File name: 2025-02-27_5ede1711fdd104fd06cf464610f324c3_floxif_icedid

Full analysis: https://app.any.run/tasks/2f393195-f564-47f5-b3f8-ec97e7a52102
Verdict: Malicious activity
Analysis date: February 27, 2025, 07:43:58
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5: 5EDE1711FDD104FD06CF464610F324C3
SHA1: C8F27A8B69EE96E98DA554A638B822C10CAAC045
SHA256: 0FEC22408E1A754C0709B1A0686D511F0E960E24F920BA25AE0180D8BC27C99E
SSDEEP: 98304:fzKHLlk7b5kRBak9/wNqxhqd2pvDa+1qUSfOIocFR68gfmhPPzHiFwYE9sDRhqJy:UBTEc2h2

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as-is for user acknowledgement. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • 2025-02-27_5ede1711fdd104fd06cf464610f324c3_floxif_icedid.exe (PID: 4120)
      • DXSETUP.exe (PID: 1188)
    • Connects to the CnC server

      • 2025-02-27_5ede1711fdd104fd06cf464610f324c3_floxif_icedid.exe (PID: 1812)
  • SUSPICIOUS

    • Starts a Microsoft application from unusual location

      • DXSETUP.exe (PID: 1188)
    • Executes as Windows Service

      • VSSVC.exe (PID: 900)
    • Searches for installed software

      • dllhost.exe (PID: 6272)
      • Installer.exe (PID: 5084)
    • Executable content was dropped or overwritten

      • DXSETUP.exe (PID: 1188)
      • 2025-02-27_5ede1711fdd104fd06cf464610f324c3_floxif_icedid.exe (PID: 1812)
    • Process drops a legitimate Windows executable

      • 2025-02-27_5ede1711fdd104fd06cf464610f324c3_floxif_icedid.exe (PID: 1812)
      • DXSETUP.exe (PID: 1188)
    • Reads security settings of Internet Explorer

      • 2025-02-27_5ede1711fdd104fd06cf464610f324c3_floxif_icedid.exe (PID: 1812)
      • DXSETUP.exe (PID: 1188)
      • Installer.exe (PID: 5084)
    • There is functionality for taking screenshots (YARA)

      • 2025-02-27_5ede1711fdd104fd06cf464610f324c3_floxif_icedid.exe (PID: 1812)
    • Contacting a server suspected of hosting a CnC

      • 2025-02-27_5ede1711fdd104fd06cf464610f324c3_floxif_icedid.exe (PID: 1812)
    • Checks Windows Trust Settings

      • Installer.exe (PID: 5084)
      • DXSETUP.exe (PID: 1188)
    • Creates/Modifies COM task schedule object

      • DXSETUP.exe (PID: 1188)
    • Adds/modifies Windows certificates

      • Installer.exe (PID: 5084)
  • INFO

    • Checks supported languages

      • 2025-02-27_5ede1711fdd104fd06cf464610f324c3_floxif_icedid.exe (PID: 1812)
      • DXSETUP.exe (PID: 1188)
      • Installer.exe (PID: 5084)
    • Creates files in a temporary directory

      • 2025-02-27_5ede1711fdd104fd06cf464610f324c3_floxif_icedid.exe (PID: 1812)
      • DXSETUP.exe (PID: 1188)
    • Checks proxy server information

      • 2025-02-27_5ede1711fdd104fd06cf464610f324c3_floxif_icedid.exe (PID: 1812)
      • DXSETUP.exe (PID: 1188)
      • slui.exe (PID: 4452)
      • Installer.exe (PID: 5084)
    • The sample was compiled with English language support

      • DXSETUP.exe (PID: 1188)
      • 2025-02-27_5ede1711fdd104fd06cf464610f324c3_floxif_icedid.exe (PID: 1812)
    • Creates files in the program directory

      • 2025-02-27_5ede1711fdd104fd06cf464610f324c3_floxif_icedid.exe (PID: 1812)
    • Reads the computer name

      • DXSETUP.exe (PID: 1188)
      • Installer.exe (PID: 5084)
      • 2025-02-27_5ede1711fdd104fd06cf464610f324c3_floxif_icedid.exe (PID: 1812)
    • Manages system restore points

      • SrTasks.exe (PID: 6656)
    • UPX packer has been detected

      • 2025-02-27_5ede1711fdd104fd06cf464610f324c3_floxif_icedid.exe (PID: 1812)
    • Reads the software policy settings

      • DXSETUP.exe (PID: 1188)
      • Installer.exe (PID: 5084)
      • slui.exe (PID: 4452)
    • Reads the machine GUID from the registry

      • Installer.exe (PID: 5084)
      • DXSETUP.exe (PID: 1188)
    • Disables trace logs

      • Installer.exe (PID: 5084)
No malware configuration extracted.

