floxif | c83701536cbd89d5036b6ca9ebc33441cd2ac34390140242ecb5dec142e58e61

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02/01/2025, 01:46 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe
Size

2.4MB
MD5

dde2e98d6ba91a9eb1497aa8e495900b
SHA1

2486b42a0d6545b6957d3e5302ca3c02fac206e0
SHA256

c83701536cbd89d5036b6ca9ebc33441cd2ac34390140242ecb5dec142e58e61
SHA512

7766b9a7882b348296d397b98127a7b7d3ff704819e1741e5d1b2246505aa0faba8848a7ab090c67d18e0dad209600d615cd4cbf0351598ebb6cc43d50898d4f
SSDEEP

49152:2fuX7AkqIxGrGYyZa/tgrYJUGfZC3wA6EylfwEaFW31qg:LX7AfrlyutLxC3sEwwM3Ug

Score

10^/10

floxif backdoor bootkit discovery persistence trojan upx

Malware Config

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif

Detects Floxif payload 1 IoCs

backdoor

resource	yara_rule
behavioral1/files/0x00090000000120f9-1.dat	floxif

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x00090000000120f9-1.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
2912	minidownload.exe
1172	SogouSoftware.exe

Loads dropped DLL 12 IoCs

pid	Process
1356	2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe
1356	2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe
1356	2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe
1356	2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe
1356	2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe
2912	minidownload.exe
2912	minidownload.exe
2912	minidownload.exe
1356	2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe
1356	2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe
1356	2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe
1356	2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe

Network Service Discovery 1 TTPs 9 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
2388	arp.exe
2608	arp.exe
2816	arp.exe
2584	arp.exe
2440	arp.exe
2720	arp.exe
3036	arp.exe
2188	arp.exe
2728	arp.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1356-3-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral1/files/0x00090000000120f9-1.dat	upx
behavioral1/memory/1356-147-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral1/memory/1356-149-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral1/memory/1356-157-0x0000000010000000-0x0000000010033000-memory.dmp	upx

