floxif | b04faa6567e08956c1cfc0fca0910c87ae8b6a97dae36165c4c15d08fa042bba

Analysis

max time kernel
142s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 02:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Size

3.9MB
MD5

1951993d560b7dd6d051b87c4f49b588
SHA1

e0248566ae80986184d496d2188383e1b0660c42
SHA256

b04faa6567e08956c1cfc0fca0910c87ae8b6a97dae36165c4c15d08fa042bba
SHA512

bc33a8e809205993fbb5397f23e9abb64465a4fb225230b51b6d44b309af1a8330202f2193ee8b64aaccdb60233768dc3ba236b74508a75fa9fd9b2922a154fe
SSDEEP

98304:JFvGt+S27Q/2cUhEAtgsAK1nOMcPrPolb8TL:JUt+x7Q/2zPgsjW

Score

10^/10

floxif adware backdoor discovery evasion persistence privilege_escalation stealer trojan upx

Malware Config

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif

Detects Floxif payload 1 IoCs

backdoor

resource	yara_rule
behavioral1/files/0x000b000000012280-1.dat	floxif

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000b000000012280-1.dat	acprotect

Loads dropped DLL 9 IoCs

pid	Process
2400	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
2400	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
636	regsvr32.exe
2208	IEXPLORE.EXE
2644	regsvr32.exe
1036	regsvr32.exe
1752	regsvr32.exe
1612	regsvr32.exe
2400	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\IDMan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe /onboot"	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper"	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1"	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper"	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1"	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe

UPX packed file 19 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2400-3-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/files/0x000b000000012280-1.dat	upx
behavioral1/memory/2400-11-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/636-24-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/636-22-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2644-29-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2400-28-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1036-31-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1752-37-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1612-39-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1036-35-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1752-41-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2644-33-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1612-43-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2400-1094-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2400-1099-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2400-1102-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2400-1106-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2400-1557-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\IEShims.dll	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
File created	C:\Program Files (x86)\Internet Explorer\IEShims.dll.tmp	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\IEShims.dll.dat	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
File created	C:\Program Files\Common Files\System\symsrv.dll	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
File created	\??\c:\program files\common files\system\symsrv.dll.000	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe

Modifies Internet Explorer settings 1 TTPs 61 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IEExt.htm"	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp"	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppName = "2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe"	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp"	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp"	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\MenuExt\Download all links with IDM	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\Policy = "3"	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1583F221-C00C-11EF-9917-D686196AC2C0} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "440996228"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\Policy = "3"	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM\contexts = "243"	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Low Rights	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000129e66dfe759784a84b65a43f545d18100000000020000000000106600000001000020000000f47f7586f0044b8b2f94c80bd28c7b39718548e5add5d675a4bf5ba0b81e8866000000000e8000000002000020000000b46feb3916b3f3fd728f382130dcf0b6401daee288fe4bc226b5e92b2e0d5e3c20000000643dcde1ad793775db19e8cde06e76f4f2d18f04c4c2dc9afe1346184dcf261340000000c00b18b6806608c0644daf6474cf2ed837f7a1ff412de5923b67bb947a0e4697c7fba018c51bccf362b43c26890f2d55b067fee404841230bf88d41c3a59c9f4	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000129e66dfe759784a84b65a43f545d181000000000200000000001066000000010000200000008f7305c001a90b81e4dd1b8d5bc59f2648603101cde299b847302ee5d98cd9e2000000000e800000000200002000000030c8895403914eaa03cede2f532a56555fe760cc5ae93665ee385ffa352b760790000000653f94516a2063eb299a58e2116f2cc864c87ecd4ccdd86a0174da9e7fc2396ed0df1556edd7fdd812b2c30ab6904deaf5da019d14ba08abdc3a380dc7215acb9b78987e9595d6f588fb464d8e7d09275231915e128c938eb21c671486fea156ff6feb53ae218914f00a1b5d5a435898dd714345ae232329c6858c1800e871659f46e8663b070ad08779fc53241b8fd14000000003e533fdf854c534c513532b27fc0bd6336951b3e4674bce40f7b3ba83094267098e1b1ea731cf31129629c9be43a5ba19ad7b9f6ed8cb77129cf0f7e33287e8	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppName = "2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe"	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\Policy = "3"	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\MenuExt\Download all links with IDM\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IEGetAll.htm"	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\MenuExt\Download all links with IDM\contexts = "243"	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 800f5eeb1854db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppName = "IEMonitor.exe"	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe

