba54b4ac640a8748470ac2c0floxificedid.exe"

Signatures

Floxif, Floodfix

backdoor trojan floxif

Detects Floxif payload

backdoor
Description Indicator Process Target
N/A N/A N/A N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\L: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\e: C:\Users\Admin\AppData\Local\Temp\202409163502350eba54b4ac640a8748470ac2c0floxificedid.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\System\symsrv.dll C:\Users\Admin\AppData\Local\Temp\202409163502350eba54b4ac640a8748470ac2c0floxificedid.exe N/A
File created \??\c:\program files\common files\system\symsrv.dll.000 C:\Users\Admin\AppData\Local\Temp\202409163502350eba54b4ac640a8748470ac2c0floxificedid.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\202409163502350eba54b4ac640a8748470ac2c0floxificedid.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\202409163502350eba54b4ac640a8748470ac2c0floxificedid.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\202409163502350eba54b4ac640a8748470ac2c0floxificedid.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1268 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\202409163502350eba54b4ac640a8748470ac2c0floxificedid.exe C:\Windows\SysWOW64\msiexec.exe
PID 1268 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\202409163502350eba54b4ac640a8748470ac2c0floxificedid.exe C:\Windows\SysWOW64\msiexec.exe
PID 1268 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\202409163502350eba54b4ac640a8748470ac2c0floxificedid.exe C:\Windows\SysWOW64\msiexec.exe
PID 1268 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Local\Temp\202409163502350eba54b4ac640a8748470ac2c0floxificedid.exe C:\Windows\SysWOW64\msiexec.exe
PID 1268 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Local\Temp\202409163502350eba54b4ac640a8748470ac2c0floxificedid.exe C:\Windows\SysWOW64\msiexec.exe
PID 1268 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Local\Temp\202409163502350eba54b4ac640a8748470ac2c0floxificedid.exe C:\Windows\SysWOW64\msiexec.exe
PID 2060 wrote to memory of 1828 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2060 wrote to memory of 1828 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2060 wrote to memory of 1828 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1828 wrote to memory of 1548 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{924AD6BE-6AF4-4830-9DEB-BA04DAA39263}\ISBEW64.exe
PID 1828 wrote to memory of 1548 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{924AD6BE-6AF4-4830-9DEB-BA04DAA39263}\ISBEW64.exe
PID 1828 wrote to memory of 3988 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{924AD6BE-6AF4-4830-9DEB-BA04DAA39263}\ISBEW64.exe
PID 1828 wrote to memory of 3988 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{924AD6BE-6AF4-4830-9DEB-BA04DAA39263}\ISBEW64.exe
PID 1828 wrote to memory of 216 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{924AD6BE-6AF4-4830-9DEB-BA04DAA39263}\ISBEW64.exe
PID 1828 wrote to memory of 216 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{924AD6BE-6AF4-4830-9DEB-BA04DAA39263}\ISBEW64.exe
PID 1828 wrote to memory of 3752 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{924AD6BE-6AF4-4830-9DEB-BA04DAA39263}\ISBEW64.exe
PID 1828 wrote to memory of 3752 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{924AD6BE-6AF4-4830-9DEB-BA04DAA39263}\ISBEW64.exe
PID 1828 wrote to memory of 4680 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{924AD6BE-6AF4-4830-9DEB-BA04DAA39263}\ISBEW64.exe
PID 1828 wrote to memory of 4680 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{924AD6BE-6AF4-4830-9DEB-BA04DAA39263}\ISBEW64.exe
PID 1828 wrote to memory of 1376 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{924AD6BE-6AF4-4830-9DEB-BA04DAA39263}\ISBEW64.exe
PID 1828 wrote to memory of 1376 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{924AD6BE-6AF4-4830-9DEB-BA04DAA39263}\ISBEW64.exe
PID 1828 wrote to memory of 5100 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{924AD6BE-6AF4-4830-9DEB-BA04DAA39263}\ISBEW64.exe
PID 1828 wrote to memory of 5100 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{924AD6BE-6AF4-4830-9DEB-BA04DAA39263}\ISBEW64.exe
PID 1828 wrote to memory of 1740 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{924AD6BE-6AF4-4830-9DEB-BA04DAA39263}\ISBEW64.exe
PID 1828 wrote to memory of 1740 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{924AD6BE-6AF4-4830-9DEB-BA04DAA39263}\ISBEW64.exe
PID 1828 wrote to memory of 2096 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{924AD6BE-6AF4-4830-9DEB-BA04DAA39263}\ISBEW64.exe
PID 1828 wrote to memory of 2096 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{924AD6BE-6AF4-4830-9DEB-BA04DAA39263}\ISBEW64.exe
PID 1828 wrote to memory of 4324 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{924AD6BE-6AF4-4830-9DEB-BA04DAA39263}\ISBEW64.exe
PID 1828 wrote to memory of 4324 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{924AD6BE-6AF4-4830-9DEB-BA04DAA39263}\ISBEW64.exe
PID 1828 wrote to memory of 4512 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{924AD6BE-6AF4-4830-9DEB-BA04DAA39263}\ISBEW64.exe
PID 1828 wrote to memory of 4512 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{924AD6BE-6AF4-4830-9DEB-BA04DAA39263}\ISBEW64.exe