Drops file in Program Files directory 49 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\SogouSoftware\SogouSoftwareLoader.dll	minidownload.exe
File created	C:\Program Files (x86)\SogouSoftware\download\download\MiniTPFw.exe	minidownload.exe
File created	C:\Program Files (x86)\SogouSoftware\download\download\MiniThunderPlatform.exe	minidownload.exe
File created	C:\Program Files (x86)\SogouSoftware\download\download\msvcr71.dll	minidownload.exe
File created	C:\Program Files (x86)\SogouSoftware\download\download\.svn\text-base\MiniTPFw.exe.svn-base	minidownload.exe
File created	C:\Program Files (x86)\SogouSoftware\download\download\atl71.dll	minidownload.exe
File created	C:\Program Files (x86)\SogouSoftware\download\download\zlib1.dll	minidownload.exe
File created	C:\Program Files (x86)\SogouSoftware\download\download\.svn\text-base\msvcp71.dll.svn-base	minidownload.exe
File opened for modification	\??\c:\program files (x86)\sogousoftware\crash\ExceptionReport.exe	2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe
File created	\??\c:\program files\common files\system\symsrv.dll.000	2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe
File created	C:\Program Files (x86)\SogouSoftware\crash\ExceptionReport.exe	minidownload.exe
File created	C:\Program Files (x86)\SogouSoftware\crash\.svn\entries	minidownload.exe
File created	C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe	minidownload.exe
File created	C:\Program Files (x86)\SogouSoftware\download\download\.svn\prop-base\ThunderFW.exe.svn-base	minidownload.exe
File created	C:\Program Files (x86)\SogouSoftware\download\download\.svn\prop-base\atl71.dll.svn-base	minidownload.exe
File created	C:\Program Files (x86)\SogouSoftware\download\download\.svn\prop-base\dl_peer_id.dll.svn-base	minidownload.exe
File created	C:\Program Files (x86)\SogouSoftware\download\download\.svn\prop-base\MiniThunderPlatform.exe.svn-base	minidownload.exe
File created	C:\Program Files (x86)\SogouSoftware\download\download\.svn\prop-base\msvcp71.dll.svn-base	minidownload.exe
File created	C:\Program Files (x86)\SogouSoftware\download\download\.svn\text-base\MiniThunderPlatform.exe.svn-base	minidownload.exe
File created	C:\Program Files (x86)\SogouSoftware\download\download\.svn\text-base\msvcr71.dll.svn-base	minidownload.exe
File created	\??\c:\program files (x86)\sogousoftware\SogouSoftwareLoader.dll.tmp	2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe
File opened for modification	\??\c:\program files (x86)\sogousoftware\download\download\atl71.dll	2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe
File created	C:\Program Files (x86)\SogouSoftware\crash\.svn\format	minidownload.exe
File created	C:\Program Files (x86)\SogouSoftware\download\download\download_engine.dll	minidownload.exe
File created	C:\Program Files (x86)\SogouSoftware\download\download\msvcp71.dll	minidownload.exe
File created	C:\Program Files (x86)\SogouSoftware\download\download\.svn\all-wcprops	minidownload.exe
File created	C:\Program Files (x86)\SogouSoftware\download\download\.svn\text-base\atl71.dll.svn-base	minidownload.exe
File created	C:\Program Files (x86)\SogouSoftware\download\download\.svn\text-base\id.dat.svn-base	minidownload.exe
File created	C:\Program Files (x86)\SogouSoftware\download\download\.svn\prop-base\download_engine.dll.svn-base	minidownload.exe
File created	\??\c:\program files (x86)\sogousoftware\download\download\atl71.dll.tmp	2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe
File created	C:\Program Files (x86)\SogouSoftware\crash\.svn\prop-base\ExceptionReport.exe.svn-base	minidownload.exe
File created	C:\Program Files (x86)\SogouSoftware\crash\.svn\text-base\ExceptionReport.exe.svn-base	minidownload.exe
File created	C:\Program Files (x86)\SogouSoftware\download\xldl.dll	minidownload.exe
File created	C:\Program Files (x86)\SogouSoftware\download\download\id.dat	minidownload.exe
File created	C:\Program Files (x86)\SogouSoftware\download\download\.svn\entries	minidownload.exe
File created	C:\Program Files (x86)\SogouSoftware\download\download\.svn\format	minidownload.exe
File created	\??\c:\program files (x86)\sogousoftware\crash\ExceptionReport.exe.tmp	2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe
File created	C:\Program Files\Common Files\System\symsrv.dll	2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe
File created	C:\Program Files (x86)\SogouSoftware\download\download\ThunderFW.exe	minidownload.exe
File created	C:\Program Files (x86)\SogouSoftware\download\download\.svn\prop-base\MiniTPFw.exe.svn-base	minidownload.exe
File created	C:\Program Files (x86)\SogouSoftware\download\download\.svn\prop-base\msvcr71.dll.svn-base	minidownload.exe
File created	C:\Program Files (x86)\SogouSoftware\download\download\.svn\text-base\ThunderFW.exe.svn-base	minidownload.exe
File created	C:\Program Files (x86)\SogouSoftware\download\download\.svn\text-base\dl_peer_id.dll.svn-base	minidownload.exe
File created	C:\Program Files (x86)\SogouSoftware\crash\.svn\all-wcprops	minidownload.exe
File created	C:\Program Files (x86)\SogouSoftware\download\download\dl_peer_id.dll	minidownload.exe
File created	C:\Program Files (x86)\SogouSoftware\download\download\.svn\prop-base\zlib1.dll.svn-base	minidownload.exe
File created	C:\Program Files (x86)\SogouSoftware\download\download\.svn\text-base\download_engine.dll.svn-base	minidownload.exe
File created	C:\Program Files (x86)\SogouSoftware\download\download\.svn\text-base\zlib1.dll.svn-base	minidownload.exe
File opened for modification	\??\c:\program files (x86)\sogousoftware\SogouSoftwareLoader.dll	2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	minidownload.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x0007000000019227-11.dat	nsis_installer_1
behavioral1/files/0x0007000000019227-11.dat	nsis_installer_2