Modifies registry class 17 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan.CIDMLinkTransmitter"	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\AppID = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}"	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan"	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\RunAs = "Interactive User"	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Wow6432Node	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Wow6432Node\CLSID	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}\Therad = "1"	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID\ = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}"	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe"	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ROTFlags = "1"	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}\Model = "356"	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2400	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
2400	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
2400	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2400	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2400	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Token: SeRestorePrivilege	2400	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
Token: SeDebugPrivilege	2208	IEXPLORE.EXE
Token: SeDebugPrivilege	2644	regsvr32.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2400	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
2468	iexplore.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2400	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe

Suspicious use of SetWindowsHookEx 19 IoCs

pid	Process
2400	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
2400	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
2400	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
2400	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
2400	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
2400	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
2400	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
2400	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
2468	iexplore.exe
2468	iexplore.exe
2208	IEXPLORE.EXE
2208	IEXPLORE.EXE
2400	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
2400	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
2208	IEXPLORE.EXE
2208	IEXPLORE.EXE
2400	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
2400	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
2400	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 636	2400	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe	32
PID 2400 wrote to memory of 636	2400	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe	32
PID 2400 wrote to memory of 636	2400	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe	32
PID 2400 wrote to memory of 636	2400	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe	32
PID 2400 wrote to memory of 636	2400	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe	32
PID 2400 wrote to memory of 636	2400	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe	32
PID 2400 wrote to memory of 636	2400	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe	32
PID 2400 wrote to memory of 2468	2400	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe	33
PID 2400 wrote to memory of 2468	2400	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe	33
PID 2400 wrote to memory of 2468	2400	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe	33
PID 2400 wrote to memory of 2468	2400	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe	33
PID 2468 wrote to memory of 2208	2468	iexplore.exe	34
PID 2468 wrote to memory of 2208	2468	iexplore.exe	34
PID 2468 wrote to memory of 2208	2468	iexplore.exe	34
PID 2468 wrote to memory of 2208	2468	iexplore.exe	34
PID 2400 wrote to memory of 2644	2400	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe	35
PID 2400 wrote to memory of 2644	2400	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe	35
PID 2400 wrote to memory of 2644	2400	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe	35
PID 2400 wrote to memory of 2644	2400	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe	35
PID 2400 wrote to memory of 2644	2400	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe	35
PID 2400 wrote to memory of 2644	2400	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe	35
PID 2400 wrote to memory of 2644	2400	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe	35
PID 2400 wrote to memory of 1036	2400	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe	36
PID 2400 wrote to memory of 1036	2400	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe	36
PID 2400 wrote to memory of 1036	2400	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe	36
PID 2400 wrote to memory of 1036	2400	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe	36
PID 2400 wrote to memory of 1036	2400	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe	36
PID 2400 wrote to memory of 1036	2400	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe	36
PID 2400 wrote to memory of 1036	2400	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe	36
PID 2400 wrote to memory of 1752	2400	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe	37
PID 2400 wrote to memory of 1752	2400	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe	37
PID 2400 wrote to memory of 1752	2400	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe	37
PID 2400 wrote to memory of 1752	2400	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe	37
PID 2400 wrote to memory of 1752	2400	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe	37
PID 2400 wrote to memory of 1752	2400	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe	37
PID 2400 wrote to memory of 1752	2400	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe	37
PID 2400 wrote to memory of 1612	2400	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe	38
PID 2400 wrote to memory of 1612	2400	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe	38
PID 2400 wrote to memory of 1612	2400	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe	38
PID 2400 wrote to memory of 1612	2400	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe	38
PID 2400 wrote to memory of 1612	2400	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe	38
PID 2400 wrote to memory of 1612	2400	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe	38
PID 2400 wrote to memory of 1612	2400	2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe	38

C:\Users\Admin\AppData\Local\Temp\2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-22_1951993d560b7dd6d051b87c4f49b588_floxif_icedid.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMShellExt64.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:636
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.internetdownloadmanager.com/welcome.html?v=631b8
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2468 CREDAT:275457 /prefetch:2
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2208
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMShellExt64.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2644
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMIECC64.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1036
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMGetAll64.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1752
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\downlWithIDM64.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\System\symsrv.dll.000

