floxif | b04faa6567e08956c1cfc0fca0910c87ae8b6a97dae36165c4c15d08fa042bba

Analysis

max time kernel
143s
max time network
147s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 02:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Size

3.9MB
MD5

1951993d560b7dd6d051b87c4f49b588
SHA1

e0248566ae80986184d496d2188383e1b0660c42
SHA256

b04faa6567e08956c1cfc0fca0910c87ae8b6a97dae36165c4c15d08fa042bba
SHA512

bc33a8e809205993fbb5397f23e9abb64465a4fb225230b51b6d44b309af1a8330202f2193ee8b64aaccdb60233768dc3ba236b74508a75fa9fd9b2922a154fe
SSDEEP

98304:JFvGt+S27Q/2cUhEAtgsAK1nOMcPrPolb8TL:JUt+x7Q/2zPgsjW

Score

10^/10

floxif adware backdoor discovery evasion persistence stealer trojan upx

Malware Config

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif

Detects Floxif payload 1 IoCs

backdoor

resource	yara_rule
behavioral1/files/0x000d000000012263-1.dat	floxif

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000d000000012263-1.dat	acprotect

Loads dropped DLL 3 IoCs

pid	Process
2904	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
2904	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
2904	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\IDMan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe /onboot"	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1"	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper"	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1"	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper"	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000d000000012263-1.dat	upx
behavioral1/memory/2904-3-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2904-11-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2904-21-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2904-310-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2904-742-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2904-747-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2904-752-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2904-1201-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\symsrv.dll	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
File created	\??\c:\program files\common files\system\symsrv.dll.000	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\IEShims.dll	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
File created	C:\Program Files (x86)\Internet Explorer\IEShims.dll.tmp	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\IEShims.dll.dat	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Modifies Internet Explorer settings 1 TTPs 59 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppName = "2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe"	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppName = "IEMonitor.exe"	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "440996036"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\MenuExt\Download all links with IDM\contexts = "243"	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\MenuExt\Download all links with IDM\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IEGetAll.htm"	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A1B249A1-C00B-11EF-8B1E-52DE62627832} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Low Rights	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\Policy = "3"	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\Policy = "3"	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM\contexts = "243"	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b1319000000000200000000001066000000010000200000008e992c53bd64ef6cf34d32e0c173232db0bd855204cbda83dcb21a3c1e4db6a3000000000e8000000002000020000000589847274627c4c208284fcb902626790434dc8fe104db5eefb2816623b7ebe420000000a5b095ca3a85c002018a8e6f09d5c365ddc72b52766c6f07b3fb556ee4517ed140000000ea8f0099cf2aa2ba8eeaf064395d8adb706206c5453c6a0d3d422f204187d0b7389d929cbd054c9baad8f54cf7dd312eb9031f4a2a27a88550f2d72a387a202a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppName = "2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe"	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\MenuExt\Download all links with IDM	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IEExt.htm"	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp"	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b1319000000000200000000001066000000010000200000003478dd5f988a1f81b94de83a96495eda818125a4f31ae6d7572582b9a73c7654000000000e8000000002000020000000084ba42aba4b35fa0ae4b4f3c30f5f331d8d2d8a726c60009aac81fdba7ac437900000005af4d0eb4e3e8bbaf639374c982938e218f1fdf89a16061ef8aa96969e5ed2544617a10748301c0d7295aca7f6efa46ceeb89fb79e31c3b5f7a9772fecfc045ac91c2ffa207cf02ed3ec504f75383b5a8756247adbc5d57692d99d0b26eca49f3f1a550a70ceccf532602539da675accef731d7ef828654a692c804ebe2fe693bfa1c5d0778465744e26eb4e7d96499740000000e59e79eb716abfe49da73336d584da414855c73e82081612d7ab9812b971fad56c9dc9aaf04f7d6396f0ca2d31393f57808841db852f7dfaed53fe04df7ed7e7	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp"	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20bf9c7b1854db01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\Policy = "3"	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp"	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe

