Analysis Overview
SHA256
704f980fd23351d44ff8751a6fa161caf409639f6a46fac0e261e6b606967cfb
Threat Level: Known bad
The file 2024-11-11_d4d8d97c253668da0a3156954fcaa380_bkransomware_floxif_hijackloader was found to be: Known bad.
Malicious Activity Summary
Floxif family
Floxif, Floodfix
Detects Floxif payload
Event Triggered Execution: AppInit DLLs
A potential corporate email address has been identified in the URL: [email protected]
ACProtect 1.3x - 1.4x DLL software
Loads dropped DLL
Enumerates connected drives
Suspicious use of NtSetInformationThreadHideFromDebugger
UPX packed file
Drops file in Program Files directory
Browser Information Discovery
System Location Discovery: System Language Discovery
Modifies system certificate store
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Enumerates system info in registry
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Modifies Internet Explorer settings
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-11 12:30
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-11 12:30
Reported
2024-11-11 12:33
Platform
win7-20240903-en
Max time kernel
117s
Max time network
119s
Command Line
Signatures
Floxif family
Floxif, Floodfix
Detects Floxif payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-11_d4d8d97c253668da0a3156954fcaa380_bkransomware_floxif_hijackloader.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\e: | C:\Users\Admin\AppData\Local\Temp\2024-11-11_d4d8d97c253668da0a3156954fcaa380_bkransomware_floxif_hijackloader.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-11_d4d8d97c253668da0a3156954fcaa380_bkransomware_floxif_hijackloader.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Common Files\System\symsrv.dll | C:\Users\Admin\AppData\Local\Temp\2024-11-11_d4d8d97c253668da0a3156954fcaa380_bkransomware_floxif_hijackloader.exe | N/A |
| File created | \??\c:\program files\common files\system\symsrv.dll.000 | C:\Users\Admin\AppData\Local\Temp\2024-11-11_d4d8d97c253668da0a3156954fcaa380_bkransomware_floxif_hijackloader.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-11_d4d8d97c253668da0a3156954fcaa380_bkransomware_floxif_hijackloader.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 | C:\Users\Admin\AppData\Local\Temp\2024-11-11_d4d8d97c253668da0a3156954fcaa380_bkransomware_floxif_hijackloader.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 | C:\Users\Admin\AppData\Local\Temp\2024-11-11_d4d8d97c253668da0a3156954fcaa380_bkransomware_floxif_hijackloader.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 | C:\Users\Admin\AppData\Local\Temp\2024-11-11_d4d8d97c253668da0a3156954fcaa380_bkransomware_floxif_hijackloader.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 | C:\Users\Admin\AppData\Local\Temp\2024-11-11_d4d8d97c253668da0a3156954fcaa380_bkransomware_floxif_hijackloader.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-11_d4d8d97c253668da0a3156954fcaa380_bkransomware_floxif_hijackloader.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-11_d4d8d97c253668da0a3156954fcaa380_bkransomware_floxif_hijackloader.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-11_d4d8d97c253668da0a3156954fcaa380_bkransomware_floxif_hijackloader.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-11_d4d8d97c253668da0a3156954fcaa380_bkransomware_floxif_hijackloader.exe | N/A |
Suspicious use of SetWindowsHookEx
Processes
C:\Users\Admin\AppData\Local\Temp\2024-11-11_d4d8d97c253668da0a3156954fcaa380_bkransomware_floxif_hijackloader.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-11_d4d8d97c253668da0a3156954fcaa380_bkransomware_floxif_hijackloader.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | playinfo.gomlab.com | udp |
| US | 8.8.8.8:53 | log.gomlab.com | udp |
| US | 8.8.8.8:53 | 5isohu.com | udp |
| US | 54.173.103.48:80 | log.gomlab.com | tcp |
| GB | 18.172.88.22:443 | playinfo.gomlab.com | tcp |
| GB | 18.172.88.22:443 | playinfo.gomlab.com | tcp |
| GB | 18.172.88.22:443 | playinfo.gomlab.com | tcp |
| GB | 18.172.88.22:443 | playinfo.gomlab.com | tcp |
| US | 8.8.8.8:53 | www.aieov.com | udp |
| US | 45.79.19.196:80 | www.aieov.com | tcp |
| GB | 18.172.88.22:443 | playinfo.gomlab.com | tcp |
| GB | 18.172.88.22:443 | playinfo.gomlab.com | tcp |
| GB | 18.172.88.22:443 | playinfo.gomlab.com | tcp |
