floxif | 59e2872672c858df6dcfb606109c1e95ac0d8333580fc5600156965c8abd2ad1

Analysis

max time kernel
142s
max time network
152s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11/12/2024, 21:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe
Size

4.0MB
MD5

aec4b68ffac39a68dced030a07bfde7f
SHA1

4360289f45f613e38e9e1f24f21ccf829e9b5762
SHA256

59e2872672c858df6dcfb606109c1e95ac0d8333580fc5600156965c8abd2ad1
SHA512

0544706701d10337ed4f74e2573dc82973d0e5343c53018ce7c688d97b041f0f40b18087322d619cc6ac9615b7bd26c365ee74caea6eb8f4a7706d99c0cb623e
SSDEEP

98304:YhJXr+RrhCBP8TWfAGRke/1iACNdCNRPK2b8TP:YzXixkBPAWlRkeYdChu

Score

10^/10

floxif adware backdoor discovery evasion persistence stealer trojan upx

Malware Config

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif

Detects Floxif payload 1 IoCs

backdoor

resource	yara_rule
behavioral1/files/0x000a0000000122ea-1.dat	floxif

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000a0000000122ea-1.dat	acprotect

Loads dropped DLL 3 IoCs

pid	Process
2112	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe
2112	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe
2112	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\IDMan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe /onboot"	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper"	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1"	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper"	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1"	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a0000000122ea-1.dat	upx
behavioral1/memory/2112-3-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2112-11-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2112-21-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2112-692-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2112-741-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2112-746-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2112-752-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2112-1204-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\IEShims.dll	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe
File created	C:\Program Files (x86)\Internet Explorer\IEShims.dll.tmp	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\IEShims.dll.dat	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe
File created	C:\Program Files\Common Files\System\symsrv.dll	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe
File created	\??\c:\program files\common files\system\symsrv.dll.000	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Modifies Internet Explorer settings 1 TTPs 59 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000060416888a78c52438b3ef71448cdbbe9000000000200000000001066000000010000200000002ade5013c9d2aa9d39fd326f493d82b869c61d90747d7d18382fd21878998a1c000000000e80000000020000200000006468eb6e7e708e948791ed1ab10d437e6bdfcc4511b404e004ea5c262f940a6d200000001de6f7bbd1b97f156c2b1888fa65a97e039efd591ba72f588c2fc8930bf7035540000000f6eaf6e572e8d05b3674fdbdd91b2deab28ac64ac88c870ef9bfa7d6e51920fa74f6f857bce1b2f6f95acb9b2646b6749cf17acb1ce55bd096b310b8861f2168	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\Policy = "3"	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppName = "IEMonitor.exe"	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp"	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\MenuExt\Download all links with IDM\contexts = "243"	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp"	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppName = "2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe"	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000060416888a78c52438b3ef71448cdbbe900000000020000000000106600000001000020000000dad51c2d505f92c504c557b92532a4d3b83fb65ee095576262c773d221d99f41000000000e80000000020000200000002d4934d98447d608f983afc4bcbcc710b7820093fea5ca1e842cb5ac3a9225a5900000006494cada6e75ab16ae65a187ebeac3d68e1165ef5376a01d5279eaf1b989f317459fb5e2b6931d6ecb1c2408186a42f3738f2a2beb09c77aa3a4381e9de4c35834c7659443e42bbfd37ae44c4e0cd8d24c81861e96fb4376bd5dd609be2e75386b4561114f520cfc0001e9a4155338cc27f38bf4282a69b325a54141f42a6b091bfa665878c5b000702501e29e8ee2f940000000ad7abcdf57c597ac9b057f4dec9db26f0f4c97bb312fb71e31a85249325e07a8214347a18ac170f2a011ccb5091a299efab18d5c5cb1faf739b24649d4194f13	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IEExt.htm"	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\MenuExt\Download all links with IDM	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\MenuExt\Download all links with IDM\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IEGetAll.htm"	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp"	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\Policy = "3"	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM\contexts = "243"	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppName = "2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe"	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\Policy = "3"	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0db2571764cdb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9A7F0051-B869-11EF-9C5B-523A95B0E536} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Low Rights	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "440156785"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe

Modifies registry class 17 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Wow6432Node\CLSID	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\RunAs = "Interactive User"	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ROTFlags = "1"	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Wow6432Node	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\AppID = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}"	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe"	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}\Therad = "1"	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}\Model = "346"	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID\ = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}"	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan.CIDMLinkTransmitter"	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan"	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2112	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe
2112	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe
2112	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2112	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2112	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe
Token: SeRestorePrivilege	2112	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2112	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe
1564	iexplore.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2112	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
2112	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe
2112	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe
2112	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe
2112	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe
2112	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe
2112	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe
2112	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe
2112	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe
1564	iexplore.exe
1564	iexplore.exe
1860	IEXPLORE.EXE
1860	IEXPLORE.EXE
2112	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe
2112	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe
1860	IEXPLORE.EXE
1860	IEXPLORE.EXE
2112	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe
2112	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 3008	2112	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe	32
PID 2112 wrote to memory of 3008	2112	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe	32
PID 2112 wrote to memory of 3008	2112	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe	32
PID 2112 wrote to memory of 3008	2112	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe	32
PID 2112 wrote to memory of 3008	2112	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe	32
PID 2112 wrote to memory of 3008	2112	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe	32
PID 2112 wrote to memory of 3008	2112	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe	32
PID 2112 wrote to memory of 1564	2112	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe	33
PID 2112 wrote to memory of 1564	2112	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe	33
PID 2112 wrote to memory of 1564	2112	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe	33
PID 2112 wrote to memory of 1564	2112	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe	33
PID 1564 wrote to memory of 1860	1564	iexplore.exe	34
PID 1564 wrote to memory of 1860	1564	iexplore.exe	34
PID 1564 wrote to memory of 1860	1564	iexplore.exe	34
PID 1564 wrote to memory of 1860	1564	iexplore.exe	34
PID 2112 wrote to memory of 372	2112	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe	35
PID 2112 wrote to memory of 372	2112	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe	35
PID 2112 wrote to memory of 372	2112	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe	35
PID 2112 wrote to memory of 372	2112	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe	35
PID 2112 wrote to memory of 372	2112	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe	35
PID 2112 wrote to memory of 372	2112	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe	35
PID 2112 wrote to memory of 372	2112	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe	35
PID 2112 wrote to memory of 2368	2112	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe	36
PID 2112 wrote to memory of 2368	2112	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe	36
PID 2112 wrote to memory of 2368	2112	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe	36
PID 2112 wrote to memory of 2368	2112	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe	36
PID 2112 wrote to memory of 2368	2112	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe	36
PID 2112 wrote to memory of 2368	2112	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe	36
PID 2112 wrote to memory of 2368	2112	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe	36
PID 2112 wrote to memory of 2004	2112	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe	37
PID 2112 wrote to memory of 2004	2112	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe	37
PID 2112 wrote to memory of 2004	2112	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe	37
PID 2112 wrote to memory of 2004	2112	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe	37
PID 2112 wrote to memory of 2004	2112	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe	37
PID 2112 wrote to memory of 2004	2112	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe	37
PID 2112 wrote to memory of 2004	2112	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe	37
PID 2112 wrote to memory of 1400	2112	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe	38
PID 2112 wrote to memory of 1400	2112	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe	38
PID 2112 wrote to memory of 1400	2112	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe	38
PID 2112 wrote to memory of 1400	2112	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe	38
PID 2112 wrote to memory of 1400	2112	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe	38
PID 2112 wrote to memory of 1400	2112	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe	38
PID 2112 wrote to memory of 1400	2112	2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe	38

C:\Users\Admin\AppData\Local\Temp\2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-11_aec4b68ffac39a68dced030a07bfde7f_floxif_icedid.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMShellExt64.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3008
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.internetdownloadmanager.com/welcome.html?v=635b09
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1564
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1564 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1860
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMShellExt64.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:372
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMIECC64.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2368
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMGetAll64.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2004
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\downlWithIDM64.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\System\symsrv.dll.000

Filesize
175B

MD5
1130c911bf5db4b8f7cf9b6f4b457623

SHA1
48e734c4bc1a8b5399bff4954e54b268bde9d54c

SHA256
eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1

SHA512
94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d48ee794a5428e1eb9b9e745b29abb9e