Modifies registry class 17 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan.CIDMLinkTransmitter"	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\AppID = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}"	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Wow6432Node\CLSID	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\RunAs = "Interactive User"	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Wow6432Node	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID\ = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}"	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe"	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan"	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ROTFlags = "1"	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}\Model = "356"	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}\Therad = "1"	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2904	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
2904	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
2904	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2904	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2904	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Token: SeRestorePrivilege	2904	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2904	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
1324	iexplore.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2904	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe

Suspicious use of SetWindowsHookEx 19 IoCs

pid	Process
2904	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
2904	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
2904	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
2904	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
2904	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
2904	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
2904	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
2904	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
2904	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
2904	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
1324	iexplore.exe
1324	iexplore.exe
1504	IEXPLORE.EXE
1504	IEXPLORE.EXE
1504	IEXPLORE.EXE
1504	IEXPLORE.EXE
2904	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
2904	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
2904	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 2588	2904	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe	32
PID 2904 wrote to memory of 2588	2904	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe	32
PID 2904 wrote to memory of 2588	2904	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe	32
PID 2904 wrote to memory of 2588	2904	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe	32
PID 2904 wrote to memory of 2588	2904	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe	32
PID 2904 wrote to memory of 2588	2904	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe	32
PID 2904 wrote to memory of 2588	2904	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe	32
PID 2904 wrote to memory of 1324	2904	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe	33
PID 2904 wrote to memory of 1324	2904	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe	33
PID 2904 wrote to memory of 1324	2904	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe	33
PID 2904 wrote to memory of 1324	2904	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe	33
PID 2904 wrote to memory of 2392	2904	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe	34
PID 2904 wrote to memory of 2392	2904	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe	34
PID 2904 wrote to memory of 2392	2904	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe	34
PID 2904 wrote to memory of 2392	2904	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe	34
PID 2904 wrote to memory of 2392	2904	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe	34
PID 2904 wrote to memory of 2392	2904	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe	34
PID 2904 wrote to memory of 2392	2904	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe	34
PID 2904 wrote to memory of 1092	2904	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe	35
PID 2904 wrote to memory of 1092	2904	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe	35
PID 2904 wrote to memory of 1092	2904	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe	35
PID 2904 wrote to memory of 1092	2904	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe	35
PID 2904 wrote to memory of 1092	2904	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe	35
PID 2904 wrote to memory of 1092	2904	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe	35
PID 2904 wrote to memory of 1092	2904	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe	35
PID 2904 wrote to memory of 2844	2904	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe	36
PID 2904 wrote to memory of 2844	2904	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe	36
PID 2904 wrote to memory of 2844	2904	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe	36
PID 2904 wrote to memory of 2844	2904	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe	36
PID 2904 wrote to memory of 2844	2904	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe	36
PID 2904 wrote to memory of 2844	2904	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe	36
PID 2904 wrote to memory of 2844	2904	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe	36
PID 2904 wrote to memory of 2152	2904	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe	37
PID 2904 wrote to memory of 2152	2904	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe	37
PID 2904 wrote to memory of 2152	2904	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe	37
PID 2904 wrote to memory of 2152	2904	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe	37
PID 2904 wrote to memory of 2152	2904	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe	37
PID 2904 wrote to memory of 2152	2904	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe	37
PID 2904 wrote to memory of 2152	2904	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe	37
PID 1324 wrote to memory of 1504	1324	iexplore.exe	38
PID 1324 wrote to memory of 1504	1324	iexplore.exe	38
PID 1324 wrote to memory of 1504	1324	iexplore.exe	38
PID 1324 wrote to memory of 1504	1324	iexplore.exe	38

C:\Users\Admin\AppData\Local\Temp\2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMShellExt64.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2588
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.internetdownloadmanager.com/welcome.html?v=631b8
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1324
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1324 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1504
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMShellExt64.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2392
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMIECC64.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1092
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMGetAll64.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2844
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\downlWithIDM64.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\System\symsrv.dll.000

Filesize
175B

MD5
1130c911bf5db4b8f7cf9b6f4b457623

SHA1
48e734c4bc1a8b5399bff4954e54b268bde9d54c

SHA256
eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1

SHA512
94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
84db09718086c2d25422789b74d29d3b