Processes

C:\Users\Admin\AppData\Local\Temp\202409163502350eba54b4ac640a8748470ac2c0floxificedid.exe

"C:\Users\Admin\AppData\Local\Temp\202409163502350eba54b4ac640a8748470ac2c0floxificedid.exe"

C:\Windows\SysWOW64\msiexec.exe

msiexec.exe /x {D9FB7F91-9687-4B09-894D-072903CADEA4} /passive

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\SysWOW64\msiexec.exe

msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\QualcommWindowsDriverInstaller.msi"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding ABA376717A6C3CB62EF18D358F1FB849 C

C:\Users\Admin\AppData\Local\Temp\{924AD6BE-6AF4-4830-9DEB-BA04DAA39263}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{924AD6BE-6AF4-4830-9DEB-BA04DAA39263}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E959833A-2569-4284-A88A-E4A83CDD237D}

C:\Users\Admin\AppData\Local\Temp\{924AD6BE-6AF4-4830-9DEB-BA04DAA39263}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{924AD6BE-6AF4-4830-9DEB-BA04DAA39263}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4F1C6C1D-B77E-403C-BBFE-2CB8A2409049}

C:\Users\Admin\AppData\Local\Temp\{924AD6BE-6AF4-4830-9DEB-BA04DAA39263}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{924AD6BE-6AF4-4830-9DEB-BA04DAA39263}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{CBD9F287-F073-4F52-B9B1-B82647454F9A}

C:\Users\Admin\AppData\Local\Temp\{924AD6BE-6AF4-4830-9DEB-BA04DAA39263}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{924AD6BE-6AF4-4830-9DEB-BA04DAA39263}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2C8E7B83-066E-41CA-B3D3-AAC4FBACE4E6}

C:\Users\Admin\AppData\Local\Temp\{924AD6BE-6AF4-4830-9DEB-BA04DAA39263}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{924AD6BE-6AF4-4830-9DEB-BA04DAA39263}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1AC4C141-36CD-4A10-BF0E-61FC6AA5BAFB}

C:\Users\Admin\AppData\Local\Temp\{924AD6BE-6AF4-4830-9DEB-BA04DAA39263}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{924AD6BE-6AF4-4830-9DEB-BA04DAA39263}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0DA8C4B5-04C0-48F5-8E6D-85FB4E0622EC}

C:\Users\Admin\AppData\Local\Temp\{924AD6BE-6AF4-4830-9DEB-BA04DAA39263}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{924AD6BE-6AF4-4830-9DEB-BA04DAA39263}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F8D8889F-722F-4256-BA42-95DDF3010CBA}

C:\Users\Admin\AppData\Local\Temp\{924AD6BE-6AF4-4830-9DEB-BA04DAA39263}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{924AD6BE-6AF4-4830-9DEB-BA04DAA39263}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3CA4D51F-6F42-4466-BCBD-582D1F187A37}

C:\Users\Admin\AppData\Local\Temp\{924AD6BE-6AF4-4830-9DEB-BA04DAA39263}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{924AD6BE-6AF4-4830-9DEB-BA04DAA39263}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{AD4A2046-A0F7-489B-893B-14335342EB7B}

C:\Users\Admin\AppData\Local\Temp\{924AD6BE-6AF4-4830-9DEB-BA04DAA39263}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{924AD6BE-6AF4-4830-9DEB-BA04DAA39263}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{06418C24-ED8D-4EBE-9E8E-E95100B38CFB}

C:\Users\Admin\AppData\Local\Temp\{924AD6BE-6AF4-4830-9DEB-BA04DAA39263}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{924AD6BE-6AF4-4830-9DEB-BA04DAA39263}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2F4DDFC8-7887-4597-A6F6-ABF846997D88}

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 5isohu.com udp
US 8.8.8.8:53 www.aieov.com udp
US 45.33.23.183:80 www.aieov.com tcp
US 8.8.8.8:53 183.23.33.45.in-addr.arpa udp
US 8.8.8.8:53 5isohu.com udp
US 45.33.23.183:80 www.aieov.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 5isohu.com udp
US 45.33.23.183:80 www.aieov.com tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 5isohu.com udp
US 45.33.23.183:80 www.aieov.com tcp
US 8.8.8.8:53 5isohu.com udp
US 45.33.23.183:80 www.aieov.com tcp
US 45.33.23.183:80 www.aieov.com tcp
US 8.8.8.8:53 5isohu.com udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 5isohu.com udp
US 45.33.23.183:80 www.aieov.com tcp

Files

C:\Program Files\Common Files\System\symsrv.dll

MD5 7574cf2c64f35161ab1292e2f532aabf
SHA1 14ba3fa927a06224dfe587014299e834def4644f
SHA256 de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085
SHA512 4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

memory/1268-4-0x0000000010000000-0x0000000010030000-memory.dmp

memory/1268-6-0x00000000004AF000-0x00000000004B3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QualcommWindowsDriverInstaller.msi