| GB | 18.172.88.22:443 | playinfo.gomlab.com | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.19.117.22:80 | crl.microsoft.com | tcp |
Files
\Program Files\Common Files\System\symsrv.dll
| MD5 | 7574cf2c64f35161ab1292e2f532aabf |
| SHA1 | 14ba3fa927a06224dfe587014299e834def4644f |
| SHA256 | de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085 |
| SHA512 | 4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab |
memory/2676-3-0x0000000010000000-0x0000000010030000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\A1D26E2\A1CB95CA74.tmp
| MD5 | 7740b91aa5877cd86117db93dc5b0426 |
| SHA1 | b02a401b86aaa41768a15e4f027dccb812341fb7 |
| SHA256 | 44df3a987ad432ea7942d8923dd2a8e29f3204119274ace5b0c5181838557564 |
| SHA512 | 88890d8956872c8369ed2b3ede2349ae7021a770182dc3904f1ed983ae006355067d294abd0c5d77fc40c20cbad9e33e76bb29fd4d778f11079926bbc58e810f |
C:\Users\Admin\AppData\Local\Temp\CabA508.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarA624.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
memory/2676-83-0x0000000010000000-0x0000000010030000-memory.dmp
memory/2676-82-0x0000000010000000-0x0000000010030000-memory.dmp
memory/2676-81-0x0000000000900000-0x0000000001774000-memory.dmp
memory/2676-87-0x0000000010000000-0x0000000010030000-memory.dmp
memory/2676-85-0x0000000000900000-0x0000000001774000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-11 12:30
Reported
2024-11-11 12:33
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
149s
Command Line
Signatures
Floxif family
Floxif, Floodfix
Detects Floxif payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Event Triggered Execution: AppInit DLLs
A potential corporate email address has been identified in the URL: [email protected]
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-11_d4d8d97c253668da0a3156954fcaa380_bkransomware_floxif_hijackloader.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\e: | C:\Users\Admin\AppData\Local\Temp\2024-11-11_d4d8d97c253668da0a3156954fcaa380_bkransomware_floxif_hijackloader.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-11_d4d8d97c253668da0a3156954fcaa380_bkransomware_floxif_hijackloader.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Common Files\System\symsrv.dll | C:\Users\Admin\AppData\Local\Temp\2024-11-11_d4d8d97c253668da0a3156954fcaa380_bkransomware_floxif_hijackloader.exe | N/A |
| File created | \??\c:\program files\common files\system\symsrv.dll.000 | C:\Users\Admin\AppData\Local\Temp\2024-11-11_d4d8d97c253668da0a3156954fcaa380_bkransomware_floxif_hijackloader.exe | N/A |
Browser Information Discovery
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-11_d4d8d97c253668da0a3156954fcaa380_bkransomware_floxif_hijackloader.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Toast.gom = "11000" | C:\Users\Admin\AppData\Local\Temp\2024-11-11_d4d8d97c253668da0a3156954fcaa380_bkransomware_floxif_hijackloader.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-11_d4d8d97c253668da0a3156954fcaa380_bkransomware_floxif_hijackloader.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-11-11_d4d8d97c253668da0a3156954fcaa380_bkransomware_floxif_hijackloader.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-11_d4d8d97c253668da0a3156954fcaa380_bkransomware_floxif_hijackloader.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://playinfo.gomlab.com/ending_browser.gom?product=GOMPLAYER
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8db4446f8,0x7ff8db444708,0x7ff8db444718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2032,10616516867711770505,2229785551179884561,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2032,10616516867711770505,2229785551179884561,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2032,10616516867711770505,2229785551179884561,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,10616516867711770505,2229785551179884561,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,10616516867711770505,2229785551179884561,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,10616516867711770505,2229785551179884561,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4088 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,10616516867711770505,2229785551179884561,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,10616516867711770505,2229785551179884561,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,10616516867711770505,2229785551179884561,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6204 