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1356	2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe
1356	2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
480	Process not Found
480	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1356	2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 1356 wrote to memory of 2440	1356	2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe	30
PID 1356 wrote to memory of 2440	1356	2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe	30
PID 1356 wrote to memory of 2440	1356	2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe	30
PID 1356 wrote to memory of 2440	1356	2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe	30
PID 1356 wrote to memory of 2388	1356	2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe	32
PID 1356 wrote to memory of 2388	1356	2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe	32
PID 1356 wrote to memory of 2388	1356	2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe	32
PID 1356 wrote to memory of 2388	1356	2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe	32
PID 1356 wrote to memory of 2720	1356	2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe	33
PID 1356 wrote to memory of 2720	1356	2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe	33
PID 1356 wrote to memory of 2720	1356	2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe	33
PID 1356 wrote to memory of 2720	1356	2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe	33
PID 1356 wrote to memory of 3036	1356	2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe	35
PID 1356 wrote to memory of 3036	1356	2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe	35
PID 1356 wrote to memory of 3036	1356	2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe	35
PID 1356 wrote to memory of 3036	1356	2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe	35
PID 1356 wrote to memory of 2188	1356	2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe	37
PID 1356 wrote to memory of 2188	1356	2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe	37
PID 1356 wrote to memory of 2188	1356	2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe	37
PID 1356 wrote to memory of 2188	1356	2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe	37
PID 1356 wrote to memory of 2608	1356	2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe	39
PID 1356 wrote to memory of 2608	1356	2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe	39
PID 1356 wrote to memory of 2608	1356	2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe	39
PID 1356 wrote to memory of 2608	1356	2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe	39
PID 1356 wrote to memory of 2816	1356	2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe	41
PID 1356 wrote to memory of 2816	1356	2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe	41
PID 1356 wrote to memory of 2816	1356	2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe	41
PID 1356 wrote to memory of 2816	1356	2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe	41
PID 1356 wrote to memory of 2728	1356	2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe	43
PID 1356 wrote to memory of 2728	1356	2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe	43
PID 1356 wrote to memory of 2728	1356	2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe	43
PID 1356 wrote to memory of 2728	1356	2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe	43
PID 1356 wrote to memory of 2584	1356	2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe	45
PID 1356 wrote to memory of 2584	1356	2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe	45
PID 1356 wrote to memory of 2584	1356	2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe	45
PID 1356 wrote to memory of 2584	1356	2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe	45
PID 1356 wrote to memory of 2912	1356	2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe	48
PID 1356 wrote to memory of 2912	1356	2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe	48
PID 1356 wrote to memory of 2912	1356	2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe	48
PID 1356 wrote to memory of 2912	1356	2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe	48
PID 1356 wrote to memory of 2912	1356	2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe	48
PID 1356 wrote to memory of 2912	1356	2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe	48
PID 1356 wrote to memory of 2912	1356	2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe	48
PID 1356 wrote to memory of 1172	1356	2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe	51
PID 1356 wrote to memory of 1172	1356	2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe	51
PID 1356 wrote to memory of 1172	1356	2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe	51
PID 1356 wrote to memory of 1172	1356	2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe	51
PID 1356 wrote to memory of 2856	1356	2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe	52
PID 1356 wrote to memory of 2856	1356	2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe	52
PID 1356 wrote to memory of 2856	1356	2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe	52
PID 1356 wrote to memory of 2856	1356	2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe	52

C:\Users\Admin\AppData\Local\Temp\2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1356
- C:\Windows\SysWOW64\arp.exe
  arp -a
  2⤵
  - Network Service Discovery
  - System Location Discovery: System Language Discovery
  PID:2440
- C:\Windows\SysWOW64\arp.exe
  arp -s 10.127.0.1 13-c0-cf-d7-35-d4
  2⤵
  - Network Service Discovery
  - System Location Discovery: System Language Discovery
  PID:2388
- C:\Windows\SysWOW64\arp.exe
  arp -s 10.127.255.255 3c-c3-d3-98-bf-98
  2⤵
  - Network Service Discovery
  - System Location Discovery: System Language Discovery
  PID:2720
- C:\Windows\SysWOW64\arp.exe
  arp -s 37.27.61.183 f3-cc-a7-3f-ed-63
  2⤵
  - Network Service Discovery
  - System Location Discovery: System Language Discovery
  PID:3036
- C:\Windows\SysWOW64\arp.exe
  arp -s 224.0.0.22 4c-8d-7c-25-2a-ab
  2⤵
  - Network Service Discovery
  - System Location Discovery: System Language Discovery
  PID:2188
- C:\Windows\SysWOW64\arp.exe
  arp -s 224.0.0.251 2d-0e-c2-ac-62-ad
  2⤵
  - Network Service Discovery
  - System Location Discovery: System Language Discovery
  PID:2608
- C:\Windows\SysWOW64\arp.exe
  arp -s 224.0.0.252 31-36-ce-2a-88-ba
  2⤵
  - Network Service Discovery
  - System Location Discovery: System Language Discovery
  PID:2816
- C:\Windows\SysWOW64\arp.exe
  arp -s 239.255.255.250 4d-68-7c-91-91-17
  2⤵
  - Network Service Discovery
  - System Location Discovery: System Language Discovery
  PID:2728
- C:\Windows\SysWOW64\arp.exe
  arp -s 255.255.255.255 08-f1-dd-af-27-90
  2⤵
  - Network Service Discovery
  - System Location Discovery: System Language Discovery
  PID:2584
- C:\Users\Admin\AppData\Local\Temp\minidownload.exe
  "C:\Users\Admin\AppData\Local\Temp\minidownload.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:2912
- C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe
  "C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe" /Loader /DownLoad?status=true&softurl=https%3A%2F%2Fxiazai.sogou.com%2Fcomm%2Fredir%3Fsoftdown%3D1%26u%3DG30HdQ8G4ngDpbEHfW1gEXYhwD6lzpDc8HlTAHx7scbrxDthotkHK0HexvlOWvJbJd76eqnPU0MQPeaLH3gS2w..%26pcid%3D-2241203717467645359%26fr%3Dxiazai%26source%3Dxixi%26filename%3Dpdfwjt.zip&iconurl=https%3A%2F%2Fpic.cr173.com%2Fup%2F2014-4%2F201449152326.jpg&softname=PDF%E8%BD%AC%E6%8D%A2%E9%80%9A&softsize=19.05MB
  2⤵
  - Executes dropped EXE
  PID:1172
- C:\Windows\SysWOW64\arp.exe
  arp -d
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2856