TRiD (match confidence, %)

.exe | InstallShield setup (36.8)
.exe | Win32 Executable MS Visual C++ (generic) (26.6)
.exe | Win64 Executable (generic) (23.6)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2011:09:28 01:37:23+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 851968
InitializedDataSize: 3665920
UninitializedDataSize: -
EntryPoint: 0x8d103
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 2.0.81.0
ProductVersionNumber: 2.0.81.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
Comments: -
CompanyName: DevAge, Vestris Inc. & Contributors
FileDescription: -
FileVersion: 2.0.81.0
InternalName: -
LegalCopyright: Copyright (c) DevAge, Vestris Inc. & Contributors
LegalTrademarks: All Rights Reserved
OLESelfRegister: -
OriginalFileName: -
PrivateBuild: -
ProductName: dotNetInstaller
ProductVersion: 2.0.81.0
SpecialBuild: -
Total processes: 134
Monitored processes: 9
Malicious processes: 3
Suspicious processes: 2

Behavior graph

Process nodes (in graph order):
  • start
  • 2025-02-27_5ede1711fdd104fd06cf464610f324c3_floxif_icedid.exe
  • dxsetup.exe
  • SPPSurrogate (no specs)
  • vssvc.exe (no specs)
  • srtasks.exe (no specs)
  • conhost.exe (no specs)
  • installer.exe
  • slui.exe
  • 2025-02-27_5ede1711fdd104fd06cf464610f324c3_floxif_icedid.exe (no specs)

Process information

Columns: PID | CMD | Path | Indicators | Parent process
PID: 900
CMD: C:\WINDOWS\system32\vssvc.exe
Path: C:\Windows\System32\VSSVC.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft® Volume Shadow Copy Service
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1188
CMD: C:\Users\admin\AppData\Local\Temp\{BCBA8581-F6C1-40C5-BEEB-74402F51DC3D}\DXRedist\DXSETUP.exe /silent
Path: C:\Users\admin\AppData\Local\Temp\{BCBA8581-F6C1-40C5-BEEB-74402F51DC3D}\DXRedist\DXSETUP.exe
Parent process: 2025-02-27_5ede1711fdd104fd06cf464610f324c3_floxif_icedid.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft DirectX Setup
Exit code: 0
Version: 4.9.0.0904
Modules
Images
c:\users\admin\appdata\local\temp\{bcba8581-f6c1-40c5-beeb-74402f51dc3d}\dxredist\dxsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 1812
CMD: "C:\Users\admin\Desktop\2025-02-27_5ede1711fdd104fd06cf464610f324c3_floxif_icedid.exe"
Path: C:\Users\admin\Desktop\2025-02-27_5ede1711fdd104fd06cf464610f324c3_floxif_icedid.exe
Parent process: explorer.exe
User: admin
Company: DevAge, Vestris Inc. & Contributors
Integrity Level: HIGH
Exit code: 0
Version: 2.0.81.0
Modules
Images
c:\users\admin\desktop\2025-02-27_5ede1711fdd104fd06cf464610f324c3_floxif_icedid.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 4120
CMD: "C:\Users\admin\Desktop\2025-02-27_5ede1711fdd104fd06cf464610f324c3_floxif_icedid.exe"
Path: C:\Users\admin\Desktop\2025-02-27_5ede1711fdd104fd06cf464610f324c3_floxif_icedid.exe
Parent process: explorer.exe
User: admin
Company: DevAge, Vestris Inc. & Contributors
Integrity Level: MEDIUM
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: the medium-integrity instance exited and the sample was re-launched at HIGH integrity as PID 1812)
Version: 2.0.81.0
Modules
Images
c:\users\admin\desktop\2025-02-27_5ede1711fdd104fd06cf464610f324c3_floxif_icedid.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 4452
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 4920
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: SrTasks.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 5084
CMD: C:\Users\admin\AppData\Local\Temp\{BCBA8581-F6C1-40C5-BEEB-74402F51DC3D}\InstallLauncher\Installer.exe
Path: C:\Users\admin\AppData\Local\Temp\{BCBA8581-F6C1-40C5-BEEB-74402F51DC3D}\InstallLauncher\Installer.exe
Parent process: 2025-02-27_5ede1711fdd104fd06cf464610f324c3_floxif_icedid.exe
User: admin
Company: Ubisoft
Integrity Level: HIGH
Description: Installer
Exit code: 0
Version: 1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\{bcba8581-f6c1-40c5-beeb-74402f51dc3d}\installlauncher\installer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 6272
CMD: C:\WINDOWS\system32\DllHost.exe /Processid:{F32D97DF-E3E5-4CB9-9E3E-0EB5B4E49801}
Path: C:\Windows\System32\dllhost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: COM Surrogate
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
PID: 6656
CMD: C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:11
Path: C:\Windows\System32\SrTasks.exe
Parent process: dllhost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft® Windows System Protection background tasks.
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\srtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 16 172
Read events: 15 936
Write events: 209
Delete events: 27