SHA1
0eda86d5b965785494ca705a0e4f691071d44e38

SHA256
d3783d90667e9d86ae96caaafd01fe5734472203847a0b50579ced6dc4cbfb03

SHA512
52f4707c736289699c276e4a7b3b948cc63388fd72cc43399c5806c450522979e569e278feeb6caec82e727e59b9a33a1eda979db92c81167e202db72cb3b5ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2311ed868642d4a5c1af86df3922f7ad

SHA1
04e2be9e8b44343219a4e0d5fe170dbc0b54bd25

SHA256
75f65e8a56e581be6ed08ec9d8309ca8a16344d52751d83775c931ef6c5086cc

SHA512
58faf30ef337332a12e2489120029cf6b015da57bc86129caf8aec1461bc9f7f90f9d9d3fc056abe363477d63993e6f02ccef5f1afc2c21cffc0cbb9d91c4a39

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1fc523d70b8fd1ca15fce07fec77d0f9

SHA1
bba10e849a9562440b74f6c96449885b3026b7f5

SHA256
ed27dac10f05431c00713c1a3b09afd39348b727ce0253fa61771f18f03357b9

SHA512
18341d7c46e985c03b9204490cf7c9c8d6cc7b3f895db5eba3d817f00bb6733eb3bb6cbd6d8b8a09fa3bb201757df22fa8ee41cae9be1684b2827952209de5d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3f575c978f62f3a19228a88fc05eba63

SHA1
3ed877b6c059ce358fead7a2fd53ed7c296cff3b

SHA256
77e787ae2734b4cf90e85c774cd6600393282b584824e5d1684c2bab5073b56e

SHA512
3af028add378659d4cfb829737f45183a9bad658828c000a75532800d1e577cc0e1d5096fa593c44b4695e74ed9fb14ddccf799cdad6d8c0b46bef9f941e7ee2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
afe6f9b3cff61acbe271f63749318a7a

SHA1
bfdc159f4385736a743a361d693f9cd1920c1095

SHA256
672d52df615b690a4d78a23ee62970d5fd26a4b603627f078bf6d7c1d01589e3

SHA512
e2296dbe01aa34f25741210b2cf43523c59ec57e9ad377e86d075b3e7302a057f271bf8ff74c079705667bf510c430815bbf2738ec464216f1ef1964fd53c9df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eb98ec3a368ef0e55c14e13903360e62

SHA1
dc81642a36a1f321c028663673592a93f2f61f48

SHA256
4d683bfdd32306a49495bb70d8a1db7a8212ed2a3dc95a46aa101dcef37baae9

SHA512
6436620c02585871db628202218543af2f39c6868b6c40139fe6dc87dde12e1c9c5b49c374fabf5cae2b08eb5a7646d1c527f3087599c7c2d4a87801f9312b66

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
558d3af9c211dfb29e3ebcfda277cd16

SHA1
46feacb8c716976e358a82572038332d8e743159

SHA256
aaf1b3a96d4b2b7966e3b12110f772bfe8b4c6e3de16074ed097c6a20c6c557f

SHA512
59250a58f3b68061aa903e3fa2c5359dba0f644c4cbbb3dd0a465ede9846405ddb120ef7ef96828989e684c15a3091d81ad8a1e63623e46ffcc8b680e69592df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0c4ce24f6876e1f7603b6143e89484b9

SHA1
d599cf3049db1ad2c58fc4862be3340e0dea77e1

SHA256
d68275b3d8b46d7d2b671361b4eced8affb811bbe01120f18834f2ef92d073dc

SHA512
09171de12329ea3f640e876aee949462d7b89761261653ecabd19dbc436d51b17736b18043586b5c122aa4eb32fba2abf5f1f96dac77d64ba4e5e8eb3249ffb1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
177c6dd8824f41d9f197ee00c564d0ee

SHA1
e16e63154df522af9fbbf0f5a77062978c701014

SHA256
60c0b9ef18946627970bfd699f0cbb0a1ecf2581a947f2aed51f79f45a2b3d2b

SHA512
0e8eacf069bbc2f02d56492ef93553a910e978eff3d8ca82bc39f64e1ce8ec02fdfe5d954d643683f35a04008257f63d481cb84bf56e2f662b06a315f810cecd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
da2b18b51935435dafcfa693c41773e6