SHA1
1d121c8adec8c3d64e18a7c6d863a0d3ca05fdbe

SHA256
5ba1fc7b442729b00607f1b748ac2f13659dce4b2d11b9a84ac165c58f033968

SHA512
3456f6979836729239885b3886ce90cedc48eefbe558259030e956af8da934cc0a5dccd32f4e8528060a464b5ac0b1cdd0fe1274c9e3c61af6ac1fa0ba24f9aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a0f2627c428b1daa7166b62a562143ef

SHA1
465eba2c7ff5579d0207114443c566f87199608a

SHA256
549974c203cb844380b825a48a8a20e84d668c443305736174a7ac298bb7eee0

SHA512
5546c22fc0219b5072c1fe2b8b6f4896b3c69143c36beefe961675c61d3248c60cde35d308b17c73b0d3fc3dc3499fe56a3fbf976a61478958342129fa8d41c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
48b785460aa42b7281a7b9d8f5952ddc

SHA1
489217c2bec74c1a3878cffa8bebfb141d349340

SHA256
007c8ebded1cb29f6431d069a2436b73dc5076591363a2b69781e43dbbd8ec9e

SHA512
336e262d5df2570e86d9e743308ba343c22f4fc88767b89c025f957f42d852cfe594d6f8684e9a0f3785b284e49af7e9b7e64d75220ec8c1207cc1c5cb4d1cb2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2f0e1d276d978d37fbe227cfbfe8c064

SHA1
81e2ed01b4752079e49fb10f70adcbf5b74e8e92

SHA256
05df5f54d5453035fb892d6ba2e5d0eb8ca8dd7ea1a8c891d0858d61ceb988f9

SHA512
d4ee65ed96508cdf5179acc561c52e783e9b2aeb84a91ef8424dca1db77428eb754c8387df74e2ced38cacd43478f548b44130ee948876ecb5ac184d1e5012ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0ae2d007793834a769bd257dd0aa9a05

SHA1
e08f40964de72f8a1d3a5baafddfc01666380324

SHA256
ef1c3ae72d4264399140e609d2bcbf58762451a5663151c4d460f9d43b94983b

SHA512
838831d18265f12fc956580a8f3576d88506a7490f2e1bab0a82b305270ba2f04b97860112d96c369498cbc05d0559460e97ec50043142d0819306c82e13227c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d9ac579e18395680614e5af1b7dd8990

SHA1
2a2d383c45c171057b2e7d4ff110f2284e078032

SHA256
cdff4b87bf25fc8965f7fbf317822feca546d663882da259780a8b1b70aa5828

SHA512
2bc23544fcf4bf7c714246f69c20c829d3cda8a89ab9a3edc154e4ba0dde9942157dccd80b9ad578731e991a85c76329bf3a09a1e4cf64a8960d7ba1ca6ad6cc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a188a271484d3f9b16903ed32a65a8c1

SHA1
be12cc4ebc27fbf29c5ecadd8714ddc20657209e

SHA256
e2d72c98f4395e8f5630d1bcf765c65247b9d6467d62c7f0cb4e816321a1f3e0

SHA512
158bdef344d82c2fde0eab3dea832d84684124771d4da9553c117e1dc9134cd2e73a4f15f6e84d909af2bcecfda7099848188e7706c5ce96d2a3762f7393b041

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4947784ad32cc2730f11879b11070041

SHA1
b17a5159e1f1e0edc0e0dff2c1f3c6737ec9a53b

SHA256
c96fa14bfaf7110464ccc6fc437f9d6e66902cc1025db31a3e1047ed101ca60e

SHA512
1d5cbffc778dc0a336d5fcb46919e4d3da42cca2520ef97f8ff19e04d7a3652cd46386e7332c8c0aad3c812f99699d7d0a74c24ebd76dc770a82fef36d0d51a5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5c0e837e3c62713172fa5eb8782f1831

SHA1
aa86cfb52da8134929442a86f81039c50b876f47

SHA256
a3f861f07158ccaebb365cd904d30605fa5c501a4bcd9b13900865689997a643

SHA512
f2f597c407c02e4b4e286b88da51cbcb42942d2107ff83b2cab6566ea2185087a6cee909c93682737130974608e2b05123b31eeceef4d8f0c7eb812f219f2e1f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0ba0cc367bab14dadc2bd55e49a8248c