Network

DNS

yz.app.sogou.com

2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe

Remote address:

8.8.8.8:53

Request

yz.app.sogou.com

IN A

Response

yz.app.sogou.com

IN A

43.153.236.147

yz.app.sogou.com

IN A

43.153.249.87
GET

http://yz.app.sogou.com/appinfo?num=104320

2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe

Remote address:

43.153.236.147:80

Request

GET /appinfo?num=104320 HTTP/1.1
User-Agent: HttpDownload
Host: yz.app.sogou.com

Response

HTTP/1.1 301 Moved Permanently

Server: nginx
Date: Thu, 02 Jan 2025 01:46:44 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Location: https://yz.app.sogou.com/appinfo?num=104320
GET

https://yz.app.sogou.com/appinfo?num=104320

2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe

Remote address:

43.153.236.147:443

Request

GET /appinfo?num=104320 HTTP/1.1
User-Agent: HttpDownload
Host: yz.app.sogou.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 02 Jan 2025 01:46:46 GMT
Content-Type: text/plain; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: SUID=53B0D7B58F51A20B000000006775F006; expires=Wed, 28-Dec-2044 01:46:46 GMT; domain=.sogou.com; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
DNS

cacerts.digicert.cn

2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe

Remote address:

8.8.8.8:53

Request

cacerts.digicert.cn

IN A

Response

cacerts.digicert.cn

IN CNAME

cacerts.digicert.cn.w.cdngslb.com

cacerts.digicert.cn.w.cdngslb.com

IN A

79.133.176.222

cacerts.digicert.cn.w.cdngslb.com

IN A

79.133.176.223

cacerts.digicert.cn.w.cdngslb.com

IN A

79.133.176.211

cacerts.digicert.cn.w.cdngslb.com

IN A

79.133.176.219

cacerts.digicert.cn.w.cdngslb.com

IN A

163.181.154.240

cacerts.digicert.cn.w.cdngslb.com

IN A

163.181.154.241

cacerts.digicert.cn.w.cdngslb.com

IN A

79.133.176.213

cacerts.digicert.cn.w.cdngslb.com

IN A

79.133.176.224
GET

http://cacerts.digicert.cn/DigiCertGlobalRootG2.crt

2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe

Remote address:

79.133.176.222:80

Request

GET /DigiCertGlobalRootG2.crt HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: cacerts.digicert.cn