SHA1
2a4669f8d676f4c89eb9a1fe2e17ff42464309ac

SHA256
a50822fd2c3ec5aa5bf891e76e8c0b2bb2c1cb42b2951b55580fff303d50aba9

SHA512
fe51bfc5e2275b25df26286887213e24eebf0605c357efdebcbf80269c3b5b1a72f7b8acb2a21a4f47624900f0e5c4d80d87da126efc44b97f2ae9bac9fa1185

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d445a5767cee6ddcaca910c17b66f19e

SHA1
6b1b8c7a65c51b629b52808f23e3dd3689ebe9be

SHA256
9337ea0788443fc743e76729252e953f45d1e6a1bad55049fcb5173178775021

SHA512
fe0e25a546ec283c1696b5b306edcbffd4c469c00645eab82d53feb91bac277fbe015fce61f42709b640ca3ae1da8efff42a8e299ac0bed80e85dfcaf7ce0700

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
06f057b7821237ac041f1c6c9b57001f

SHA1
ce1ea59ab7b0499915bd9b250cc3d66be0738bd0

SHA256
5730658129e91f9e47c56283203b32dc8d3fa2e9c5223e975548ea1f63d61e97

SHA512
2607b7abe77546a1675782d5d7f20ef2dbc03de1a1e98b20bf291b673f4833cd68c9ad7b9ff7acf7384b9cb819256d5678363821fa45771c8b6be38ea756467c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
038e7eb39d6cc9d38d4a06a16afd24ee

SHA1
b97d59f62f0d2ff4835664d5ff75bad4b0b5cfe0

SHA256
b4f1d508f17fe88596919f9b05e073f47502ff66edf28db21c0a65bde16f0d72

SHA512
d3bfd10d12f39b7cf9ce958f203d5a6fe9a20a69cb17997b2699fb49b062f6e64e6b0b0b70045720a68a04da76638e46d97e2809f6ec4fc91b04d9a666e2b006

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5b31c2cd99e62cb5c5b264a88cec9b52

SHA1
8920bf3e0d19c3bf4bda9075a398fb4b3c5d0a00

SHA256
45119f0c9a66778ee4ceb88e278cd5e2803b9d68dad6e7d822b8d2c7652fdf88

SHA512
59c62c3da25868259f9973c74407919ddfd5fdb55191fba18fae2f6abc95103f6b0713141c27a4bd0d9f69290a30f7cea3c6e57881cc87a23cc17b2511fde6b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
77ecc2102a661bd2b418d4f9c9357a7d

SHA1
c11a32bdd9db1685b54a16a5f9c44a2e5a762dc9

SHA256
bc1502bdb399eda8338862b76ede42848cdbd79c1ea0e3d1886be7196ad8791a

SHA512
213f78480456f4716cde66252ca41796eacd34c0d3c1efe766f9e07e44560a9ee4f408b810c6865150b26435b79a43e42089d068bb5b5394fdbaba915067d748

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
304d083205979167491af4d64a0fa8d5

SHA1
ac184b5731e636b300ccb384bca1f16a7f7385ca

SHA256
baec6cf6e741750b84a63ce481705f98d183deb49ff3a967400b1f32411f4850

SHA512
a5ffe89794d994dbcf31d9918392e2f87c5e898bccb8c6d9accb527ea23f79fd1559b2e7647fd0c556432889b67f585df6a4da5697cb09b0ceb09b8bc82194a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7d320c1d06f53faba6948916c66bebee

SHA1
e18ae387e79610b6da6e84541b433188566804d9

SHA256
d47f3487a978fe30df33086bb698b4969091e9849d4d78c513196566e428ecda

SHA512
a85a474fd6d811ce15820a43c34997f0afc33b73d1171b4b50a4175de76a981ad2b270520200d196e299ec8297a39bc081bcab8e641d3c5883d58d4a01114f85

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a50d9cbfe81fa2dd0ed4b4bf46fc463e