Modification events

(PID) Process: (1812) 2025-02-27_5ede1711fdd104fd06cf464610f324c3_floxif_icedid.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write | Name: CachePrefix | Value: (empty)

(PID) Process: (1812) 2025-02-27_5ede1711fdd104fd06cf464610f324c3_floxif_icedid.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write | Name: CachePrefix | Value: Cookie:

(PID) Process: (1812) 2025-02-27_5ede1711fdd104fd06cf464610f324c3_floxif_icedid.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write | Name: CachePrefix | Value: Visited:

(PID) Process: (1188) DXSETUP.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\DirectX
Operation: write | Name: command | Value: 0

(PID) Process: (1188) DXSETUP.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\DirectX
Operation: write | Name: DXSetup | Value: 0

(PID) Process: (1188) DXSETUP.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation: write | Name: SrCreateRp (Enter)
Value: 4000000000000000C18F6763EB88DB01A40400003C080000D5070000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (6272) dllhost.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write | Name: SppGetSnapshots (Enter)
Value: 4800000000000000C18F6763EB88DB0180180000D81A0000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (6272) dllhost.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write | Name: SppGetSnapshots (Leave)
Value: 480000000000000089E4B363EB88DB0180180000D81A0000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (6272) dllhost.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write | Name: SppEnumGroups (Enter)
Value: 480000000000000089E4B363EB88DB0180180000D81A0000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (6272) dllhost.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write | Name: SppEnumGroups (Leave)
Value: 48000000000000004598B863EB88DB0180180000D81A0000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000
Executable files: 34
Suspicious files: 38
Text files: 4
Unknown types: 0

Dropped files

PID | Process | Filename | Type

1812 | 2025-02-27_5ede1711fdd104fd06cf464610f324c3_floxif_icedid.exe | C:\Users\admin\AppData\Local\Temp\{BCBA8581-F6C1-40C5-BEEB-74402F51DC3D}\DXRedist\dsetup32.dll | executable
MD5: 0F58CCD58A29827B5D406874360E4C08
SHA256: 642D9E7DB6D4FC15129F011DCE2EA087BF7F7FB015AECECF82BF84FF6634A6FB

1812 | 2025-02-27_5ede1711fdd104fd06cf464610f324c3_floxif_icedid.exe | C:\Users\admin\AppData\Local\Temp\{BCBA8581-F6C1-40C5-BEEB-74402F51DC3D}\DXRedist\Jun2010_D3DCompiler_43_x86.cab | compressed
MD5: F7F554AA613ECCF065575B8C69717EF7
SHA256: 417EEBD5B19F45C67C94C2D2BA8B774C0FC6D958B896D7B1AC12CF5A0EA06E0E

1812 | 2025-02-27_5ede1711fdd104fd06cf464610f324c3_floxif_icedid.exe | C:\Users\admin\AppData\Local\Temp\{BCBA8581-F6C1-40C5-BEEB-74402F51DC3D}\DXRedist\Jun2010_XAudio_x86.cab | compressed
MD5: 9D2DA3B1055120AF7C2995896F5D51ED
SHA256: 7B4332207563BEBA1103744B6DB5399AD150E9E6838F9D5A71497E7EB3645EBF