Response

HTTP/1.1 200 OK

Server: Tengine
Content-Type: application/pkix-cert
Content-Length: 914
Connection: keep-alive
date: Thu, 02 Jan 2025 00:51:41 GMT
expires: Sat, 04 Jan 2025 00:51:41 GMT
cache-control: max-age=172800
cache-control: public
accept-ranges: bytes
Via: ens-cache2.l2de3[0,0,304-0,H], ens-cache11.l2de3[2,0], ens-cache9.gb6[0,0,200-0,H], ens-cache4.gb6[1,0]
last-modified: Wed, 06 Dec 2017 21:41:43 GMT
etag: "5a286417-392"
Age: 3304
Ali-Swift-Global-Savetime: 1735779101
X-Cache: HIT TCP_MEM_HIT dirn:-2:-2
X-Swift-SaveTime: Thu, 02 Jan 2025 00:51:43 GMT
X-Swift-CacheTime: 3598
Timing-Allow-Origin: *
EagleId: 4f85b09817357824058963675e
DNS

ping.t.sogou.com

2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe

Remote address:

8.8.8.8:53

Request

ping.t.sogou.com

IN A

Response
DNS

www.baidu.com

2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe

Remote address:

8.8.8.8:53

Request

www.baidu.com

IN A

Response

www.baidu.com

IN CNAME

www.a.shifen.com

www.a.shifen.com

IN CNAME

www.wshifen.com

www.wshifen.com

IN A

103.235.47.188

www.wshifen.com

IN A

103.235.46.96
GET

http://www.baidu.com/

2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe

Remote address:

103.235.47.188:80

Request

GET / HTTP/1.1
Accept: */*
Host: www.baidu.com

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Cache-Control: no-cache
Connection: keep-alive
Content-Length: 29608
Content-Type: text/html
Date: Thu, 02 Jan 2025 01:46:50 GMT
P3p: CP=" OTI DSP COR IVA OUR IND COM "
P3p: CP=" OTI DSP COR IVA OUR IND COM "
Pragma: no-cache
Server: BWS/1.1
Set-Cookie: BAIDUID=2A8EDC8D1A7C9B5D5C92F852D02ADC76:FG=1; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
Set-Cookie: BIDUPSID=2A8EDC8D1A7C9B5D5C92F852D02ADC76; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
Set-Cookie: PSTM=1735782410; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
Set-Cookie: BAIDUID=2A8EDC8D1A7C9B5D5CF0E7F17B688FB6:FG=1; max-age=31536000; expires=Fri, 02-Jan-26 01:46:50 GMT; domain=.baidu.com; path=/; version=1; comment=bd
Traceid: 1735782410368569345011713740123505917905
Vary: Accept-Encoding
X-Ua-Compatible: IE=Edge,chrome=1
X-Xss-Protection: 1;mode=block
DNS

5isohu.com

2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe

Remote address:

8.8.8.8:53

Request

5isohu.com

IN A

Response
DNS

www.aieov.com

2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe

Remote address:

8.8.8.8:53

Request

www.aieov.com

IN A

Response

www.aieov.com

IN A

173.255.194.134

www.aieov.com

IN A

45.33.20.235

www.aieov.com

IN A

45.33.2.79

www.aieov.com

IN A

96.126.123.244

www.aieov.com

IN A

45.56.79.23

www.aieov.com

IN A

45.33.23.183

www.aieov.com

IN A

45.79.19.196

www.aieov.com

IN A

72.14.185.43

www.aieov.com

IN A

198.58.118.167

www.aieov.com

IN A

45.33.30.197

www.aieov.com

IN A

45.33.18.44

www.aieov.com

IN A

72.14.178.174
GET

http://www.aieov.com/logo.gif

2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe

Remote address:

173.255.194.134:80

Request

GET /logo.gif HTTP/1.1
Accept: */*
Host: www.aieov.com

Response

HTTP/1.1 403 Forbidden

server: openresty/1.13.6.1
date: Thu, 02 Jan 2025 01:46:53 GMT
content-type: text/html
content-length: 175
connection: close