Filesize
175B

MD5
1130c911bf5db4b8f7cf9b6f4b457623

SHA1
48e734c4bc1a8b5399bff4954e54b268bde9d54c

SHA256
eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1

SHA512
94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
98996f35a8180752681f807d18d58a61

SHA1
f5357f56fd784716d1763959956a5e7852c04b49

SHA256
14e3334128afaedecb7c6c97befcabb95c50de6563d2327c9d12e413e87a2eec

SHA512
e1e3bb23a8e6eaea1bdf60eb8dcc0c70a3ad9ce2fcc73d45ba566acece5740d8587e0734099e2d04d44236766dc17f20d24040cc3635ac33ce9fc02006269ef5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e4d17293b315f93c89d9383229dd2823

SHA1
29f921d3fce4b4c2e3bb95e157f1ed6e0abdb4f4

SHA256
53404d44267dc9c02f2e41a806298f6be48e5d88ad0bde4f6d751d31843063de

SHA512
4930226b7bb4cfb4f0f1f1acb4c3c713f6e42bedb93a855a1a67e147b610de7260518d5522b78cce28536751cdba7a90a931f305ac78394aaa1d5e930a51865d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2f8c6b828785ffa0d2cde44c32f66a12

SHA1
ea68328a4c945c3194c84bbdbf477cb4d988f157

SHA256
9b14d5d17607c48baf46957f853ad1162099c2cc06e6ebb1a9e8cecfa075ecd3

SHA512
1d3466581b620fe5d34ca06a30269e4eca08cfb4949f334cf0751bdb46056015e8aca3bd8b22954a084a2409d514dd55afa4f6c763ca38ec16ba4594e2953591

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
af8426c8ee24757d3381f2764efefe22

SHA1
a94f95c4c35151fe17b75c379a4636ae064e46e7

SHA256
7a56d07f91636e3615dba01e263e2d3e276b68facf084da7d4924b7ba3395a56

SHA512
3e56756dc74c6587296a4ef8409e8914de6cddcde165689c5a24f5ee3259c42a1a2191220918f853fb9e57493633594aff22092cfaf37a60579778f4d1c9edc3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7cb29b9075b7a6b9301d06e868d67868

SHA1
1a7fb792bd569971fbaa02729b8a7b65917ede38

SHA256
9081b190f81ef75dee4f04ee114d4df291dbb3128a25ad4831896d81167966ec

SHA512
183918d7ef5433ffba89773554a4287e70ba0ce6b13a3edecd22fe49730891a1fc1e3be66bad92e05ad7b6018a6c72a23df3448e2af4ec9c64cf4765697c19e0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ca24dde854a5f2221c1b35ce5cce4455

SHA1
1b944d9d93faa06aa61b186db99dfdaf043c7a61

SHA256
b914bb74fe81b8f25439fd94898ceb74ff9d7186e5ed0c28a4aa6ca249528500

SHA512
39395a27a101f0025496e60a7e385796bf5689cff0a45fb669352343b10015b83fac4598ba47b42e7ae5cee35566add8e6c193e8ba46ff8ab41a7cc679c6abe4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fc014b02eb99c88887b818392b020735

SHA1
0249e679b161459fff5668f21d17bd6403a3059d

SHA256
9e5359f1881d334ea7aaf6002927938990dc5853824bd3133d23b07071b90d49

SHA512
000012a9c3eaab550a431962aabacdaab9b76d9da58c1629792093553b5e86deb9453a3293ecc5e2acf350d454f286bec7b58c72c3426d96243c87b0744e0560

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f4ba2a0ae4ab6591d71a97bc92a1b6b9

SHA1
200280ed80fe0169b11bf3ebb781980521b8a376

SHA256
ab3a72c894ffe72056ab9e0feea7e7c2f4aaf1700c264a0548be5a8c2f6b069f

SHA512
d4a889c99bf897148954e200df53ba589c5ef95d7909eefa9d3684a157aa191d11e99d364633f3bac635a49d9ccd35e574add329f96d94cf67b560937262920b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fe8d69a7ec481cb68664d002b70962bd