SHA1
93f466f6af62ac24b581534b47b357f6a4e67a01

SHA256
754d916311ee76d75add4736ce2e7133a8ec295db33ec2814471ccfa2add002e

SHA512
779342df39a50195613e3cd5ab913419c7b3220ab983e33b18001531593661ca19808015b4c1873b82e3e5445d68c390f3e39ff94dc340df81335bd83c34343d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
84f0774a4ced2cd2062d95ab65b4cf2f

SHA1
4e7a3880a395487e77a77052dcffbac223e571d0

SHA256
5147514f137e82a3ce817260cf5bdd9e80a53cc41990df969a1571593e2d3db3

SHA512
f4a03375ababfea3fa94c9ab79e242472d4006d1da538024af1d33fc52e148db0d170900846f43621494a77e7491f34a4aed0a986f8b64dde79d2689b8e19486

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1c8275bedbab578f724894dd2c5ab9ce

SHA1
3a54c9bd9f8c9fda5889388f2c63b5287b79194b

SHA256
be7bf15aabacb014449f61e2a2b39b068ce7cd1074871894197c6a58d8bc2232

SHA512
fb0071b36667be3c70aa58852e6acc69ade1815bbd026e507c79ccabbd7a39b7e321a246de478b8840a7e388a9d419dbadaf577f1e0b008199ac1ff8b56ed915

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
03d689860617193d0f1b8522044fd5dd

SHA1
7f0e44bc0c01efa29d2bae47f656348a5fda7134

SHA256
ef3f9fa2abdb3b244ae90212fe6d461479ce085c0574882d96ce0659232d82e8

SHA512
d3da9bcb5c3ae75f5f974c71cf96375c37a507a42cac4a332a0cb7f0fbae902fe6169382726a9dda213c0bf3732dfd8d84ce0bc0a127312ce47df9ef42dde22a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7ee5368557c05ab97869d550b655163a

SHA1
4e5b47ed5ccf5b5d4b4df70ebd3ca12a111fb88f

SHA256
c7e281eb2c98272c5131c710cd146ca26310f073437498db4dd1af5a9a88085e

SHA512
f436de76ca283abff1ed6c3b69375fe8d643e6d41dd7e068f5c962afc6f99fd0c54c310747c80428b3cf75ab93a05c57f93927ef83fb9e21537a83f91b7a72d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dbcce03fa52f495d4c373e2a660706a6

SHA1
ab24eabc558789d6ce2b927407ce8ac44259c256

SHA256
b2519efc2527848c3e5fc3602871a234096d124b1364e06352178c425dea26b5

SHA512
04dae3705b7eb8023623f14cb900147742c1e6afea97dea9b22222e8b6f97f28970144450f0cb08a2df4009c675cd30d8aae0ba2bd68b1b36912353b2c7fef9a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d3e7e20e67a33f407976ba49f094a514

SHA1
101bb099784310c15311a473eba98d5a0e3e894e

SHA256
8da7868a14ed73186fda1d87f7c01de150be3ea8b35a8602988cfb1e03559e72

SHA512
de10b75ecae8008b819cec3150231e697e6264b06dafb89f980f75f17adc93457d4987a237f3c788dd75c4c02eb09b724a57df6004fa95bf2ffb1f016cdd59c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
774353e90fee6b91736cf77af4a04479

SHA1
d9350229319d15b21b314840c22164a409657b65

SHA256
beb927827e24d3a6836d8b1193fd69eb11840f3e2e49d423b2813f2b1d1ea270

SHA512
61f4dcf94e5f1b06827093fd54b3bbe349dfac8a414df31c66e567d67cbc4dc6fc1cc8fed0de5054a1b95e4cfcbc7488944366fd49bf62faf4162cf0ceddcee4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
524d2a9b207472326da05c5a42c1c973