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,10616516867711770505,2229785551179884561,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6204 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,10616516867711770505,2229785551179884561,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5880 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,10616516867711770505,2229785551179884561,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5828 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,10616516867711770505,2229785551179884561,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,10616516867711770505,2229785551179884561,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2032,10616516867711770505,2229785551179884561,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2776 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5isohu.com | udp |
| US | 8.8.8.8:53 | www.aieov.com | udp |
| US | 96.126.123.244:80 | www.aieov.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 244.123.126.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | playinfo.gomlab.com | udp |
| GB | 18.172.88.117:443 | playinfo.gomlab.com | tcp |
| US | 8.8.8.8:53 | log.gomlab.com | udp |
| US | 54.173.103.48:80 | log.gomlab.com | tcp |
| US | 8.8.8.8:53 | 117.88.172.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.103.173.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5isohu.com | udp |
| US | 96.126.123.244:80 | www.aieov.com | tcp |
| US | 8.8.8.8:53 | 5isohu.com | udp |
| US | 96.126.123.244:80 | www.aieov.com | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| GB | 18.172.88.117:443 | playinfo.gomlab.com | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | playinfo.gomlab.com | udp |
| GB | 18.172.88.50:443 | playinfo.gomlab.com | tcp |
| US | 8.8.8.8:53 | www.gomlab.com | udp |
| GB | 3.162.20.24:443 | www.gomlab.com | tcp |
| US | 8.8.8.8:53 | 50.88.172.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 238.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.20.162.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | region1.google-analytics.com | udp |
| US | 216.239.32.36:443 | region1.google-analytics.com | tcp |
| GB | 3.162.20.24:443 | www.gomlab.com | tcp |
| GB | 3.162.20.24:443 | www.gomlab.com | tcp |
| GB | 3.162.20.24:443 | www.gomlab.com | tcp |
| GB | 3.162.20.24:443 | www.gomlab.com | tcp |
| GB | 3.162.20.24:443 | www.gomlab.com | tcp |
| US | 8.8.8.8:53 | 200.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 36.32.239.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wsa.mig-log.com | udp |
| KR | 3.38.213.81:443 | wsa.mig-log.com | tcp |
| KR | 3.38.213.81:443 | wsa.mig-log.com | tcp |
| US | 8.8.8.8:53 | s3.ap-northeast-2.amazonaws.com | udp |
| KR | 52.219.58.129:443 | s3.ap-northeast-2.amazonaws.com | tcp |
| US | 8.8.8.8:53 | connect.facebook.net | udp |
| US | 8.8.8.8:53 | static.ads-twitter.com | udp |
| US | 8.8.8.8:53 | dmp.im-apps.net | udp |
| US | 8.8.8.8:53 | analytics.tiktok.com | udp |
| GB | 146.75.72.157:443 | static.ads-twitter.com | tcp |
| GB | 95.100.104.12:443 | analytics.tiktok.com | tcp |
| GB | 163.70.151.21:443 | connect.facebook.net | tcp |
| GB | 2.22.249.207:443 | dmp.im-apps.net | tcp |
| KR | 52.219.58.129:443 | s3.ap-northeast-2.amazonaws.com | tcp |
| US | 8.8.8.8:53 | 81.213.38.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.72.75.146.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 12.104.100.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 207.249.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.151.70.163.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.58.219.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.co | udp |
| US | 8.8.8.8:53 | analytics.twitter.com | udp |
| US | 162.159.140.229:443 | t.co | tcp |
| US | 104.244.42.195:443 | analytics.twitter.com | tcp |
| US | 8.8.8.8:53 | sync6.im-apps.net | udp |
| GB | 2.22.249.39:443 | sync6.im-apps.net | tcp |
| US | 8.8.8.8:53 | b6.im-apps.net | udp |
| KR | 3.38.213.81:443 | wsa.mig-log.com | tcp |
| US | 34.111.123.165:443 | b6.im-apps.net | tcp |
| US | 8.8.8.8:53 | 229.140.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.42.244.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 39.249.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 165.123.111.34.in-addr.arpa | udp |