1812 | 2025-02-27_5ede1711fdd104fd06cf464610f324c3_floxif_icedid.exe | C:\Users\admin\AppData\Local\Temp\{BCBA8581-F6C1-40C5-BEEB-74402F51DC3D}\InstallLauncher\Mono.Nat.dll | executable
MD5: 81584E5D909150C6892834DE6B57DF4E
SHA256: 77F43AFA6A1632018FF8707521ABECA60CF2B009D76039523782C0C34F78B53B

1812 | 2025-02-27_5ede1711fdd104fd06cf464610f324c3_floxif_icedid.exe | C:\Users\admin\AppData\Local\Temp\{BCBA8581-F6C1-40C5-BEEB-74402F51DC3D}\DXRedist\DXSETUP.exe | executable
MD5: DDCE338BB173B32024679D61FB4F2BA6
SHA256: 046041ABA6BA77534C36BB0C2496408D23C6A09F930C46B392F1EDC70DFD66DE

1812 | 2025-02-27_5ede1711fdd104fd06cf464610f324c3_floxif_icedid.exe | C:\Users\admin\AppData\Local\Temp\{BCBA8581-F6C1-40C5-BEEB-74402F51DC3D}\DXRedist\dxdllreg_x86.cab | compressed
MD5: A025C67403DC2C2BCD709AA9435FAEB1
SHA256: 8AD77A4D9C76F65CD62337588F847CC1E0CA6CA9735937F3A781F7395E9566A1

1812 | 2025-02-27_5ede1711fdd104fd06cf464610f324c3_floxif_icedid.exe | C:\Users\admin\AppData\Local\Temp\{BCBA8581-F6C1-40C5-BEEB-74402F51DC3D}\InstallLauncher\ICSharpCode.SharpZipLib.dll | executable
MD5: 57B28995B181B82D51910501203DEE97
SHA256: AA6EF252580AEADA967452B13B41475BD64BE49430522FA5054AD1A3F881B371

1812 | 2025-02-27_5ede1711fdd104fd06cf464610f324c3_floxif_icedid.exe | C:\Users\admin\AppData\Local\Temp\{BCBA8581-F6C1-40C5-BEEB-74402F51DC3D}\InstallLauncher\MiscUtil.dll | executable
MD5: AB8AA03F734143F13F2EA89D503B5E73
SHA256: ACF34BAB8D71963D020D40B04C86653CB0826B1E4F3A38498FB06D65767D8233

1812 | 2025-02-27_5ede1711fdd104fd06cf464610f324c3_floxif_icedid.exe | C:\Users\admin\AppData\Local\Temp\{BCBA8581-F6C1-40C5-BEEB-74402F51DC3D}\InstallLauncher\config.ini | binary
MD5: B7AC82425E76F541DD1D0A9FFD311B2F
SHA256: A8D826D794FCC2D9E3C39394EEA0BA887F78293B76EC0C7BC763B61B50AD42EF

1812 | 2025-02-27_5ede1711fdd104fd06cf464610f324c3_floxif_icedid.exe | C:\Users\admin\AppData\Local\Temp\{BCBA8581-F6C1-40C5-BEEB-74402F51DC3D}\DXRedist\DSETUP.dll | executable
MD5: 9E0711BED229B60A853BCC5D10DEAAFC
SHA256: DEF6F245762BE36CF18B435BA8B7EBC224B9C21D1A1DB606A8E8FAFDAA97BBA0
HTTP(S) requests: 20
TCP/UDP connections: 36
DNS requests: 16
Threats: 7

