Analysis

max time kernel: 149s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2024, 12:30
Static task: static1

Behavioral task: behavioral1
Sample: 2024-11-11_d4d8d97c253668da0a3156954fcaa380_bkransomware_floxif_hijackloader.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: 2024-11-11_d4d8d97c253668da0a3156954fcaa380_bkransomware_floxif_hijackloader.exe
Resource: win10v2004-20241007-en
General

Target: 2024-11-11_d4d8d97c253668da0a3156954fcaa380_bkransomware_floxif_hijackloader.exe
Size: 14.4MB
MD5: d4d8d97c253668da0a3156954fcaa380
SHA1: c4d9d6d3ddf675d0899ba7abad8e6f7c34cd756a
SHA256: 704f980fd23351d44ff8751a6fa161caf409639f6a46fac0e261e6b606967cfb
SHA512: 8a54a5dfca3c8bb0e21ba2ad3d5cbe425a40c9bddef1ba59daec6b5b9807c864c9ae59252e0a1b958bc5210a372494bee08383e24484fdd46e0e972e2737bf08
SSDEEP: 98304:8TatQIZETGdOfW0+bs0ZmjBjcaw2lsuze/iBXsLVMZHvOyGCPvPZODByQNdXCd00:86t30t0u/Zk28XCd0LWkVgeXSL
Malware Config

Signatures

Floxif family

Detects Floxif payload 1 IoCs
  resource: behavioral2/files/0x000c000000023b35-1.dat  yara_rule: floxif
Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

A potential corporate email address has been identified in the URL: [email protected]
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
  resource: behavioral2/files/0x000c000000023b35-1.dat  yara_rule: acprotect

Loads dropped DLL 1 IoCs
  pid 748  2024-11-11_d4d8d97c253668da0a3156954fcaa380_bkransomware_floxif_hijackloader.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only)  \??\e:  2024-11-11_d4d8d97c253668da0a3156954fcaa380_bkransomware_floxif_hijackloader.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  pid 748  2024-11-11_d4d8d97c253668da0a3156954fcaa380_bkransomware_floxif_hijackloader.exe

resource  yara_rule
  behavioral2/memory/748-3-0x0000000010000000-0x0000000010030000-memory.dmp   upx
  behavioral2/files/0x000c000000023b35-1.dat                                   upx
  behavioral2/memory/748-51-0x0000000010000000-0x0000000010030000-memory.dmp  upx
  behavioral2/memory/748-64-0x0000000010000000-0x0000000010030000-memory.dmp  upx

Drops file in Program Files directory 2 IoCs
  File created  C:\Program Files\Common Files\System\symsrv.dll  2024-11-11_d4d8d97c253668da0a3156954fcaa380_bkransomware_floxif_hijackloader.exe
  File created  \??\c:\program files\common files\system\symsrv.dll.000  2024-11-11_d4d8d97c253668da0a3156954fcaa380_bkransomware_floxif_hijackloader.exe
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  2024-11-11_d4d8d97c253668da0a3156954fcaa380_bkransomware_floxif_hijackloader.exe
Enumerates system info in registry 2 TTPs 3 IoCs
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  msedge.exe

Modifies Internet Explorer settings 1 IoCs
  Set value (int)  \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Toast.gom = "11000"  2024-11-11_d4d8d97c253668da0a3156954fcaa380_bkransomware_floxif_hijackloader.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs
  pid 748   2024-11-11_d4d8d97c253668da0a3156954fcaa380_bkransomware_floxif_hijackloader.exe  (x2)
  pid 2736  msedge.exe  (x2)
  pid 4948  msedge.exe  (x2)
  pid 1248  identity_helper.exe  (x2)
  pid 2328  msedge.exe  (x4)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
  pid 4948  msedge.exe  (x9)

Suspicious use of AdjustPrivilegeToken 1 IoCs
  Token: SeDebugPrivilege  pid 748  2024-11-11_d4d8d97c253668da0a3156954fcaa380_bkransomware_floxif_hijackloader.exe

Suspicious use of FindShellTrayWindow 26 IoCs
  pid 748   2024-11-11_d4d8d97c253668da0a3156954fcaa380_bkransomware_floxif_hijackloader.exe  (x1)
  pid 4948  msedge.exe  (x25)

Suspicious use of SendNotifyMessage 25 IoCs
  pid 748   2024-11-11_d4d8d97c253668da0a3156954fcaa380_bkransomware_floxif_hijackloader.exe  (x1)
  pid 4948  msedge.exe  (x24)

Suspicious use of SetWindowsHookEx 6 IoCs
  pid 748  2024-11-11_d4d8d97c253668da0a3156954fcaa380_bkransomware_floxif_hijackloader.exe  (x6)

Suspicious use of WriteProcessMemory 64 IoCs
  PID 748 wrote to memory of 4948   2024-11-11_d4d8d97c253668da0a3156954fcaa380_bkransomware_floxif_hijackloader.exe  procid_target 97   (x2)
  PID 4948 wrote to memory of 2784  msedge.exe  procid_target 98   (x2)
  PID 4948 wrote to memory of 3608  msedge.exe  procid_target 99   (x40)
  PID 4948 wrote to memory of 2736  msedge.exe  procid_target 100  (x2)
  PID 4948 wrote to memory of 1020  msedge.exe  procid_target 101  (x18)
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\2024-11-11_d4d8d97c253668da0a3156954fcaa380_bkransomware_floxif_hijackloader.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-11-11_d4d8d97c253668da0a3156954fcaa380_bkransomware_floxif_hijackloader.exe"
  PID: 748
  - Loads dropped DLL
  - Enumerates connected drives
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://playinfo.gomlab.com/ending_browser.gom?product=GOMPLAYER
    PID: 4948
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8db4446f8,0x7ff8db444708,0x7ff8db444718
      PID: 2784

    Level 3: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2032,10616516867711770505,2229785551179884561,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
      PID: 3608

    Level 3: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2032,10616516867711770505,2229785551179884561,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
      PID: 2736
      - Suspicious behavior: EnumeratesProcesses

    Level 3: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2032,10616516867711770505,2229785551179884561,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8
      PID: 1020

    Level 3: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,10616516867711770505,2229785551179884561,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
      PID: 3636

    Level 3: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,10616516867711770505,2229785551179884561,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
      PID: 3396

    Level 3: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,10616516867711770505,2229785551179884561,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4088 /prefetch:1
      PID: 852

    Level 3: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,10616516867711770505,2229785551179884561,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:1
      PID: 4724

    Level 3: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,10616516867711770505,2229785551179884561,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
      PID: 4208

    Level 3: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,10616516867711770505,2229785551179884561,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6204 /prefetch:8
      PID: 2984

    Level 3: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,10616516867711770505,2229785551179884561,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6204 /prefetch:8
      PID: 1248
      - Suspicious behavior: EnumeratesProcesses

    Level 3: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,10616516867711770505,2229785551179884561,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5880 /prefetch:1
      PID: 1324

    Level 3: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,10616516867711770505,2229785551179884561,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5828 /prefetch:1
      PID: 4360

    Level 3: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,10616516867711770505,2229785551179884561,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
      PID: 5036

    Level 3: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,10616516867711770505,2229785551179884561,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1
      PID: 4992

    Level 3: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2032,10616516867711770505,2229785551179884561,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2776 /prefetch:2
      PID: 2328
      - Suspicious behavior: EnumeratesProcesses

Level 1: C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 4220

Level 1: C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 3816
Network
MITRE ATT&CK Enterprise v15
Downloads