Analysis Overview
SHA256
5438fc72599780bfe9b69d20345706d403088e71f4e84b794636762cff8fbc8b
Threat Level: Known bad
The file 5438fc72599780bfe9b69d20345706d403088e71f4e84b794636762cff8fbc8bN was found to be: Known bad.
Malicious Activity Summary
Floxif, Floodfix
Floxif family
Detects Floxif payload
Loads dropped DLL
ACProtect 1.3x - 1.4x DLL software
Enumerates connected drives
UPX packed file
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Unsigned PE
Program crash
Browser Information Discovery
Enumerates physical storage devices
NSIS installer
Enumerates system info in registry
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Modifies Internet Explorer settings
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 06:07
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 06:07
Reported
2024-11-09 06:09
Platform
win7-20241023-en
Max time kernel
119s
Max time network
79s
Command Line
Signatures
Floxif family
Floxif, Floodfix
Detects Floxif payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5438fc72599780bfe9b69d20345706d403088e71f4e84b794636762cff8fbc8bN.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\e: | C:\Users\Admin\AppData\Local\Temp\5438fc72599780bfe9b69d20345706d403088e71f4e84b794636762cff8fbc8bN.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Common Files\System\symsrv.dll | C:\Users\Admin\AppData\Local\Temp\5438fc72599780bfe9b69d20345706d403088e71f4e84b794636762cff8fbc8bN.exe | N/A |
| File created | \??\c:\program files\common files\system\symsrv.dll.000 | C:\Users\Admin\AppData\Local\Temp\5438fc72599780bfe9b69d20345706d403088e71f4e84b794636762cff8fbc8bN.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5438fc72599780bfe9b69d20345706d403088e71f4e84b794636762cff8fbc8bN.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5438fc72599780bfe9b69d20345706d403088e71f4e84b794636762cff8fbc8bN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5438fc72599780bfe9b69d20345706d403088e71f4e84b794636762cff8fbc8bN.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5438fc72599780bfe9b69d20345706d403088e71f4e84b794636762cff8fbc8bN.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\5438fc72599780bfe9b69d20345706d403088e71f4e84b794636762cff8fbc8bN.exe
"C:\Users\Admin\AppData\Local\Temp\5438fc72599780bfe9b69d20345706d403088e71f4e84b794636762cff8fbc8bN.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 5isohu.com | udp |
| US | 8.8.8.8:53 | www.aieov.com | udp |
| US | 45.33.20.235:80 | www.aieov.com | tcp |
| US | 72.14.178.174:80 | www.aieov.com | tcp |
| US | 72.14.178.174:80 | www.aieov.com | tcp |
| US | 72.14.178.174:80 | www.aieov.com | tcp |
| US | 72.14.178.174:80 | www.aieov.com | tcp |
| US | 72.14.178.174:80 | www.aieov.com | tcp |
| US | 72.14.178.174:80 | www.aieov.com | tcp |
Files
\Program Files\Common Files\System\symsrv.dll
| MD5 | 7574cf2c64f35161ab1292e2f532aabf |
| SHA1 | 14ba3fa927a06224dfe587014299e834def4644f |
| SHA256 | de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085 |
| SHA512 | 4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab |
C:\Program Files\Common Files\System\symsrv.dll.000
| MD5 | 1130c911bf5db4b8f7cf9b6f4b457623 |
| SHA1 | 48e734c4bc1a8b5399bff4954e54b268bde9d54c |
| SHA256 | eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1 |
| SHA512 | 94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-09 06:07
Reported
2024-11-09 06:09
Platform
win7-20240903-en
Max time kernel
78s
Max time network
16s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2420 -s 244
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-11-09 06:07
Reported
2024-11-09 06:09
Platform
win7-20240903-en
Max time kernel
75s
Max time network
75s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\VirtualFDD.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 509556b06d32db01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437294298" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a7e3310a2b0e6e498bd88e48ec67abf60000000002000000000010660000000100002000000010533f58b07739e7babe61558b7289c39d83b6e0ba423dd975eb8a547444fd5c000000000e8000000002000020000000f9bcecc8ed79d32dec14114eec8aafe7c31655ced9b867a573e180662e941bfb20000000f99d25056a2284f890111c6631f25cacb7eefc9ab66cc5fd9296643339c16e344000000034151337cca73eae269e87b403d2dae90be00456c3268a7bfea7b32b16a3e95e1e882f22355f2211c25ba43e8c832b60538305a1c0153e5c993ff60948f9c486 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (binary value omitted) | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DB504A81-9E60-11EF-BE3F-EA7747D117E6} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VirtualFDD.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\VirtualFDD.exe
"C:\Users\Admin\AppData\Local\Temp\VirtualFDD.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://www.virtualfdd.com/
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2944 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.virtualfdd.com | udp |
| NL | 37.48.65.148:80 | www.virtualfdd.com | tcp |
| NL | 37.48.65.148:80 | www.virtualfdd.com | tcp |
| US | 8.8.8.8:53 | ww1.virtualfdd.com | udp |
| US | 199.59.243.227:80 | ww1.virtualfdd.com | tcp |
| US | 199.59.243.227:80 | ww1.virtualfdd.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab7D7C.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar7F25.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 958871d3e07d9f1f29e8da1746c478b6 |
| SHA1 | f56416e4ceaa61b10fab03b0c41fa0875780de65 |
| SHA256 | dd69b41c52e49f8afc7e8a3e129a4cd275d499cd948b2b0fa0129afa04b5fa23 |
| SHA512 | 5b003896c016ad8ad95eb1fbee714b6779047cda358a60d65f047558bc52c6be550005675d7842983461e1a2cdb965e985d8b3db47eb19d26cd46f7411d92998 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1b8bd8bea0c8d81c4fbebce85ce92153 |
| SHA1 | b910516b516c52d9bb20b22f11fe5e26a6be22d0 |
| SHA256 | 96e756d50e528941f38d0a7e1b89f870e2ae5897e9b2b217e955abcbd90a26a5 |
| SHA512 | 0d004078c23b49c54a65de3501325cbedef675a0a306619fa6fedb7bf5cf4c40fa48d5de55f28a26249608a50d94af67c711aece47fe1535f70fc1127baf851c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9adf5cc6dbf8acb46e6b513cdf0dd87e |
| SHA1 | 2d55eb5d41e530efdf0136882b83ded6e04a4abf |
| SHA256 | 1e219011f5bc1d085fd3eefd007d1af0611ffd81e5e0056d63ef126944688e3b |
| SHA512 | 712acc367c3143d161d3eecff571032b5c89303a30b197d37cc0d49cd53571d3d5dc8ab5704af84cfe7842e8177aa5870575891e4dae5011a06ab82fa2341d3a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2dccb4a2242aac87696f6abd3778202c |
| SHA1 | 24f049eda903b74a43bb759e0a62b9be47ec94f0 |
| SHA256 | b477561ca2a82c2aa80cda2d339f624482bc501cd22f8e4501d0c79e3fd6e4b9 |
| SHA512 | bdf08e7da8ab29298159dcba0030d794127578135ac3dcb1c794965a4b16c5ec226803f52387ab3903d17136ee6e609b16902fbe2ff2f1d98603914e0d311927 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4df614eb5bc916becd5c0c5b70d285b7 |
| SHA1 | a9f026f794e2d6049c8bda9366a3e32fc5b3d8d0 |
| SHA256 | a4d0dfe60ad9e1f29cc803f871a4d9dd8d479b1bb66471c9bc6a81cfe3a9a0a4 |
| SHA512 | 7143cbe55dc477a7f050e0c43319a28cc8dc5d956a64bc7a7a6e73c87f50708b81b2868fc80c785df62c3ceda7267af03e62cb000b1882850753053f82bf0187 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 97a5c11f01f8876811a16986da41a3ed |
| SHA1 | be5a2201ba821caf3e1343970315c8a91a926660 |
| SHA256 | 15e6e27f4c74772c2bb6cefa0eb2c1263a84eb9ffe87dca2bfe85dd03662440d |
| SHA512 | 272c4faacffbf0d38cf64a745537d095026cbe813fbff0edb9a537a03a579a8cd9d23f95d1f521aaab61e5ede33e8bcdcb90669358ba4f70ecfe22c27f6985eb |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 93061a1a6fc8a69cd8d92f6107021c14 |
| SHA1 | 179f97fdbee2c917e30719f9287f7193e0b2be8d |
| SHA256 | cdd5d4b9a5b69bbafca77c1108024f2ad3e3334755cc1e30e71651cf4f2b515d |
| SHA512 | 42c0b0262049ed29f17b18e88407f9eb0403b44b58f61ba27e7f124247d30e7e3addec55b5cfb20570f53201e64e989fb4c07f0a9ec8727db7bc6a91c17c5197 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6769dd9040454a03363f05b13febb007 |
| SHA1 | 1c6e2937bec979222cae4d0e63f86b57f63685f3 |
| SHA256 | f49655485658b9ba6fadf1629aac4dd5c89d2733548db8565be02b6cbc12caae |
| SHA512 | 7988907567c737cb177da45b7267a767c86319be18bc52c205f377d9ce9a1003db28fff978468b02b311990ab0cd781b5399df3d9860709455fd0b0850627a55 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 089e8de24c4916901800f9b40133b4d0 |
| SHA1 | 84e8ba38d54720e13b69dfb6b74e058f53d66faf |
| SHA256 | bde82737106f8aef4c05c5fd947eed741da8763015f1fd85e36230efb64639ee |
| SHA512 | c63a5eb6c809f0597d6ad27f8ebc58d0931acfc83aa6a86819fb1dc5dc918349c8f523069acebb78c9d60bb980fd5bed311c9bc1b5a601b3d08671d385b7b945 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7ac9e2b0239e38eefcde69a343d83a3f |
| SHA1 | 827ff38ed8bb1afd5722e21161d9c6953cbd24c6 |
| SHA256 | 247b96d4327e919f2a22cee5df3cd44dc2ce3e6fd9ddb66392fc9506a1e266cd |
| SHA512 | 306eae4fd4501471f2e6f1c1d0784a239c07c6517480aa65992c5f3649bfd136e6bd37573807742c784a2a9051877821914f240b3a14afb254bf64113aa17c55 |
Analysis: behavioral6
Detonation Overview
Submitted
2024-11-09 06:07
Reported
2024-11-09 06:09
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
111s
Command Line
Signatures
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\VirtualFDD.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VirtualFDD.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\VirtualFDD.exe
"C:\Users\Admin\AppData\Local\Temp\VirtualFDD.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.virtualfdd.com/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd2ef746f8,0x7ffd2ef74708,0x7ffd2ef74718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,2618470240476834117,5653317622499083099,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,2618470240476834117,5653317622499083099,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,2618470240476834117,5653317622499083099,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2904 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2618470240476834117,5653317622499083099,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2618470240476834117,5653317622499083099,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2618470240476834117,5653317622499083099,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,2618470240476834117,5653317622499083099,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,2618470240476834117,5653317622499083099,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2618470240476834117,5653317622499083099,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2618470240476834117,5653317622499083099,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2618470240476834117,5653317622499083099,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2618470240476834117,5653317622499083099,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.virtualfdd.com | udp |
| NL | 37.48.65.148:80 | www.virtualfdd.com | tcp |
| NL | 37.48.65.148:80 | www.virtualfdd.com | tcp |
| NL | 37.48.65.148:80 | www.virtualfdd.com | tcp |
| US | 8.8.8.8:53 | 148.65.48.37.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ww1.virtualfdd.com | udp |
| US | 199.59.243.227:80 | ww1.virtualfdd.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.180.4:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | 227.243.59.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | syndicatedsearch.goog | udp |
| GB | 216.58.212.206:443 | syndicatedsearch.goog | tcp |
| US | 8.8.8.8:53 | partner.googleadservices.com | udp |
| GB | 172.217.16.226:443 | partner.googleadservices.com | tcp |
| GB | 172.217.16.226:443 | partner.googleadservices.com | tcp |
| GB | 216.58.212.206:443 | syndicatedsearch.goog | udp |
| US | 8.8.8.8:53 | afs.googleusercontent.com | udp |
| US | 8.8.8.8:53 | 206.212.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.16.217.172.in-addr.arpa | udp |
| GB | 216.58.204.65:443 | afs.googleusercontent.com | tcp |
| GB | 216.58.204.65:443 | afs.googleusercontent.com | tcp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | 65.204.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | c2d9eeb3fdd75834f0ac3f9767de8d6f |
| SHA1 | 4d16a7e82190f8490a00008bd53d85fb92e379b0 |
| SHA256 | 1e5efb5f1d78a4cc269cb116307e9d767fc5ad8a18e6cf95c81c61d7b1da5c66 |
| SHA512 | d92f995f9e096ecc0a7b8b4aca336aeef0e7b919fe7fe008169f0b87da84d018971ba5728141557d42a0fc562a25191bd85e0d7354c401b09e8b62cdc44b6dcd |
\??\pipe\LOCAL\crashpad_464_GKMPBEGZJCKBPTTH
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | e55832d7cd7e868a2c087c4c73678018 |
| SHA1 | ed7a2f6d6437e907218ffba9128802eaf414a0eb |
| SHA256 | a4d7777b980ec53de3a70aca8fb25b77e9b53187e7d2f0fa1a729ee9a35da574 |
| SHA512 | 897fdebf1a9269a1bf1e3a791f6ee9ab7c24c9d75eeff65ac9599764e1c8585784e1837ba5321d90af0b004af121b2206081a6fb1b1ad571a0051ee33d3f5c5f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | ae03743cf43d4fa7242d0c8a88d24054 |
| SHA1 | fc0311499facd644a135bd05defd7143a00e6b80 |
| SHA256 | a95bfb597b268ce6cd588a8ca8ddf3c4ba506da2505b92709d8412b559e739fb |
| SHA512 | 83574b79d9e0d9dff897f0d076d3628b4918ef75a1f7e0ce143809f31b80ebd5a055c6b990586e2a7e7519bb8d24d0a76fa6ed6f443707d91c94b9fc4b9025c1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | d631cb3c3e9bd49ba42f04e4cd24d635 |
| SHA1 | 69b0f74652d2645dcd407162077d7180c1b67ab0 |
| SHA256 | 92f817c88f2c04452c29cde8c4cc7066e33eba636846f26492fd4b30b8c63ea9 |
| SHA512 | e7ea3f8f2fcf1f08fcb130b80c86d05b5ddde683c618c531e3d3425262e9f9493a219095561e196e7cf0a18b1b45621c187aa9be88846310791e83857f461e3d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | cc6299d3bb6b923e854d7893b6800965 |
| SHA1 | 6353c20bc0de8cdc146257f7817780bc54ad9db2 |
| SHA256 | 305ddbc1f07465a5f5e03760f8686b613f8c63ebcdc5fbc35d0abab9810f6737 |
| SHA512 | 71b4c4c8a0c0b6c913fac5bbcf7e6129b641a4e249709f41cf6e720201518460c25c311973d4047b76d5ad35ff1b40936c969c283645c18381dd1732110f29fd |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | ce69e84cc44292eaa6025536f64052ee |
| SHA1 | 44b7ef1805ca85791dfaab8edfe1fe08b8bdcc1e |
| SHA256 | e48dee6aa4d0954685dd606dd1143112cfd5c55ddc78820b8888a5da2f375a0d |
| SHA512 | 755163b3c8774caf7d784110a75f0f16aeed6e1721922c8b9f20645ae6be48806135d3595baf49976441ca62393aa0f5315134a359e46cdd9c273e7da147e737 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\539d9752-bcb3-4d7a-af07-36f0a4536af0.tmp
| MD5 | 0ec3cc8faabb96be0aaeed8b56c66525 |
| SHA1 | d4cc9e7c2e3aa82ed6568b3b6c3869f12649cc74 |
| SHA256 | 8614027f1c27dc319d8a0e02cff43b5f5e9e986fb7ea6ed14de1767392951208 |
| SHA512 | 672e834ece6065868fc36c4072cb6586477546b4b0783a01a0eec0c83f7e1890c54d5d24ba88980477ef683ecffec39eb35d59d47a7693ef7c7acb9152fcb206 |
Analysis: behavioral7
Detonation Overview
Submitted
2024-11-09 06:07
Reported
2024-11-09 06:09
Platform
win7-20240903-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\uninst.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\uninst.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2660 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Local\Temp\uninst.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2660 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Local\Temp\uninst.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2660 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Local\Temp\uninst.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2660 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Local\Temp\uninst.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2660 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Local\Temp\uninst.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2660 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Local\Temp\uninst.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2660 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Local\Temp\uninst.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\uninst.exe
"C:\Users\Admin\AppData\Local\Temp\uninst.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 264
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-11-09 06:07
Reported
2024-11-09 06:09
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
95s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\uninst.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\uninst.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\uninst.exe
"C:\Users\Admin\AppData\Local\Temp\uninst.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1992 -ip 1992
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 456
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 06:07
Reported
2024-11-09 06:09
Platform
win10v2004-20241007-en
Max time kernel
117s
Max time network
95s
Command Line
Signatures
Floxif family
Floxif, Floodfix
Detects Floxif payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\e: | C:\Users\Admin\AppData\Local\Temp\5438fc72599780bfe9b69d20345706d403088e71f4e84b794636762cff8fbc8bN.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Common Files\System\symsrv.dll | C:\Users\Admin\AppData\Local\Temp\5438fc72599780bfe9b69d20345706d403088e71f4e84b794636762cff8fbc8bN.exe | N/A |
| File created | \??\c:\program files\common files\system\symsrv.dll.000 | C:\Users\Admin\AppData\Local\Temp\5438fc72599780bfe9b69d20345706d403088e71f4e84b794636762cff8fbc8bN.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5438fc72599780bfe9b69d20345706d403088e71f4e84b794636762cff8fbc8bN.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5438fc72599780bfe9b69d20345706d403088e71f4e84b794636762cff8fbc8bN.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\5438fc72599780bfe9b69d20345706d403088e71f4e84b794636762cff8fbc8bN.exe
"C:\Users\Admin\AppData\Local\Temp\5438fc72599780bfe9b69d20345706d403088e71f4e84b794636762cff8fbc8bN.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5isohu.com | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.aieov.com | udp |
| US | 45.33.2.79:80 | www.aieov.com | tcp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.2.33.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5isohu.com | udp |
| US | 45.33.2.79:80 | www.aieov.com | tcp |
| US | 8.8.8.8:53 | 5isohu.com | udp |
| US | 45.33.2.79:80 | www.aieov.com | tcp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5isohu.com | udp |
| US | 45.33.2.79:80 | www.aieov.com | tcp |
| US | 8.8.8.8:53 | 5isohu.com | udp |
| US | 45.33.2.79:80 | www.aieov.com | tcp |
| US | 8.8.8.8:53 | 5isohu.com | udp |
| US | 45.33.2.79:80 | www.aieov.com | tcp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files
C:\Program Files\Common Files\System\symsrv.dll
| MD5 | 7574cf2c64f35161ab1292e2f532aabf |
| SHA1 | 14ba3fa927a06224dfe587014299e834def4644f |
| SHA256 | de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085 |
| SHA512 | 4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab |
memory/4880-4-0x0000000010000000-0x0000000010030000-memory.dmp
memory/4880-6-0x0000000000403000-0x0000000000404000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsb706E.tmp\ioSpecial.ini
| MD5 | d82d41a8a348ec0403b04a929e74c2bf |
| SHA1 | b77c228c46346d07dd7a7e8da0590658897e8f5b |
| SHA256 | 1a39cb8860f7a42c54ff227ccc0da63980938ea39aabd0492d0ae0e460900c02 |
| SHA512 | 14f1c9ea160f0f9bf27c654bda3f94e0b71b5c8e7889b1dfd7e10d3da85f4e8e4e2eeaacfb31d448664a325a390833149579d26a99c9b6433c0bf44038fa450e |
C:\Users\Admin\AppData\Local\Temp\nsb706E.tmp\InstallOptions.dll
| MD5 | 99bc22826a0568dce241be3a4ffd0c0d |
| SHA1 | 62e4662250abdf10d23a61076fd7cbd00a5c5b6f |
| SHA256 | 120e4fac0538b7e7b75934706668063a4e7785d0405dca43fde36d55f6d968de |
| SHA512 | 35b016b6e2dc850e5432becd57f35faf73b180c0a6f822a406cf9d5439a87126c41c49aac025cdeecd38bbd01705ddbd8c217cb33134e978ecc9624053b52be9 |
C:\Users\Admin\AppData\Local\Temp\nsb706E.tmp\ioSpecial.ini
| MD5 | 902604958d262755b8a27b8db2051758 |
| SHA1 | f473c2711d3b9150383e813ae3a8e750a34589cc |
| SHA256 | ec4b56945c263b02180e8600e11a0e3f630b31f8bc43736b4c9b055c9c948536 |
| SHA512 | c9e9928c3de5fbdd7f6259f5437cd76975aa1a221cc7ea0537da71206a51f37e3a029c2b3ca1042bd6cc262dd276e44b951e2ef46bc94e84fef0c310661c5d82 |
memory/4880-95-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4880-98-0x0000000010000000-0x0000000010030000-memory.dmp
memory/4880-99-0x0000000010000000-0x0000000010030000-memory.dmp
memory/4880-104-0x0000000010000000-0x0000000010030000-memory.dmp
C:\Program Files\Common Files\System\symsrv.dll.000
| MD5 | 1130c911bf5db4b8f7cf9b6f4b457623 |
| SHA1 | 48e734c4bc1a8b5399bff4954e54b268bde9d54c |
| SHA256 | eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1 |
| SHA512 | 94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0 |
memory/4880-109-0x0000000010000000-0x0000000010030000-memory.dmp
memory/4880-115-0x0000000010000000-0x0000000010030000-memory.dmp
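The behavioral2 run above is the one that exposes the Floxif payload: two files written under Common Files\System (symsrv.dll and symsrv.dll.000, hashes in the Files section), repeated lookups of 5isohu.com and www.aieov.com, and connections to 45.33.2.79:80. The following is an added example, not part of the sandbox report, of how a responder would turn those rows into a sweep over host telemetry. The indicators are copied from the report; the log format and every log line are constructed for illustration, and the sample's own process and dropped-file paths are used only as field values.

```python
"""IOC sweep for the Floxif artifacts recorded in the behavioral2 detonation:
the two files dropped under Common Files\\System, the names the sample resolved
and the address it connected to. Example code added to the page, not sandbox
output; the log lines it runs on are constructed to look like Sysmon/DNS
telemetry and are not from the report."""
import hashlib
import re
from dataclasses import dataclass

# Indicators copied from the behavioral2 "Drops file", "Network" and "Files"
# sections. Paths are compared lower-cased and without the \??\ device prefix,
# because the report lists the drop both ways.
DROPPED_FILES = {
    r"c:\program files\common files\system\symsrv.dll":
        "de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085",
    r"c:\program files\common files\system\symsrv.dll.000":
        "eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1",
}
C2_DOMAINS = {"5isohu.com", "www.aieov.com"}
C2_ADDRESSES = {"45.33.2.79"}

# Constructed sample telemetry (not from the report). Lines 1-3 mirror what the
# behavioral2 run did; lines 4-5 are benign decoys; line 6 reuses the drop path
# with a different hash to exercise the "inspect" branch.
SAMPLE_LOG = """\
2024-11-09T06:08:01Z host=WS01 event=FileCreate pid=4880 image=C:\\Users\\Admin\\AppData\\Local\\Temp\\5438fc72599780bfe9b69d20345706d403088e71f4e84b794636762cff8fbc8bN.exe target=C:\\Program Files\\Common Files\\System\\symsrv.dll sha256=de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085
2024-11-09T06:08:02Z host=WS01 event=DnsQuery pid=4880 query=5isohu.com
2024-11-09T06:08:03Z host=WS01 event=NetConnect pid=4880 dst=45.33.2.79:80
2024-11-09T06:08:05Z host=WS01 event=DnsQuery pid=1200 query=www.google.com
2024-11-09T06:08:06Z host=WS01 event=FileCreate pid=1200 image=C:\\Windows\\explorer.exe target=C:\\Users\\Admin\\notes.txt sha256=1111111111111111111111111111111111111111111111111111111111111111
2024-11-09T06:08:07Z host=WS02 event=FileCreate pid=3344 image=C:\\Windows\\System32\\msiexec.exe target=\\??\\C:\\Program Files\\Common Files\\System\\symsrv.dll sha256=2222222222222222222222222222222222222222222222222222222222222222
"""

# key=value pairs whose values may contain spaces (Windows paths do).
KV = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line: str) -> dict[str, str]:
    """Split one 'key=value key=value' line into a dict."""
    return dict(KV.findall(line.strip()))


def normalize_path(p: str) -> str:
    """Lower-case and drop the NT \\??\\ prefix so both spellings match."""
    p = p.strip().lower()
    return p[4:] if p.startswith("\\??\\") else p


@dataclass(frozen=True)
class Hit:
    line_no: int
    pid: str
    reason: str


def sweep(log_text: str) -> list[Hit]:
    """Return one Hit per log line that matches a behavioral2 indicator."""
    hits: list[Hit] = []
    for n, line in enumerate(log_text.splitlines(), 1):
        ev = parse_event(line)
        pid = ev.get("pid", "?")
        kind = ev.get("event")
        if kind == "FileCreate":
            path = normalize_path(ev.get("target", ""))
            expected = DROPPED_FILES.get(path)
            if expected is None:
                continue
            seen = ev.get("sha256", "").lower()
            if seen == expected:
                hits.append(Hit(n, pid, f"Floxif drop {path} with matching SHA-256"))
            else:
                hits.append(Hit(n, pid, f"Floxif drop path {path} but SHA-256 differs; inspect"))
        elif kind == "DnsQuery":
            name = ev.get("query", "").lower().rstrip(".")
            if name in C2_DOMAINS:
                hits.append(Hit(n, pid, f"DNS lookup of Floxif domain {name}"))
        elif kind == "NetConnect":
            addr = ev.get("dst", "").rsplit(":", 1)[0]
            if addr in C2_ADDRESSES:
                hits.append(Hit(n, pid, f"connection to Floxif address {addr}"))
    return hits


def sha256_file(path: str) -> str:
    """Hash a file on a live host for comparison against DROPPED_FILES."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


if __name__ == "__main__":
    for hit in sweep(SAMPLE_LOG):
        print(f"line {hit.line_no} pid {hit.pid}: {hit.reason}")
```

The path match is deliberately separate from the hash match: a symsrv.dll at that location with a different hash (line 6 of the constructed log) is still worth a look, since the report shows the sample writing the same file name on both Windows 7 and Windows 10, and a hash mismatch may simply be a different build of the same family.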
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-09 06:07
Reported
2024-11-09 06:09
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
95s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5064 wrote to memory of 2884 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5064 wrote to memory of 2884 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5064 wrote to memory of 2884 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2884 -ip 2884
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 624
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
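The "Suspicious use of WriteProcessMemory" rows in behavioral7 and behavioral4 both describe a parent writing into a child it has just launched: uninst.exe (PID 2660) into the WerFault.exe instance started for its own crash (whose command line carries -p 2660), and the 64-bit rundll32.exe (PID 5064) into the SysWOW64 rundll32.exe (PID 2884) that hosts the 32-bit InstallOptions.dll. Neither is process injection. The following is an added example, not part of the sandbox report, of a triage check that classifies such events by correlating the WerFault -p argument and the system32/SysWOW64 pairing. PIDs and command lines for 2660/2692, 1992 and 5064/2884 are taken from the report; PID 1300 and its explorer.exe target, and the event from PID 4880, are constructed to show the fall-through branch.

```python
"""Classify sandbox "PID A wrote to memory of PID B" events. A crashing process
starts WerFault.exe for itself (the -p switch names the faulting PID), and the
64-bit rundll32.exe relaunches the SysWOW64 rundll32.exe to host a 32-bit DLL;
both produce the parent-to-child write the signature reports. Example code
added to the page, not sandbox output. PIDs 2660/2692, 1992 and 5064/2884 come
from the report; PID 1300 and the (4880, 1300) event are constructed."""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

# Matches "-p 2660" but not "-pss" or "-ip 1992".
FAULTING_PID = re.compile(r"(?<!\S)-p\s+(\d+)")


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str
    cmdline: str

    @property
    def name(self) -> str:
        return ntpath.basename(self.image).lower()

    @property
    def is_wow64(self) -> bool:
        return "\\syswow64\\" in self.image.lower()


def faulting_pid(werfault_cmdline: str) -> int | None:
    """Return the PID named by WerFault's -p switch, or None if absent."""
    m = FAULTING_PID.search(werfault_cmdline)
    return int(m.group(1)) if m else None


def classify(writer: Proc, target: Proc) -> str:
    """Explain a cross-process write by the launch pattern it belongs to."""
    if target.name == "werfault.exe":
        fp = faulting_pid(target.cmdline)
        if fp == writer.pid:
            return "crash-report: WerFault.exe launched by the faulting process for itself"
        return f"review: WerFault.exe reports PID {fp}, not the writer {writer.pid}"
    if writer.name == target.name == "rundll32.exe" and target.is_wow64 and not writer.is_wow64:
        return "wow64-relaunch: 64-bit rundll32.exe started its 32-bit counterpart"
    return "review: cross-process write not explained by a launch pattern"


PROCS = {p.pid: p for p in [
    Proc(2660, r"C:\Users\Admin\AppData\Local\Temp\uninst.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\uninst.exe"'),
    Proc(2692, r"C:\Windows\SysWOW64\WerFault.exe",
         r"C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 264"),
    Proc(5064, r"C:\Windows\system32\rundll32.exe",
         r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1"),
    Proc(2884, r"C:\Windows\SysWOW64\rundll32.exe",
         r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1"),
    Proc(4880, r"C:\Users\Admin\AppData\Local\Temp\5438fc72599780bfe9b69d20345706d403088e71f4e84b794636762cff8fbc8bN.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\5438fc72599780bfe9b69d20345706d403088e71f4e84b794636762cff8fbc8bN.exe"'),
    Proc(1300, r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe"),  # constructed
]}

# (writer, target) pairs: the first two are the report's signature rows from
# behavioral7 and behavioral4; the third is constructed.
EVENTS = [(2660, 2692), (5064, 2884), (4880, 1300)]


def classify_all(procs: dict[int, Proc], events: list[tuple[int, int]]) -> dict[tuple[int, int], str]:
    return {(w, t): classify(procs[w], procs[t]) for w, t in events}


if __name__ == "__main__":
    for (w, t), verdict in classify_all(PROCS, EVENTS).items():
        print(f"{w} -> {t}: {verdict}")
```

The behavioral8 run shows the same WerFault pattern without a WriteProcessMemory row: the "-pss -s 408 -p 1992 -ip 1992" instance and the "-u -p 1992 -s 456" instance both name uninst.exe (PID 1992) as the faulting process, which is the correlation the helper relies on.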