SHA1
dba9bda507dee3f26318bb44d2342651fe520899

SHA256
d851122b95491dcfa25e99784e59b667a7b18696abf2a5c969cbff8f62a4de7d

SHA512
44fa35cacb39c57447dff3b2b02f064253139fef3fad197fd20ebb609821a6cb5ac3eb4e322a66cff3186c68c6db11641ac64ea93373cd68f40b85b59f22c8dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
83fa22814251d4ba7e923d16a05a1ecb

SHA1
cd10dd647c84f41bb82f0b423a7c640cc8401f7d

SHA256
c4efa9b5b2b5d369d38f15ca98622776146fac6b807cf3880313591525a3e4bd

SHA512
ff1436ed4232fe096ba6237d5d01929c439756a0cb9862665cc152d4dd155153a4c0772f1064e5dae80833d1b2a525af29ced79c5cb7fcf01f244a5850e20e06

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
82040c1315b4d2cabdb537f236065fba

SHA1
fdb051ee55db38ced6e5b1ef86bcfbd21643a88b

SHA256
484c02a0c1e1da3ef1156bf1409ff82b395c2192e92220c1ca83c302f5e64f54

SHA512
714a169a876becc9929a71723ff938b8b14ea7ce1778295aa58c4e0917864c7df4bca124355fc79cbaaa30f9412eefdb1e4d5a6fcd3d6ec90d4f6669a383147a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b8a7e1ccc740b4a4846c99e2e9ee04ea

SHA1
7704cfa986e19450c0e5c3a4b9413dcd4233ab1d

SHA256
948cf9ce60c04b56ba9f4e395a5a47662e6746ca1ebf69f08a268c13b8d62cce

SHA512
0d84749d03845aacb2167a5a64d319969ed096e79a5a17d0c5d552ed86ab31ec8cbbc59c1a3d5d7e6a43687631b26e072083e8971d89e8e0fb1388bc34ccc55a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
98e718d660ed385fea87f9bb28fac9aa

SHA1
6842753662cdadd526bc6d12d022242d82a7a1fa

SHA256
e9bf519d7aebd2f409a75aa048e163bd0727a2be9f4b02f42857d6f239f66f09

SHA512
c3364118825807350153124bae087e3c1723fc333ad2eea1a2af7885da1b8a2c3f1eb918f09af44fec5b0c97e7d2e100250de86e95a9808b32a4c8c12e0a235f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5cbba46376e86ce79884654e9dc04a29

SHA1
44a86f7e2323ff6d3e11f2bae2ed9c20a914d3b1

SHA256
e2ae7a0cbdb64e859418550ca5f1d6084beaac61c89ccb5f2af3c79bdcbca86c

SHA512
311528fc8c3096a1ac7665723302e4a987279945b6df9cb0d25d764c44b67a8f9fa269eb1e71dd3645a4e52a51107107ce45b1ae2013d7742ff6d728b87ba350

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2ab276ef235d3c61b6f458b0ec7405df

SHA1
e3b0ee2ba3d50eb47c7426729f64d1399b4821ee

SHA256
bd92550c0f8e26bc863cbe4a6ee4457b10d558462146e0f3a03737a5622370ac

SHA512
f2e41f3619e5f3b924483341b58dccb6fede3f8c8854a493f7264047c62eaa92b099fc290968e33b33a22f0ab147db21a81e3af000034a29fceb6158f08c3042

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3a670a14763686ce79f279fce58aa89b

SHA1
41f32c3973b77d7c361503cab5b564ec79994034

SHA256
5cd67d1318bf3b5c993fe5e5ac02c3b94a3484b1ee2603d7459f1aa9f08eda96

SHA512
2d2a8a69fe0040e869324d0c87fb16e2c748597860442f7aa4bce75564041ccebe4cfb59d2462ea588f0035a1a0f3e259f509cf96b8d93337b3b0c818592b15d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eccf5aac33d2fa66b16bde1841beca65

SHA1
8318a35955df2090ef34f5ad9d678002fb4cb87d

SHA256
acf92d893e0176e039210fc0f7fcae2f7beaa114f07f6bb01eeea46bf5afefaa

SHA512
5da486e6d78262bebb9da7e92a014955529790f2692a055c90ec9b3611d5e5e58b2683f3d725043a5d3c7b78947233f404f15a78d3d328c90b9bfc7dbef408b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
04825bbcbe7d7d1386498d22aa713cbb