43.153.236.147:80

http://yz.app.sogou.com/appinfo?num=104320

http

2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe

316 B
505 B
5
3

HTTP Request

GET http://yz.app.sogou.com/appinfo?num=104320

HTTP Response

301
43.153.236.147:443

https://yz.app.sogou.com/appinfo?num=104320

tls, http

2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe

1.1kB
5.0kB
9
9

HTTP Request

GET https://yz.app.sogou.com/appinfo?num=104320

HTTP Response

200
79.133.176.222:80

http://cacerts.digicert.cn/DigiCertGlobalRootG2.crt

http

2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe

419 B
1.8kB
6
6

HTTP Request

GET http://cacerts.digicert.cn/DigiCertGlobalRootG2.crt

HTTP Response

200
103.235.47.188:80

http://www.baidu.com/

http

2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe

2.4kB
63.9kB
47
57

HTTP Request

GET http://www.baidu.com/

HTTP Response

200
173.255.194.134:80

http://www.aieov.com/logo.gif

http

2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe

290 B
503 B
5
4

HTTP Request

GET http://www.aieov.com/logo.gif

HTTP Response

403

8.8.8.8:53

yz.app.sogou.com

dns

2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe

62 B
94 B
1
1

DNS Request

yz.app.sogou.com

DNS Response

43.153.236.147

43.153.249.87
8.8.8.8:53

cacerts.digicert.cn

dns

2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe

65 B
240 B
1
1

DNS Request

cacerts.digicert.cn

DNS Response

79.133.176.222

79.133.176.223

79.133.176.211

79.133.176.219

163.181.154.240

163.181.154.241

79.133.176.213

79.133.176.224
8.8.8.8:53

ping.t.sogou.com

dns

2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe

62 B
121 B
1
1

DNS Request

ping.t.sogou.com
8.8.8.8:53

www.baidu.com

dns

2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe

59 B
144 B
1
1

DNS Request

www.baidu.com

DNS Response

103.235.47.188

103.235.46.96
8.8.8.8:53

5isohu.com

dns

2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe

56 B
117 B
1
1

DNS Request

5isohu.com
8.8.8.8:53

www.aieov.com

dns

2025-01-02_dde2e98d6ba91a9eb1497aa8e495900b_floxif_mafia.exe

59 B
251 B
1
1

DNS Request

www.aieov.com

DNS Response

173.255.194.134

45.33.20.235

45.33.2.79

96.126.123.244

45.56.79.23

45.33.23.183

45.79.19.196

72.14.185.43

198.58.118.167

45.33.30.197

45.33.18.44

72.14.178.174

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe

Filesize
232KB

MD5
0bc2d003fcfe3fa65f4c3ba7a015fa41

SHA1
72ed85bc1c57259b4f2ed36d16ce3fed4e30607c

SHA256
388069590fb9569b6c498f941d0565416cb52fc803648ee21b8c59917c63eb4b

SHA512
ae8d83e6ca21ee9b0d5e5845fac3a4dc01c6038243da36b4360b2f42763478265cdafc89072c47672b9738de1930e5e5191e2bf91715055cbd16a949d313ff24

Download Submit
C:\Program Files (x86)\SogouSoftware\download\download\.svn\prop-base\atl71.dll.svn-base

Filesize
53B

MD5
113136892f2137aa0116093a524ade0b

SHA1
a0284943f8ddfe69ceec90833e66d96bdf4a97f0

SHA256
ebbf7e8800c3446bc3a195fa53573bde1073b0bf7581a614372f1391a9286d02

SHA512
d3201cc19ae702a9813aa8bc39612ebaa48138903e9ede64dcadff213691f6e711876aa4fa083887c545325d5d8bf70649523c528090542459f2b01697180e99

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabDE50.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarDE72.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\minidownload.exe

Filesize
1.9MB

MD5
0618e9851ea4a522abeded8d40c2f19e

SHA1
c6772967fdf545e32d28f3b46e97aec5b9ff99f5

SHA256
506c374fbdf14420306e2da8d123c2138c2ceabd2046178317508a25949d3dc4

SHA512
b8c4816d81aa14646a3b690da76c0d33f59b7d419305638747503dba6bb84a63b906fe7d0ced59850ad25db37c1e0e6f3bd614a902f2f5ffb3d2bf74ec4e571f

Download Submit
\??\c:\program files (x86)\sogousoftware\SogouSoftwareLoader.dll

Filesize
450KB

MD5
b1ce2dba9515e144908aa34ac77f5a46

SHA1
0a3e601eeba273a16d815c5e59793eb73db9daad

SHA256
5a7349e46f16ec394af8575b666c132c010bacaa2c59da472b842ffeccc5623f

SHA512
d0a78b5de9126b8126b531fb8f72ae375aac898930dccd8a61f173c28470895daab56b368c34a5925020dfdc642785651445967904d8756bb1ce7c1d2f95525a

Download Submit
\??\c:\program files (x86)\sogousoftware\crash\ExceptionReport.exe