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
1812 | 2025-02-27_5ede1711fdd104fd06cf464610f324c3_floxif_icedid.exe | GET | 403 | 96.126.123.244:80 | http://www.aieov.com/logo.gif | unknown | malicious
1812 | 2025-02-27_5ede1711fdd104fd06cf464610f324c3_floxif_icedid.exe | GET | 403 | 96.126.123.244:80 | http://www.aieov.com/logo.gif | unknown | malicious
5084 | Installer.exe | GET | 200 | 104.18.38.233:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI%3D | unknown | whitelisted
1188 | DXSETUP.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/CSPCA.crl | unknown | whitelisted
1812 | 2025-02-27_5ede1711fdd104fd06cf464610f324c3_floxif_icedid.exe | GET | 403 | 96.126.123.244:80 | http://www.aieov.com/logo.gif | unknown | malicious
5084 | Installer.exe | GET | 200 | 172.64.149.23:80 | http://ocsp.comodoca.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBSSdxXdG447ymkRNPVViULv3rkBzQQUKZFg%2F4pN%2Buv5pmq4z%2FnmS71JzhICEQDlbaoIIFVeoDeSWE87Wync | unknown | whitelisted
1812 | 2025-02-27_5ede1711fdd104fd06cf464610f324c3_floxif_icedid.exe | GET | 403 | 96.126.123.244:80 | http://www.aieov.com/logo.gif | unknown | malicious
1812 | 2025-02-27_5ede1711fdd104fd06cf464610f324c3_floxif_icedid.exe | GET | 403 | 96.126.123.244:80 | http://www.aieov.com/logo.gif | unknown | malicious
5084 | Installer.exe | GET | - | 195.22.144.89:80 | http://pdc-live-launcherhost.ubi.com/Launcher/Launcher.application | unknown | whitelisted
5084 | Installer.exe | POST | - | 195.22.144.89:80 | http://pdc-live-launcherhost.ubi.com/UpdateService/UpdateService.svc/Tracking | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 192.168.100.255:138 | - | - | - | whitelisted
2104 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1812 | 2025-02-27_5ede1711fdd104fd06cf464610f324c3_floxif_icedid.exe | 96.126.123.244:80 | www.aieov.com | Linode, LLC | US | malicious
2104 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1188 | DXSETUP.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5084 | Installer.exe | 104.18.38.233:80 | ocsp.usertrust.com | CLOUDFLARENET | - | whitelisted
5084 | Installer.exe | 172.64.149.23:80 | ocsp.usertrust.com | CLOUDFLARENET | US | whitelisted
5084 | Installer.exe | 195.22.144.89:80 | pdc-live-launcherhost.ubi.com | Ubisoft International SAS | FR | whitelisted

DNS requests

Domain | Resolved IPs | Reputation
settings-win.data.microsoft.com | 51.104.136.2, 4.231.128.59 | whitelisted
google.com | 216.58.212.142 | whitelisted
5isohu.com | - | whitelisted
www.aieov.com | 96.126.123.244, 45.56.79.23, 45.33.2.79, 198.58.118.167, 45.33.23.183, 45.33.18.44, 72.14.178.174, 45.79.19.196, 45.33.20.235, 45.33.30.197, 72.14.185.43, 173.255.194.134 | malicious
crl.microsoft.com | 23.48.23.156, 23.48.23.143 | whitelisted
ocsp.usertrust.com | 104.18.38.233, 172.64.149.23 | whitelisted
crl.usertrust.com | 172.64.149.23, 104.18.38.233 | whitelisted
ocsp.comodoca.com | 172.64.149.23, 104.18.38.233 | whitelisted
pdc-live-launcherhost.ubi.com | 195.22.144.89 | whitelisted
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted

Threats

PID | Process | Class | Message
1812 | 2025-02-27_5ede1711fdd104fd06cf464610f324c3_floxif_icedid.exe | Malware Command and Control Activity Detected | MALWARE [ANY.RUN] Possible Floxif CnC Communication
1812 | 2025-02-27_5ede1711fdd104fd06cf464610f324c3_floxif_icedid.exe | Malware Command and Control Activity Detected | MALWARE [ANY.RUN] Possible Floxif CnC Communication
1812 | 2025-02-27_5ede1711fdd104fd06cf464610f324c3_floxif_icedid.exe | Malware Command and Control Activity Detected | MALWARE [ANY.RUN] Possible Floxif CnC Communication
1812 | 2025-02-27_5ede1711fdd104fd06cf464610f324c3_floxif_icedid.exe | Malware Command and Control Activity Detected | MALWARE [ANY.RUN] Possible Floxif CnC Communication
1812 | 2025-02-27_5ede1711fdd104fd06cf464610f324c3_floxif_icedid.exe | Malware Command and Control Activity Detected | MALWARE [ANY.RUN] Possible Floxif CnC Communication
1812 | 2025-02-27_5ede1711fdd104fd06cf464610f324c3_floxif_icedid.exe | Malware Command and Control Activity Detected | MALWARE [ANY.RUN] Possible Floxif CnC Communication
5084 | Installer.exe | Misc activity | SUSPICIOUS [ANY.RUN] Sent Host Name in HTTP POST Body