Analysis Overview
SHA256
388849ff698162b1d7e8b555b67b6d3ad4b53709ee002e1e40f5c77b2319a368
Threat Level: Known bad
The file 202409163502350eba54b4ac640a8748470ac2c0floxificedid was found to be: Known bad.
Malicious Activity Summary
Floxif, Floodfix
Detects Floxif payload
Event Triggered Execution: AppInit DLLs
ACProtect 1.3x - 1.4x DLL software
UPX packed file
Loads dropped DLL
Executes dropped EXE
Enumerates connected drives
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-16 06:23
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-16 06:23
Reported
2024-09-16 06:26
Platform
win7-20240903-en
Max time kernel
143s
Max time network
124s
Command Line
Signatures
Floxif, Floodfix
Detects Floxif payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Event Triggered Execution: AppInit DLLs
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\202409163502350eba54b4ac640a8748470ac2c0floxificedid.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\202409163502350eba54b4ac640a8748470ac2c0floxificedid.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\K: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\e: | C:\Users\Admin\AppData\Local\Temp\202409163502350eba54b4ac640a8748470ac2c0floxificedid.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Common Files\System\symsrv.dll | C:\Users\Admin\AppData\Local\Temp\202409163502350eba54b4ac640a8748470ac2c0floxificedid.exe | N/A |
| File created | \??\c:\program files\common files\system\symsrv.dll.000 | C:\Users\Admin\AppData\Local\Temp\202409163502350eba54b4ac640a8748470ac2c0floxificedid.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\202409163502350eba54b4ac640a8748470ac2c0floxificedid.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\202409163502350eba54b4ac640a8748470ac2c0floxificedid.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\202409163502350eba54b4ac640a8748470ac2c0floxificedid.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\202409163502350eba54b4ac640a8748470ac2c0floxificedid.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\202409163502350eba54b4ac640a8748470ac2c0floxificedid.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\202409163502350eba54b4ac640a8748470ac2c0floxificedid.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\202409163502350eba54b4ac640a8748470ac2c0floxificedid.exe
"C:\Users\Admin\AppData\Local\Temp\202409163502350eba54b4ac640a8748470ac2c0floxificedid.exe"
C:\Windows\SysWOW64\msiexec.exe
msiexec.exe /x {D9FB7F91-9687-4B09-894D-072903CADEA4} /passive
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\SysWOW64\msiexec.exe
msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\QualcommWindowsDriverInstaller.msi"
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 85A452510E17DD5EF520C4B7D4A7A0DF C
C:\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4C4A10BF-425D-4B7C-8B12-32166638C386}
C:\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{18B8389A-C3B3-4E3D-A252-8B6B91404E10}
C:\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A00FFA7F-14C7-4B2D-A36C-06ECD438997A}
C:\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{60EA909C-3195-4FC2-AAA6-B0FF8B297504}
C:\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{252619CC-2A9A-4CF4-814F-CCBB486E461A}
C:\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C34588C5-CE8B-4D7B-9742-6DABDBC0036C}
C:\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{927A3BD3-B95E-467B-BE62-E6634793B792}
C:\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1C74D619-0863-4B00-A84C-A09D8663298C}
C:\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{668DF810-6DD8-41F8-A6A5-B1F7C08723D6}
C:\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{14CC40B7-1661-4EA3-B8E8-6DE3E77DB058}
C:\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D4BB87AE-DB87-4B55-9A7A-06699E00620B}
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 5isohu.com | udp |
| US | 8.8.8.8:53 | www.aieov.com | udp |
| US | 45.33.18.44:80 | www.aieov.com | tcp |
| US | 45.33.18.44:80 | www.aieov.com | tcp |
| US | 45.33.18.44:80 | www.aieov.com | tcp |
| US | 45.33.18.44:80 | www.aieov.com | tcp |
| US | 45.33.18.44:80 | www.aieov.com | tcp |
| US | 45.33.18.44:80 | www.aieov.com | tcp |
Files
memory/2628-21-0x00000000027C0000-0x0000000002975000-memory.dmp
\Users\Admin\AppData\Local\Temp\MSI84D9.tmp
| MD5 | ca189a2b762e64d61303bfd4d88fd0a6 |
| SHA1 | 13bf55664fb0345d3931458f75b6039c1213f46a |
| SHA256 | dc5094ceb682772d95b427230bfb1af29df90ef67fe8afb08c43a0f2af3f880a |
| SHA512 | 31bb912f5c5f6cd6577f8529fcbbfc0bf4d0bda5e1904772c57cd942520db7dd1c10657e8695d16418a05763202af1034e4e47a7db8a8be618b9e330e8a544bf |
memory/2628-18-0x0000000010000000-0x0000000010030000-memory.dmp
\Program Files\Common Files\System\symsrv.dll
| MD5 | 7574cf2c64f35161ab1292e2f532aabf |
| SHA1 | 14ba3fa927a06224dfe587014299e834def4644f |
| SHA256 | de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085 |
| SHA512 | 4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab |
memory/2896-14-0x0000000010000000-0x0000000010030000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\QualcommWindowsDriverInstaller.msi
| MD5 | cde633c7be2c8db52f0922f8a8e0c613 |
| SHA1 | a9bc8e3c20244d7057843ebb5ce6152f9ef1bd7f |
| SHA256 | a7d18848d352986989170eaae01af8439b91b732544662c80c17bad8605353e5 |
| SHA512 | e32e7bf3c682f070bfae158d98565aa4285bb0154f6655469ad470289845182d757623ad55bd649c39a5c2cd9f8da15aa564d71103084d8fafb336921211009b |
memory/2828-11-0x0000000010000000-0x0000000010030000-memory.dmp
memory/2828-9-0x0000000010000000-0x0000000010030000-memory.dmp
memory/2808-5-0x00000000004AF000-0x00000000004B3000-memory.dmp
memory/2808-3-0x0000000010000000-0x0000000010030000-memory.dmp
\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISBEW64.exe
| MD5 | c3b2acc07bb0610405fc786e3432bef9 |
| SHA1 | 333d5f2b55bd00ad4311ba104af7db984f953924 |
| SHA256 | 9acc6cb5d01a4e4dbc92c8774c6999fab5f0e49f097e83098ba740842f5a2894 |
| SHA512 | 2438e5dd11c8322101d9dc2d0f89ed0b1fc3cb5a65f644a1cf07f4c5a7f353c648e715fb910e09a444b623b3384eecd628e312608bcec63aa3b0107630df32bd |
\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\ISRT.dll
| MD5 | a93f625ef42b54c2b0f4d38201e67606 |
| SHA1 | cbfebc1f736ccfc65562ede79a5ae1a8afb116a1 |
| SHA256 | e91a865c3d60d9d0bce5d5a0a2f551c5e032d5bc13bc40f85091ce46d38064e0 |
| SHA512 | 805f0d535022de3d03aa191239fd90c54f2f6745bf02e0ce9cbe59ea34eecac7f9ebb600864c7cbcad5d011fa61bdb5b65889136617edc44178f87bd3970b198 |
memory/2628-45-0x0000000003050000-0x00000000030F7000-memory.dmp
\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\_isres_0x0409.dll
| MD5 | d6bbf7ff6984213c7f1f0f8f07c51e6a |
| SHA1 | cfe933fc3b634f7333adec7ec124c14e9d19ac21 |
| SHA256 | 6366e18a8cbf609c9573f341004e5c2725c23a12973affa90ee7bcc7934ae1b2 |
| SHA512 | a1364c96848f54b241c8e92ed1887ca599255c8046e31af11cd4b0b23d97c00243808dff9086a536c0084d6815223685283844a9e27f2c20c4d3b85a794a9e9d |
memory/2628-48-0x0000000003390000-0x0000000003419000-memory.dmp
memory/2808-65-0x0000000010000000-0x0000000010030000-memory.dmp
memory/2896-66-0x0000000010000000-0x0000000010030000-memory.dmp
memory/2808-67-0x0000000010000000-0x0000000010030000-memory.dmp
memory/2628-68-0x0000000010000000-0x0000000010030000-memory.dmp
memory/2628-72-0x0000000003050000-0x00000000030F7000-memory.dmp
memory/2628-71-0x00000000027C0000-0x0000000002975000-memory.dmp
memory/2808-75-0x0000000010000000-0x0000000010030000-memory.dmp
memory/2808-82-0x0000000010000000-0x0000000010030000-memory.dmp
memory/2808-89-0x0000000010000000-0x0000000010030000-memory.dmp
C:\Program Files\Common Files\System\symsrv.dll.000
| MD5 | 1130c911bf5db4b8f7cf9b6f4b457623 |
| SHA1 | 48e734c4bc1a8b5399bff4954e54b268bde9d54c |
| SHA256 | eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1 |
| SHA512 | 94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0 |
memory/2808-98-0x0000000010000000-0x0000000010030000-memory.dmp
\Users\Admin\AppData\Local\Temp\{27359090-3999-4076-BBF5-7D9EA3BFC498}\_isres_0x0409.dll.tmp
| MD5 | 5b5f5d71be88f01ccad4c33ed6f4088e |
| SHA1 | ee6db4b5ae5eb7ecb181c30319aa311075fc0551 |
| SHA256 | 931fdc6fd31f4f09ce83a577f8026298a7b2798186591270413fc2ffb1d3a733 |
| SHA512 | b8871eae16a915e603f85702dcf7e47f3a9c95537cf5c95c809bbdfb826f072d4ea10fb4196e225f522f555a42561d096ef360d44602266a587af19acd0a9df5 |
memory/2808-108-0x0000000010000000-0x0000000010030000-memory.dmp
memory/2628-115-0x0000000003390000-0x0000000003419000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-16 06:23
Reported
2024-09-16 06:25
Platform
win10v2004-20240802-en
Max time kernel
147s
Max time network
151s
Command Line
Signatures
Floxif, Floodfix
Detects Floxif payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\202409163502350eba54b4ac640a8748470ac2c0floxificedid.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\202409163502350eba54b4ac640a8748470ac2c0floxificedid.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\202409163502350eba54b4ac640a8748470ac2c0floxificedid.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\L: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\e: | C:\Users\Admin\AppData\Local\Temp\202409163502350eba54b4ac640a8748470ac2c0floxificedid.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Common Files\System\symsrv.dll | C:\Users\Admin\AppData\Local\Temp\202409163502350eba54b4ac640a8748470ac2c0floxificedid.exe | N/A |
| File created | \??\c:\program files\common files\system\symsrv.dll.000 | C:\Users\Admin\AppData\Local\Temp\202409163502350eba54b4ac640a8748470ac2c0floxificedid.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\202409163502350eba54b4ac640a8748470ac2c0floxificedid.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\202409163502350eba54b4ac640a8748470ac2c0floxificedid.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\202409163502350eba54b4ac640a8748470ac2c0floxificedid.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\202409163502350eba54b4ac640a8748470ac2c0floxificedid.exe
"C:\Users\Admin\AppData\Local\Temp\202409163502350eba54b4ac640a8748470ac2c0floxificedid.exe"
C:\Windows\SysWOW64\msiexec.exe
msiexec.exe /x {D9FB7F91-9687-4B09-894D-072903CADEA4} /passive
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\SysWOW64\msiexec.exe
msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\QualcommWindowsDriverInstaller.msi"
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding ABA376717A6C3CB62EF18D358F1FB849 C
C:\Users\Admin\AppData\Local\Temp\{924AD6BE-6AF4-4830-9DEB-BA04DAA39263}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{924AD6BE-6AF4-4830-9DEB-BA04DAA39263}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E959833A-2569-4284-A88A-E4A83CDD237D}
C:\Users\Admin\AppData\Local\Temp\{924AD6BE-6AF4-4830-9DEB-BA04DAA39263}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{924AD6BE-6AF4-4830-9DEB-BA04DAA39263}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4F1C6C1D-B77E-403C-BBFE-2CB8A2409049}
C:\Users\Admin\AppData\Local\Temp\{924AD6BE-6AF4-4830-9DEB-BA04DAA39263}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{924AD6BE-6AF4-4830-9DEB-BA04DAA39263}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{CBD9F287-F073-4F52-B9B1-B82647454F9A}
C:\Users\Admin\AppData\Local\Temp\{924AD6BE-6AF4-4830-9DEB-BA04DAA39263}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{924AD6BE-6AF4-4830-9DEB-BA04DAA39263}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2C8E7B83-066E-41CA-B3D3-AAC4FBACE4E6}
C:\Users\Admin\AppData\Local\Temp\{924AD6BE-6AF4-4830-9DEB-BA04DAA39263}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{924AD6BE-6AF4-4830-9DEB-BA04DAA39263}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1AC4C141-36CD-4A10-BF0E-61FC6AA5BAFB}
C:\Users\Admin\AppData\Local\Temp\{924AD6BE-6AF4-4830-9DEB-BA04DAA39263}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{924AD6BE-6AF4-4830-9DEB-BA04DAA39263}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0DA8C4B5-04C0-48F5-8E6D-85FB4E0622EC}
C:\Users\Admin\AppData\Local\Temp\{924AD6BE-6AF4-4830-9DEB-BA04DAA39263}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{924AD6BE-6AF4-4830-9DEB-BA04DAA39263}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F8D8889F-722F-4256-BA42-95DDF3010CBA}
C:\Users\Admin\AppData\Local\Temp\{924AD6BE-6AF4-4830-9DEB-BA04DAA39263}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{924AD6BE-6AF4-4830-9DEB-BA04DAA39263}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3CA4D51F-6F42-4466-BCBD-582D1F187A37}
C:\Users\Admin\AppData\Local\Temp\{924AD6BE-6AF4-4830-9DEB-BA04DAA39263}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{924AD6BE-6AF4-4830-9DEB-BA04DAA39263}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{AD4A2046-A0F7-489B-893B-14335342EB7B}
C:\Users\Admin\AppData\Local\Temp\{924AD6BE-6AF4-4830-9DEB-BA04DAA39263}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{924AD6BE-6AF4-4830-9DEB-BA04DAA39263}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{06418C24-ED8D-4EBE-9E8E-E95100B38CFB}
C:\Users\Admin\AppData\Local\Temp\{924AD6BE-6AF4-4830-9DEB-BA04DAA39263}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{924AD6BE-6AF4-4830-9DEB-BA04DAA39263}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2F4DDFC8-7887-4597-A6F6-ABF846997D88}
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5isohu.com | udp |
| US | 8.8.8.8:53 | www.aieov.com | udp |
| US | 45.33.23.183:80 | www.aieov.com | tcp |
| US | 8.8.8.8:53 | 183.23.33.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5isohu.com | udp |
| US | 45.33.23.183:80 | www.aieov.com | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5isohu.com | udp |
| US | 45.33.23.183:80 | www.aieov.com | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5isohu.com | udp |
| US | 45.33.23.183:80 | www.aieov.com | tcp |
| US | 8.8.8.8:53 | 5isohu.com | udp |
| US | 45.33.23.183:80 | www.aieov.com | tcp |
| US | 45.33.23.183:80 | www.aieov.com | tcp |
| US | 8.8.8.8:53 | 5isohu.com | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5isohu.com | udp |
| US | 45.33.23.183:80 | www.aieov.com | tcp |
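The Network table above mixes three kinds of rows: reverse lookups (`*.in-addr.arpa`) that the sandbox or the OS performs for peers it already talked to, forward DNS queries the sample issued, and the TCP connections that followed. Read as a whole, `5isohu.com` is queried repeatedly and never followed by a connection, while `www.aieov.com` resolves and is contacted on 45.33.23.183:80 every time. The script below is an added example, not part of the original report or of the sandbox vendor's tooling: it parses rows of exactly this table's shape (a subset of the rows above is embedded as constructed input), drops the reverse-lookup noise, and separates names that were queried but never connected to from endpoints that were actually reached. Treating `in-addr.arpa` rows as noise is an analyst heuristic, not something the report states.

```python
"""Triage a sandbox 'Network' table: drop reverse-lookup noise, then split
domains into 'queried but never contacted' and 'actually connected to'.
Added example, not part of the original report."""
import re
from collections import defaultdict

# Rows copied from the report's Network table (constructed input for this
# example; the real table has more rows of the same shape).
NETWORK_ROWS = """
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5isohu.com | udp |
| US | 8.8.8.8:53 | www.aieov.com | udp |
| US | 45.33.23.183:80 | www.aieov.com | tcp |
| US | 8.8.8.8:53 | 183.23.33.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5isohu.com | udp |
| US | 45.33.23.183:80 | www.aieov.com | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5isohu.com | udp |
| US | 45.33.23.183:80 | www.aieov.com | tcp |
"""

# | Country | ip:port | Domain | Proto |  -- the header row does not match
# because its Destination cell has no ':' and is skipped by the parser.
ROW_RE = re.compile(
    r"^\|\s*(\w+)\s*\|\s*([\d.]+):(\d+)\s*\|\s*(\S+)\s*\|\s*(\w+)\s*\|$"
)


def parse_rows(text):
    """Yield (country, ip, port, domain, proto); silently skip other lines."""
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            country, ip, port, domain, proto = m.groups()
            yield country, ip, int(port), domain.lower(), proto.lower()


def is_reverse_lookup(domain):
    """PTR lookups are resolver/OS behaviour, not a name the sample chose."""
    return domain.endswith(".in-addr.arpa") or domain.endswith(".ip6.arpa")


def triage(text):
    """Return {domain: {'queries': n, 'connections': {(ip, port, proto)}}}.

    A domain with queries but no connection never resolved (or was
    sinkholed) during detonation; it is still an indicator worth blocking.
    """
    result = defaultdict(lambda: {"queries": 0, "connections": set()})
    for _country, ip, port, domain, proto in parse_rows(text):
        if is_reverse_lookup(domain):
            continue
        if port == 53 and proto == "udp":
            result[domain]["queries"] += 1
        else:
            result[domain]["connections"].add((ip, port, proto))
    return dict(result)


def unresolved_domains(summary):
    """Domains the sample asked for that never produced a connection."""
    return sorted(d for d, v in summary.items()
                  if v["queries"] and not v["connections"])


def contacted_endpoints(summary):
    """Sorted (domain, ip, port, proto) tuples the sample actually reached."""
    return sorted((d, *c) for d, v in summary.items() for c in v["connections"])


if __name__ == "__main__":
    summary = triage(NETWORK_ROWS)
    for domain, info in sorted(summary.items()):
        print(domain, info["queries"], sorted(info["connections"]))
    print("queried, never contacted:", unresolved_domains(summary))
    print("contacted:", contacted_endpoints(summary))
```

On the embedded rows this yields one contacted endpoint (`www.aieov.com` at 45.33.23.183:80/tcp) and one name that was queried three times without any follow-up connection (`5isohu.com`); both belong on a blocklist, but only the first tells you which IP to look for in proxy or NetFlow data. Note that the reverse lookup `183.23.33.45.in-addr.arpa` is the sandbox resolving that same C2 address after the fact, which is why the script discards it rather than counting it as a sample-initiated query.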
Files
C:\Program Files\Common Files\System\symsrv.dll
| MD5 | 7574cf2c64f35161ab1292e2f532aabf |
| SHA1 | 14ba3fa927a06224dfe587014299e834def4644f |
| SHA256 | de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085 |
| SHA512 | 4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab |
memory/1268-4-0x0000000010000000-0x0000000010030000-memory.dmp
memory/1268-6-0x00000000004AF000-0x00000000004B3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\QualcommWindowsDriverInstaller.msi
| MD5 | cde633c7be2c8db52f0922f8a8e0c613 |
| SHA1 | a9bc8e3c20244d7057843ebb5ce6152f9ef1bd7f |
| SHA256 | a7d18848d352986989170eaae01af8439b91b732544662c80c17bad8605353e5 |
| SHA512 | e32e7bf3c682f070bfae158d98565aa4285bb0154f6655469ad470289845182d757623ad55bd649c39a5c2cd9f8da15aa564d71103084d8fafb336921211009b |
C:\Users\Admin\AppData\Local\Temp\MSIB788.tmp
| MD5 | ca189a2b762e64d61303bfd4d88fd0a6 |
| SHA1 | 13bf55664fb0345d3931458f75b6039c1213f46a |
| SHA256 | dc5094ceb682772d95b427230bfb1af29df90ef67fe8afb08c43a0f2af3f880a |
| SHA512 | 31bb912f5c5f6cd6577f8529fcbbfc0bf4d0bda5e1904772c57cd942520db7dd1c10657e8695d16418a05763202af1034e4e47a7db8a8be618b9e330e8a544bf |
memory/1828-17-0x0000000010000000-0x00000000101B5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\{924AD6BE-6AF4-4830-9DEB-BA04DAA39263}\ISBEW64.exe
| MD5 | c3b2acc07bb0610405fc786e3432bef9 |
| SHA1 | 333d5f2b55bd00ad4311ba104af7db984f953924 |
| SHA256 | 9acc6cb5d01a4e4dbc92c8774c6999fab5f0e49f097e83098ba740842f5a2894 |
| SHA512 | 2438e5dd11c8322101d9dc2d0f89ed0b1fc3cb5a65f644a1cf07f4c5a7f353c648e715fb910e09a444b623b3384eecd628e312608bcec63aa3b0107630df32bd |
C:\Users\Admin\AppData\Local\Temp\{924AD6BE-6AF4-4830-9DEB-BA04DAA39263}\ISRT.dll
| MD5 | a93f625ef42b54c2b0f4d38201e67606 |
| SHA1 | cbfebc1f736ccfc65562ede79a5ae1a8afb116a1 |
| SHA256 | e91a865c3d60d9d0bce5d5a0a2f551c5e032d5bc13bc40f85091ce46d38064e0 |
| SHA512 | 805f0d535022de3d03aa191239fd90c54f2f6745bf02e0ce9cbe59ea34eecac7f9ebb600864c7cbcad5d011fa61bdb5b65889136617edc44178f87bd3970b198 |
memory/1828-41-0x0000000002BC0000-0x0000000002C67000-memory.dmp
memory/1828-40-0x0000000002BC0000-0x0000000002C67000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\{924AD6BE-6AF4-4830-9DEB-BA04DAA39263}\_isres_0x0409.dll
| MD5 | d6bbf7ff6984213c7f1f0f8f07c51e6a |
| SHA1 | cfe933fc3b634f7333adec7ec124c14e9d19ac21 |
| SHA256 | 6366e18a8cbf609c9573f341004e5c2725c23a12973affa90ee7bcc7934ae1b2 |
| SHA512 | a1364c96848f54b241c8e92ed1887ca599255c8046e31af11cd4b0b23d97c00243808dff9086a536c0084d6815223685283844a9e27f2c20c4d3b85a794a9e9d |
memory/1828-46-0x0000000002F30000-0x0000000002FB9000-memory.dmp
memory/1268-59-0x0000000010000000-0x0000000010030000-memory.dmp
memory/1268-60-0x0000000010000000-0x0000000010030000-memory.dmp
memory/1828-64-0x0000000002BC0000-0x0000000002C67000-memory.dmp
memory/1828-63-0x0000000010000000-0x00000000101B5000-memory.dmp
memory/1268-67-0x0000000010000000-0x0000000010030000-memory.dmp
C:\Program Files\Common Files\System\symsrv.dll.000
| MD5 | 1130c911bf5db4b8f7cf9b6f4b457623 |
| SHA1 | 48e734c4bc1a8b5399bff4954e54b268bde9d54c |
| SHA256 | eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1 |
| SHA512 | 94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0 |
C:\Users\Admin\AppData\Local\Temp\{924AD6BE-6AF4-4830-9DEB-BA04DAA39263}\_isres_0x0409.dll.tmp
| MD5 | 8c2d93af496f0f5d2a6f2062580d6019 |
| SHA1 | f836362119fec91dd7578977f426d6f018e92902 |
| SHA256 | daef4e35d519332377a58ab1e4d57177d8de13df0700941870a60990181e33f0 |
| SHA512 | 352e9e6b4bd161d095ff67c231a8b11cce566611dc590116f54318a384f344ef8644d727e5abcd50561648c9c1cc91b0763c60ed64d00b00bfb7d5a92284b53d |
memory/1268-82-0x0000000010000000-0x0000000010030000-memory.dmp
memory/1828-85-0x0000000002F30000-0x0000000002FB9000-memory.dmp
memory/1268-108-0x0000000010000000-0x0000000010030000-memory.dmp
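The Files section above is what a responder carries to other hosts: the report shows `symsrv.dll` written to `C:\Program Files\Common Files\System\` alongside a `symsrv.dll.000` with a different hash, and the signature list tags the AppInit DLLs technique, which lives in the `AppInit_DLLs` / `LoadAppInit_DLLs` values under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows` (and the `Wow6432Node` copy on 64-bit systems). The script below is an added example, not part of the original report or of the sandbox vendor's tooling. It hashes a directory tree against the SHA-256 values listed above, reports a file name hit without a hash match as a weaker finding (a later variant, or a legitimate `symsrv.dll` shipped by a debugging tool), and evaluates the AppInit values. The report does not say what `symsrv.dll.000` is, so the example only flags the name; the registry reader is Windows-only and is kept separate from the pure evaluation so the logic can be exercised anywhere.

```python
"""Hunt for the dropped files and the AppInit_DLLs setting from this report.
Added example, not part of the original report."""
import hashlib
import os
import sys

# SHA-256 values copied from the report's Files section.
REPORT_SHA256 = {
    "de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085": "symsrv.dll",
    "eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1": "symsrv.dll.000",
    "a7d18848d352986989170eaae01af8439b91b732544662c80c17bad8605353e5": "QualcommWindowsDriverInstaller.msi",
}
# Names the report shows being written under Program Files\Common Files\System.
SUSPECT_NAMES = {"symsrv.dll", "symsrv.dll.000"}


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk=1 << 20):
    """Stream the file so large installers do not get read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def classify(name, digest, known_hashes=REPORT_SHA256, suspect_names=SUSPECT_NAMES):
    """Strong hit: digest listed in the report.  Weak hit: a report file name
    with a different digest.  None: not of interest."""
    if digest in known_hashes:
        return "sha256:" + known_hashes[digest]
    if name.lower() in suspect_names:
        return "name-only"
    return None


def scan_tree(root, known_hashes=REPORT_SHA256, suspect_names=SUSPECT_NAMES):
    """Walk root and return [(path, reason)] for every classified file."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # locked or unreadable; note it elsewhere if needed
            reason = classify(name, digest, known_hashes, suspect_names)
            if reason:
                hits.append((path, reason))
    return hits


def appinit_findings(values):
    """Given the two registry values as a dict, return the DLL paths that
    would be injected into every process that loads user32.dll, or [] when
    loading is disabled or the list is empty.  A missing LoadAppInit_DLLs is
    treated as 0 here (an assumption; confirm the host's actual value)."""
    if str(values.get("LoadAppInit_DLLs", 0)) == "0":
        return []
    raw = values.get("AppInit_DLLs", "") or ""
    # Windows accepts space- or comma-separated entries in this value.
    return [p for p in raw.replace(",", " ").split() if p]


def read_appinit_values():
    """Windows only: read both the native and the WOW64 key."""
    import winreg  # not available off Windows, so imported here
    out = {}
    for sub in (r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows",
                r"SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows"):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, sub) as key:
                vals = {}
                for name in ("LoadAppInit_DLLs", "AppInit_DLLs"):
                    try:
                        vals[name] = winreg.QueryValueEx(key, name)[0]
                    except FileNotFoundError:
                        pass
                out[sub] = vals
        except FileNotFoundError:
            pass
    return out


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else r"C:\Program Files\Common Files\System"
    for path, reason in scan_tree(root):
        print(reason, path)
    if sys.platform == "win32":
        for key, vals in read_appinit_values().items():
            print(key, appinit_findings(vals) or "no AppInit DLLs loaded")
```

Run it as `python hunt.py "C:\Program Files\Common Files\System"` on a suspect host (the default root is that directory); a `name-only` hit on `symsrv.dll` deserves a look at the file's signature and version resource before it is called clean, since the hash in this report only identifies this one build. Run the script from a 64-bit Python on 64-bit Windows, otherwise WOW64 registry redirection will show the 32-bit view under both key paths.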