MD5 cde633c7be2c8db52f0922f8a8e0c613
SHA1 a9bc8e3c20244d7057843ebb5ce6152f9ef1bd7f
SHA256 a7d18848d352986989170eaae01af8439b91b732544662c80c17bad8605353e5
SHA512 e32e7bf3c682f070bfae158d98565aa4285bb0154f6655469ad470289845182d757623ad55bd649c39a5c2cd9f8da15aa564d71103084d8fafb336921211009b

C:\Users\Admin\AppData\Local\Temp\MSIB788.tmp

MD5 ca189a2b762e64d61303bfd4d88fd0a6
SHA1 13bf55664fb0345d3931458f75b6039c1213f46a
SHA256 dc5094ceb682772d95b427230bfb1af29df90ef67fe8afb08c43a0f2af3f880a
SHA512 31bb912f5c5f6cd6577f8529fcbbfc0bf4d0bda5e1904772c57cd942520db7dd1c10657e8695d16418a05763202af1034e4e47a7db8a8be618b9e330e8a544bf

memory/1828-17-0x0000000010000000-0x00000000101B5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{924AD6BE-6AF4-4830-9DEB-BA04DAA39263}\ISBEW64.exe

MD5 c3b2acc07bb0610405fc786e3432bef9
SHA1 333d5f2b55bd00ad4311ba104af7db984f953924
SHA256 9acc6cb5d01a4e4dbc92c8774c6999fab5f0e49f097e83098ba740842f5a2894
SHA512 2438e5dd11c8322101d9dc2d0f89ed0b1fc3cb5a65f644a1cf07f4c5a7f353c648e715fb910e09a444b623b3384eecd628e312608bcec63aa3b0107630df32bd

C:\Users\Admin\AppData\Local\Temp\{924AD6BE-6AF4-4830-9DEB-BA04DAA39263}\ISRT.dll

MD5 a93f625ef42b54c2b0f4d38201e67606
SHA1 cbfebc1f736ccfc65562ede79a5ae1a8afb116a1
SHA256 e91a865c3d60d9d0bce5d5a0a2f551c5e032d5bc13bc40f85091ce46d38064e0
SHA512 805f0d535022de3d03aa191239fd90c54f2f6745bf02e0ce9cbe59ea34eecac7f9ebb600864c7cbcad5d011fa61bdb5b65889136617edc44178f87bd3970b198

memory/1828-41-0x0000000002BC0000-0x0000000002C67000-memory.dmp

memory/1828-40-0x0000000002BC0000-0x0000000002C67000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{924AD6BE-6AF4-4830-9DEB-BA04DAA39263}\_isres_0x0409.dll

MD5 d6bbf7ff6984213c7f1f0f8f07c51e6a
SHA1 cfe933fc3b634f7333adec7ec124c14e9d19ac21
SHA256 6366e18a8cbf609c9573f341004e5c2725c23a12973affa90ee7bcc7934ae1b2
SHA512 a1364c96848f54b241c8e92ed1887ca599255c8046e31af11cd4b0b23d97c00243808dff9086a536c0084d6815223685283844a9e27f2c20c4d3b85a794a9e9d

memory/1828-46-0x0000000002F30000-0x0000000002FB9000-memory.dmp

memory/1268-59-0x0000000010000000-0x0000000010030000-memory.dmp

memory/1268-60-0x0000000010000000-0x0000000010030000-memory.dmp

memory/1828-64-0x0000000002BC0000-0x0000000002C67000-memory.dmp

memory/1828-63-0x0000000010000000-0x00000000101B5000-memory.dmp

memory/1268-67-0x0000000010000000-0x0000000010030000-memory.dmp

C:\Program Files\Common Files\System\symsrv.dll.000

MD5 1130c911bf5db4b8f7cf9b6f4b457623
SHA1 48e734c4bc1a8b5399bff4954e54b268bde9d54c
SHA256 eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1
SHA512 94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0

C:\Users\Admin\AppData\Local\Temp\{924AD6BE-6AF4-4830-9DEB-BA04DAA39263}\_isres_0x0409.dll.tmp

MD5 8c2d93af496f0f5d2a6f2062580d6019
SHA1 f836362119fec91dd7578977f426d6f018e92902
SHA256 daef4e35d519332377a58ab1e4d57177d8de13df0700941870a60990181e33f0
SHA512 352e9e6b4bd161d095ff67c231a8b11cce566611dc590116f54318a384f344ef8644d727e5abcd50561648c9c1cc91b0763c60ed64d00b00bfb7d5a92284b53d

memory/1268-82-0x0000000010000000-0x0000000010030000-memory.dmp

memory/1828-85-0x0000000002F30000-0x0000000002FB9000-memory.dmp

memory/1268-108-0x0000000010000000-0x0000000010030000-memory.dmp