Filesize
110KB

MD5
5d4a135fedd49b7ab79cf2c2d8e2d611

SHA1
4f838f694da6f598d81f71751fb1ba70e6dcffa2

SHA256
1624c019d1f2befa579420a71649b352cae80afa1e43409e9ad5bf2a5ab0dd7a

SHA512
a83d95f4fabb69238c5f84bffa9421003226d9c6b75f632c04a3a282a0966cb8ef4363bf18d42ef65980f306e0bf47b762e0f2f412106da204940f215f52efd7

Download Submit
\??\c:\program files (x86)\sogousoftware\download\download\MiniTPFw.exe

Filesize
58KB

MD5
58bb62e88687791ad2ea5d8d6e3fe18b

SHA1
0ffb029064741d10c9cf3f629202aa97167883de

SHA256
f02fa7ddab2593492b9b68e3f485e59eb755380a9235f6269705f6d219dff100

SHA512
cd36b28f87be9cf718f0c44bf7c500d53186edc08889bcfa5222041ff31c5cbee509b186004480efbd99c36b2233182ae0969447f4051510e1771a73ed209da5

Download Submit
\??\c:\program files (x86)\sogousoftware\download\download\MiniThunderPlatform.exe

Filesize
262KB

MD5
e2e9483568dc53f68be0b80c34fe27fb

SHA1
8919397fcc5ce4f91fe0dc4e6f55cea5d39e4bb9

SHA256
205c40f2733ba3e30cc538adc6ac6ee46f4c84a245337a36108095b9280abb37

SHA512
b6810288e5f9ad49dcbf13bf339eb775c52e1634cfa243535ab46fda97f5a2aac112549d21e2c30a95306a57363819be8ad5efd4525e27b6c446c17c9c587e4e

Download Submit
\??\c:\program files (x86)\sogousoftware\download\download\ThunderFW.exe

Filesize
71KB

MD5
f0372ff8a6148498b19e04203dbb9e69

SHA1
27fe4b5f8cb9464ab5ddc63e69c3c180b77dbde8

SHA256
298d334b630c77b70e66cf5e9c1924c7f0d498b02c2397e92e2d9efdff2e1bdf

SHA512
65d84817cdddb808b6e0ab964a4b41e96f7ce129e3cc8c253a31642efe73a9b7070638c22c659033e1479322aceea49d1afdceff54f8ed044b1513bffd33f865

Download Submit
\??\c:\program files (x86)\sogousoftware\download\download\atl71.dll

Filesize
87KB

MD5
79cb6457c81ada9eb7f2087ce799aaa7

SHA1
322ddde439d9254182f5945be8d97e9d897561ae

SHA256
a68e1297fae2bcf854b47ffa444f490353028de1fa2ca713b6cf6cc5aa22b88a

SHA512
eca4b91109d105b2ce8c40710b8e3309c4cc944194843b7930e06daf3d1df6ae85c1b7063036c7e5cd10276e5e5535b33e49930adbad88166228316283d011b8

Download Submit
\??\c:\program files (x86)\sogousoftware\download\download\dl_peer_id.dll

Filesize
89KB

MD5
dba9a19752b52943a0850a7e19ac600a

SHA1
3485ac30cd7340eccb0457bca37cf4a6dfda583d

SHA256
69a5e2a51094dc8f30788d63243b12a0eb2759a3f3c3a159b85fd422fc00ac26

SHA512
a42c1ec5594c6f6cae10524cdad1f9da2bdc407f46e685e56107de781b9bce8210a8cd1a53edacd61365d37a1c7ceba3b0891343cf2c31d258681e3bf85049d3

Download Submit
\??\c:\program files (x86)\sogousoftware\download\download\download_engine.dll

Filesize
3.4MB

MD5
1a87ff238df9ea26e76b56f34e18402c

SHA1
2df48c31f3b3adb118f6472b5a2dc3081b302d7c

SHA256
abaeb5121548256577ddd8b0fc30c9ff3790649ad6a0704e4e30d62e70a72964

SHA512
b2e63aba8c081d3d38bd9633a1313f97b586b69ae0301d3b32b889690327a575b55097f19cc87c6e6ed345f1b4439d28f981fdb094e6a095018a10921dae80d9

Download Submit
\??\c:\program files (x86)\sogousoftware\download\download\msvcp71.dll