SHA1
6785cfe28873074c58abb8b154c3e712185787cf

SHA256
b9880310bf80cc50ecce231aaf86c88c248a536c9276c1810956eb59a1dd7f5a

SHA512
eac37b3cb157667bd75fbb2cca233f86d8207c5e1c022c8b700fdd0636e31789c505ddc24aa86601a253737bccca09d1b121f99c98685f3446124ce3305769aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7ea5f6c6ed918225f766171ad4fa8041

SHA1
7b21eaf46e6d402d62ba143091293120cdfc97b2

SHA256
c2dc31c045e9ecd7149cfa13b56a3e5cccdead3ac8f04a2051d72641bbbbe36f

SHA512
585d9578f8b79de4f6472b49066ac1f1388ddef805b0b9cb484117107dbcb076729072b40bbec675059fcf7d90f42539cdbdd79b0a35a0d92bb8d013c15fd689

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
01da96c040ec867b59de977ef74ba7f7

SHA1
b24ea9e64d2636023c00b8b7883bc511db0e528b

SHA256
b1cdfeae6321989b7c5e24e7589d03302f437c7706d82b22602cf1eeb6184d8b

SHA512
1a2dda77831f3df92c378e4a1dc7e5d45da2c6923766c51130ab9d1835f9c122f194677c59c4a23ac7173b5c97e54b4b373315bca42d8c055c6489045da2386d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB953.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB9E2.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\28G4LWMP.txt

Filesize
103B

MD5
a8b24df687ab5ba2958a8001e48f8761

SHA1
c56ce7a2c9c5700cfd42c9b5f3f9cc45b1801fa3

SHA256
b12b7a0a19f85d8977bbd3082461e0069273e55b9be1cf26da001e02c3ce570c

SHA512
a49ce1fa8396f3a3654825b9cb8ac3a590fd1b7fb895ee4fee37c28a87c5c014379e2de40cce9031db4b8334809fcb38dc35ee3a84fce293dc88e58dfe0ddb92

Download Submit
\Program Files (x86)\Internet Explorer\IEShims.dll.tmp

Filesize
313KB

MD5
24d01a79cb3b4f8689049784a6d1aa1e

SHA1
c149d101e93b5b64ca7d1efdfcf8521fcb1b6bd2

SHA256
2f055fac3828f8a10a879defaf056f3f7ef6c460dc93746905e6e8d3c46b606e

SHA512
99305cf980f97cef380af5c0746b18b6c23c6869bb86eb4c3c7d880e2d34a5607ed882d2f74f21e0986e22753d3bf0bbe497db98a0ca7a10c771506030cf5815

Download Submit
\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
\Users\Admin\AppData\Local\Temp\A1D26E2\ACE2B08B58.tmp

Filesize
3.8MB

MD5
6b737069dc7441ef7e9a2dcb18a30643

SHA1
24cbf7a1d7f6cc4e10a8bbe535430cd0c6314dca

SHA256
0f3a816ae13c157b3d55f7d7a5e37371c4eed99870af7b0dc1f0c3b5ba28e36e

SHA512
a248b8c6124000d4270b5b8cdae4776c58295fbac4058153fd0ad1fb5b27770b270f63f026fb17f02e5ac362b1639f6bfb6d8030075b899b71ef148335513bfc

Download Submit
memory/2904-21-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2904-16-0x0000000074FF0000-0x0000000075025000-memory.dmp

Filesize
212KB

Download
memory/2904-752-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2904-191-0x0000000074FF0000-0x0000000075025000-memory.dmp

Filesize
212KB

Download
memory/2904-31-0x0000000074FF0000-0x0000000075025000-memory.dmp

Filesize
212KB

Download
memory/2904-310-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2904-747-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2904-742-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2904-15-0x0000000074FF0000-0x0000000075025000-memory.dmp

Filesize
212KB

Download
memory/2904-12-0x0000000074FF0000-0x0000000075025000-memory.dmp

Filesize
212KB

Download
memory/2904-11-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2904-10-0x0000000074FF6000-0x0000000074FF7000-memory.dmp

Filesize
4KB

Download
memory/2904-3-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2904-1201-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download