SHA1
79e56e13c57239f889a623c399b2b64881bd117c

SHA256
73ccda5c4930f2f828b87dc774b0feea18f4e1572591583bfb22d64aa79812bb

SHA512
c7212a6269cd3c28a1ec2e127499c6dc0431a0eda32f9ac757a7b76365b04113d5e5e8be637d1925b7dfc4baf7d0162dad243443934d807bb28cedb63caf532c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b1e857b87d0411af0dc34ea46e00b404

SHA1
201d764fc3dd8f430f57e4500fcbae6d349d44e2

SHA256
b83e0ea2e0751c0b39dbe05811253ae80d51deb6bfeb0e1a4d155c2909af9d63

SHA512
0205a072e452df1fbb2ebc99abf4653fc1604d7b02c5364a11d97b26f7ce269e233acf28aa2f7e3fdc002db49902a61e9a3e50b9f308c7f02d18db7299ffb6ec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9ed83d0196b561eabae02c65005dd173

SHA1
3b57170d574ae32f295f09c2b67f0e88e583760f

SHA256
ddce86789460dc8d89953c7f589a812630faa3d1440624fbdccfc1184b693e2d

SHA512
ece96dbc864364efd488794045944ea96ec4b7f7c30746251ab4db2368834a0eeef766f55e28e721a35155c3c935ee766f8b2758ddbac38a7863fb3fd88bdd66

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
621e6d41a300c7fd53d2a18314811b1f

SHA1
c5d87779eae603685247fc6fa22ac4e69735957f

SHA256
1453dd9ad0438200338a593e807579fa59a462f6ecf2e4f15fc23753d1e857cc

SHA512
7b5e0c516751346efb22632a67ff49f273a29d8c96b10b000281c3853b27b14241d6ab42a3489406a64c4ff21d193b595cf5c5937bb6c7de1cf7c53468cfab78

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4829.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar483C.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\YFG12VCA.txt

Filesize
102B

MD5
994203ad711e250c0161b4fd9e3433b8

SHA1
1f14342a00ee26c846550fc0503725e360679318

SHA256
57e55ebd9693dfdf66cfd0d6bf544a58a1a0a88a05495271c4c2170386babed9

SHA512
60ad31c31fdf080bd2cab24afd6097b3e08b779d400e13ea11058b477a49330c6d3baef634acc3250982a1de55675ccef57ec14e693884d6cdf3399d93ef1464

Download Submit
\Program Files (x86)\Internet Explorer\IEShims.dll.tmp

Filesize
313KB

MD5
5c2ac6a194eeae497ca5d7997fe3c904

SHA1
7e2da0308f811d674a10786c185cf405ce186e72

SHA256
e18890301f9d32c77a7234f1012f7e92d63e163bb262d67e0a94739007bb4e74

SHA512
645c0b6bbacf91fa0d93bcd8b77a2732ce96fd3e13731ff36c774beb7eb8cfe3c2bfea7c355991b5ecd07da0129afb6076315843ca4eebccf1a568f8a31e1b66

Download Submit
\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
\Users\Admin\AppData\Local\Temp\A1D26E2\3D7DAA0840.tmp

Filesize
3.9MB

MD5
12c938e554df25f111d6496b803b63d9

SHA1
6d8a46c75c4086712ce92d29f277f97bdab2e3fc

SHA256
a3743b9b5f02e664f15c324acb3609c5e05201f61c6f836d3f3a42822670c0f2

SHA512
37bd1cc5af5244f5b8fcfd1f7c3ee80384f2cb250bcf739a72ae223a3bfed397d0aed965ffd3c43271f93ea78615d022bd0726383279a9009921f68a6437de2b

Download Submit
memory/2112-15-0x0000000076E16000-0x0000000076E17000-memory.dmp

Filesize
4KB

Download
memory/2112-752-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2112-746-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2112-14-0x0000000076E10000-0x0000000076E45000-memory.dmp

Filesize
212KB

Download
memory/2112-741-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2112-692-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2112-304-0x0000000076E10000-0x0000000076E45000-memory.dmp

Filesize
212KB

Download
memory/2112-16-0x0000000076E10000-0x0000000076E45000-memory.dmp

Filesize
212KB

Download
memory/2112-21-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2112-11-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2112-10-0x0000000076E16000-0x0000000076E17000-memory.dmp

Filesize
4KB

Download
memory/2112-3-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2112-1204-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download