SHA1
0bb73c1bb6554444c6ba2db5a685b34e85ff3d99

SHA256
4a9f04e4c209f6ef8b607106da88cc7cc589429b487e1133a4267cca784ed56e

SHA512
ba6e38892da028954f1803e3466b3a2b591e879b4ba46b158eb01ffa325665e56b85727b4dd17b6e49aeef9ad2c8753eeab09eb5cc7101b3fabd472702a2be92

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
96d85e7932da2f767fe62d4d5448dc54

SHA1
28ff8901fa7cb9ee3dc4342c9b5620d1f48101bf

SHA256
ccd2809274a32b9c5c52094f33695d45a6d1af40f09cec5d0f77c5af5cac8afc

SHA512
8141dd705c3a21fa22b115ab5942dd1f575acba0731f8dd11ac3689f4ff8095f06718ad16696684c7e07dd90d4cdf9dbccc0923d836f8e106ba1fa54d5ea5157

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e4cdf3d1c8586bfd581c07289be3b3f7

SHA1
9e990cdd475fa6a62ada4092e48677efc7fc96e6

SHA256
43d46e4044cb2e7ef6a16d49df5600ce5cdbfe3255ed747c591e95f58a0872be

SHA512
58b62357a12730f1555a38b9a8d9de31e8f64d6f6c84e456c67651a9da94d6f147787abb16be595fae19a31ba959a1591517cefe9d677478472a7cd7ca88f069

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
14978edb9855564d6fed83a75c2bd49c

SHA1
16af361b4068ffa1098dae3d3f748a9cd13500dd

SHA256
a0602a8bde82f9a547774db85447f6af1986dfb003ef16d7c02ff6ad5f0c4839

SHA512
7dac1684e4b76dce78f0bf7b278d2117e5914d1c070f6280fe98696118c9649e5e568b4f3cd3901979f9683177d92e7d4cd9d1e15989822cae6cd14f7a38ae64

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dbdcd6366f13653a5475f2849d1af5ed

SHA1
38540cd737cf6aa456826aad480eca764bebd8c2

SHA256
d87506fcdec7178fddf34bfd8ab99dc88b3ee909a64d2af74cd260ebb4f502fd

SHA512
b4a31b933be8e73319aa35881d72ba44ff2692bfabfdfeff169680d915baefa3c79b133e6baf7467ff2b7f539e2266516794473f722d104e466042754d5c2e45

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
de92fe504713b352e5b26e8f2b705bf8

SHA1
398d28deb97dfb019f542a9a6b39e5896178a309

SHA256
5de14adb2c0ea5b8f8f7a89310c0bef39179f213b43b63f1dc26f7371dcfaa36

SHA512
c164e4d7eb468559f910759a95e8c2237bf00550d5165bc3a7b116ea9fdacd3f907935f911d13684afb8af3b2e23ca4f67a4f13863f4a44716fc3a14bf82a884

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fb52a17f0858a58f09346f77a1ae53e9

SHA1
9827a2ff0e2b8f0bea97d8547951dbaa4a5970ef

SHA256
62d5d897138f72b1f3166bf9b172b6cb219ad63796066db0502d60dae41944df

SHA512
f1aecc66689a1b788912cbd1352ffb7ddab027fa5b6d0c84082fc2701a3db170b745595d7c25d64f7a26d62bbf3637f295a8b497337d5d6a6724542543739431

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
62d6777e62f943d9219485a4685d4164

SHA1
484c0467146697fb21f33fc0711dd856ec03a1ea

SHA256
948eb640d454ffb264ceecddfd7ab9309036d86a3578fc0337859761bc0f0251

SHA512
ba8b4c73172b6d58a01d6d4cc4c3e72815dbd749451f950fccebc4fab118cdf0ca7d56545d607c316244efa85a523606c69e18f3d29dc1d6627d2d2af0e11004

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bf75fcecb50736d95b8118fd248eeaf0

SHA1
bb44b5ebe2b3dd7d803613a432cfe18c8ff449f3

SHA256
ecdb971cb59c69076e0923afe57ebe0c5cc393d515aeb2dd8752c7195e5cd74b

SHA512
030a79fc9a3c0b6a287f68348575c10c8144781d3855d3e9632e278dcce71f8a692afb221c65a93b248dba084bb9ceaa6733760e29502ee4befb850746274380