Filesize
492KB

MD5
a94dc60a90efd7a35c36d971e3ee7470

SHA1
f936f612bc779e4ba067f77514b68c329180a380

SHA256
6c483cbe349863c7dcf6f8cb7334e7d28c299e7d5aa063297ea2f62352f6bdd9

SHA512
ff6c41d56337cac074582002d60cbc57263a31480c67ee8999bc02fc473b331eefed93ee938718d297877cf48471c7512741b4aebc0636afc78991cdf6eddfab

Download Submit
\??\c:\program files (x86)\sogousoftware\download\download\msvcr71.dll

Filesize
340KB

MD5
ca2f560921b7b8be1cf555a5a18d54c3

SHA1
432dbcf54b6f1142058b413a9d52668a2bde011d

SHA256
c4d4339df314a27ff75a38967b7569d9962337b8d4cd4b0db3aba5ff72b2bfbb

SHA512
23e0bdd9458a5a8e0f9bbcb7f6ce4f87fcc9e47c1ee15f964c17ff9fe8d0f82dd3a0f90263daaf1ee87fad4a238aa0ee92a16b3e2c67f47c84d575768edba43e

Download Submit
\??\c:\program files (x86)\sogousoftware\download\download\zlib1.dll

Filesize
58KB

MD5
89f6488524eaa3e5a66c5f34f3b92405

SHA1
330f9f6da03ae96dfa77dd92aae9a294ead9c7f7

SHA256
bd29d2b1f930e4b660adf71606d1b9634188b7160a704a8d140cadafb46e1e56

SHA512
cfe72872c89c055d59d4de07a3a14cd84a7e0a12f166e018748b9674045b694793b6a08863e791be4f9095a34471fd6abe76828dc8c653be8c66923a5802b31e

Download Submit
\Program Files (x86)\SogouSoftware\SogouSoftwareLoader.dll.tmp

Filesize
531KB

MD5
a12c758b1def3dd105f5ae8afa453de7

SHA1
af64b24d7a8220de6d72a984b56a4e4666a30f20

SHA256
cc4f955f25c32c90b4f809f3ccd550d3004608e853198c6919bb6ee1ea6aa120

SHA512
22c45d57049ae5bbe14dc14c21ae77295994406c9ccf3f1410c3e59de183588826cf19e5de726daf2d0f38a55c923780299ed80b2320e8764049bed37435b3c5

Download Submit
\Program Files (x86)\SogouSoftware\crash\ExceptionReport.exe.tmp

Filesize
190KB

MD5
6831898a31730229de0bf144e81ef2c8

SHA1
dac5e9eb1cc807d4f61cd369c1f2e41269b7581c

SHA256
71899576a68b27faa1ddb340c4701bb4c5904c73c4697dd8ecc072a20bfa501b

SHA512
60262ec3db3e4082e93cd3719af22e1c8a2d1d0cfcedbd6c5608087ab195346ff670ed144d2b6c3d77bd29341e0f6597dddf76f07e583e03511fd6c409eb50e6

Download Submit
\Program Files (x86)\SogouSoftware\download\download\atl71.dll.tmp

Filesize
167KB

MD5
ded688c49ea394f2015274ecab66fe91

SHA1
5008bda637141243e833ff25ef607cdc00194b08

SHA256
bf3a9e68c4fee97403ec2c128926f045ac37b71201d677180e7335e63b0442b0

SHA512
a447dec07c30aa2eb48a62e0df3f4aa7ca85bfb3bc7185d45b9f4d638d969f7111ed02bbab3bbcdf99b9783b5d93491960ef2467dd3eeeaef67e76ba56d48c18

Download Submit
\Program Files\Common Files\System\symsrv.dll

Filesize
71KB

MD5
4fcd7574537cebec8e75b4e646996643

SHA1
efa59bb9050fb656b90d5d40c942fb2a304f2a8b

SHA256
8ea3b17e4b783ffc0bc387b81b823bf87af0d57da74541d88ba85314bb232a5d

SHA512
7f1a7ef64d332a735db82506b47d84853af870785066d29ccaf4fdeab114079a9f0db400e01ba574776a0d652a248658fe1e8f9659cdced19ad6eea09644ea3e

Download Submit
memory/1356-3-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/1356-5-0x0000000000A91000-0x0000000000A92000-memory.dmp

Filesize
4KB

Download
memory/1356-147-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/1356-149-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/1356-148-0x0000000000A90000-0x0000000000CDA000-memory.dmp

Filesize
2.3MB

Download
memory/1356-157-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/1356-155-0x0000000000A90000-0x0000000000CDA000-memory.dmp

Filesize
2.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.