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8342eefd8ee2d80b917192ca47e26ec4

SHA1
9d1cf54dec0bbe22e7c3938549a70ffed27877bf

SHA256
4a468799b318c367cf2dbb2daf10f65ebaded1daa87a492deee306efd7d3ad14

SHA512
8482217d5936aa7f2aeb0c2b22e7c77224b9ab230f42b1203e91d321024e6beeb1d7033872f5bcc24ad01d4539477b634ee75ef267248ae5ce2c056c4413b369

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\gsz3hkd\imagestore.dat

Filesize
914B

MD5
c018e5bd46507404be2083b989e2497e

SHA1
50e669c964d7ca7f1cd93d926448adea21725a0f

SHA256
5bba03fe19ed3cb2a187f8c0fe5e7817afa9eef071a4a00be6bfed11484e6143

SHA512
914b425f478ca0de453934bc44556854e0feb5f9cae92bba01263946240bb0686aab554d9c3ababdd0fa082a2b1bea5286b4fd52e85e218c5d103d1c7e6a701d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IAE3FJ0M\favicon[2].ico

Filesize
766B

MD5
b4cb0049adba2125f0aebe6418b7d30d

SHA1
f7991b45a6561f66b22a8bf8e791612c39321135

SHA256
d5b1fa67c87513e54815ec9f9a5388c2435d51a4d36a246f1df3f7bd792a0d05

SHA512
1188024f27920f0d86ddbb2ee3e17714dfb7d0ea383fffb0164151b3e3d43826fc4e585231c384496e223907f22c16ace6aa088133c39881f4e16ce8a0c4b655

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC7C4.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC7E6.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\UK2RZG2L.txt

Filesize
103B

MD5
9a44c2dc65386d662d7a32508f9016ce

SHA1
8a5d662776fdc2d0991186372078cc7b6705b47a

SHA256
05df73221c56e303d8144d92a3a6538916fd56586404687a75a526680e36b6cc

SHA512
8bbbb4327ec2315da9c95c3300566fa70e9dc2ddc791ec7b5b738ead3ef83a74b6bde12d7aa98cffc26cac6f5f8e4f51b26f13f009e2a1d4f4b9179924ec00c2

Download Submit
\Program Files (x86)\Internet Explorer\IEShims.dll.tmp

Filesize
313KB

MD5
24ca036576658ced3de195d4425c3db8

SHA1
21efebb86d6145a9592a39b6ad248ff2378e2084

SHA256
e1fb0522a84c2d9c372c87e1fe0f5b9fd3529cb64865b5068d4e979b8ee727e6

SHA512
ce7cc3a44f733b8879a732b0c48e0ed8df5744ebb1b02b5e044dc1f46334fcef4b223c49963e3a8ab23997ade6b9606182a724e6ecd0c8e24c2f64f39dd54c3d

Download Submit
\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
\Users\Admin\AppData\Local\Temp\A1D26E2\C1E8AD8960.tmp

Filesize
3.8MB

MD5
6b737069dc7441ef7e9a2dcb18a30643

SHA1
24cbf7a1d7f6cc4e10a8bbe535430cd0c6314dca

SHA256
0f3a816ae13c157b3d55f7d7a5e37371c4eed99870af7b0dc1f0c3b5ba28e36e

SHA512
a248b8c6124000d4270b5b8cdae4776c58295fbac4058153fd0ad1fb5b27770b270f63f026fb17f02e5ac362b1639f6bfb6d8030075b899b71ef148335513bfc

Download Submit
memory/636-24-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/636-22-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1036-35-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1036-31-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1612-39-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1612-43-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1752-37-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1752-41-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2400-3-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2400-28-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2400-1106-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2400-1557-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2400-1094-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2400-1099-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2400-1102-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2400-1115-0x0000000075880000-0x00000000758B5000-memory.dmp

Filesize
212KB

Download
memory/2400-10-0x0000000075886000-0x0000000075887000-memory.dmp

Filesize
4KB

Download
memory/2400-16-0x0000000075880000-0x00000000758B5000-memory.dmp

Filesize
212KB

Download
memory/2400-15-0x0000000075880000-0x00000000758B5000-memory.dmp

Filesize
212KB

Download
memory/2400-11-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2644-29-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2644-33-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download