| KR | 3.38.213.81:443 | wsa.mig-log.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | region1.analytics.google.com | udp |
| US | 8.8.8.8:53 | bat.bing.com | udp |
| US | 8.8.8.8:53 | s.yimg.jp | udp |
| GB | 142.250.180.4:443 | www.google.com | tcp |
| US | 150.171.27.10:443 | bat.bing.com | tcp |
| JP | 183.79.219.124:443 | s.yimg.jp | tcp |
| US | 216.239.32.36:443 | region1.analytics.google.com | tcp |
| US | 34.111.123.165:443 | b6.im-apps.net | udp |
| US | 8.8.8.8:53 | www.clarity.ms | udp |
| US | 13.107.246.65:443 | www.clarity.ms | tcp |
| US | 8.8.8.8:53 | googleads.g.doubleclick.net | udp |
| JP | 183.79.219.124:443 | s.yimg.jp | tcp |
| US | 8.8.8.8:53 | www.google.co.uk | udp |
| GB | 172.217.169.34:443 | googleads.g.doubleclick.net | tcp |
| GB | 216.58.204.67:443 | www.google.co.uk | tcp |
| GB | 142.250.180.4:443 | www.google.com | udp |
| US | 8.8.8.8:53 | stats.g.doubleclick.net | udp |
| GB | 172.217.169.34:443 | googleads.g.doubleclick.net | udp |
| BE | 66.102.1.157:443 | stats.g.doubleclick.net | tcp |
| GB | 216.58.204.67:443 | www.google.co.uk | udp |
| US | 8.8.8.8:53 | repository.secomtrust.net | udp |
| US | 8.8.8.8:53 | 4.180.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.246.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.204.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 124.219.79.183.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.1.102.66.in-addr.arpa | udp |
| JP | 61.114.177.151:80 | repository.secomtrust.net | tcp |
| JP | 61.114.177.151:80 | repository.secomtrust.net | tcp |
| US | 8.8.8.8:53 | atb.im-apps.net | udp |
| US | 35.241.35.91:443 | atb.im-apps.net | tcp |
| US | 8.8.8.8:53 | atm.im-apps.net | udp |
| US | 8.8.8.8:53 | insight.adsrvr.org | udp |
| US | 3.33.220.150:443 | insight.adsrvr.org | tcp |
| US | 34.120.216.28:443 | atm.im-apps.net | tcp |
| US | 8.8.8.8:53 | b.clarity.ms | udp |
| US | 4.153.129.168:443 | b.clarity.ms | tcp |
| US | 8.8.8.8:53 | www.facebook.com | udp |
| GB | 163.70.151.35:443 | www.facebook.com | tcp |
| US | 8.8.8.8:53 | b.im-apps.net | udp |
| US | 34.49.1.209:443 | b.im-apps.net | tcp |
| US | 4.153.129.168:443 | b.clarity.ms | tcp |
| US | 8.8.8.8:53 | 28.216.120.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 150.220.33.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.35.241.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 151.177.114.61.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 168.129.153.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.151.70.163.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.1.49.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | c.clarity.ms | udp |
| IE | 13.74.129.1:443 | c.clarity.ms | tcp |
| US | 8.8.8.8:53 | 8941176.fls.doubleclick.net | udp |
| GB | 142.250.200.6:443 | 8941176.fls.doubleclick.net | tcp |
| US | 8.8.8.8:53 | c.bing.com | udp |
| US | 13.107.21.237:443 | c.bing.com | tcp |
| GB | 142.250.200.6:443 | 8941176.fls.doubleclick.net | udp |
| US | 8.8.8.8:53 | 1.129.74.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 6.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | 226.16.217.172.in-addr.arpa | udp |
| US | 216.239.32.36:443 | region1.analytics.google.com | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 4.153.129.168:443 | b.clarity.ms | tcp |
| US | 4.153.129.168:443 | b.clarity.ms | tcp |
| US | 8.8.8.8:53 | 71.209.201.84.in-addr.arpa | udp |
| US | 4.153.129.168:443 | b.clarity.ms | tcp |
| US | 8.8.8.8:53 | b.clarity.ms | udp |
| US | 4.153.129.168:443 | b.clarity.ms | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 4.153.129.168:443 | b.clarity.ms | tcp |
| US | 4.153.129.168:443 | b.clarity.ms | tcp |
Files
memory/748-3-0x0000000010000000-0x0000000010030000-memory.dmp
C:\Program Files\Common Files\System\symsrv.dll
| MD5 | 7574cf2c64f35161ab1292e2f532aabf |
| SHA1 | 14ba3fa927a06224dfe587014299e834def4644f |
| SHA256 | de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085 |
| SHA512 | 4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab |
C:\Users\Admin\AppData\Local\Temp\A1D26E2\AC1EC442EC.tmp
| MD5 | 7740b91aa5877cd86117db93dc5b0426 |
| SHA1 | b02a401b86aaa41768a15e4f027dccb812341fb7 |
| SHA256 | 44df3a987ad432ea7942d8923dd2a8e29f3204119274ace5b0c5181838557564 |
| SHA512 | 88890d8956872c8369ed2b3ede2349ae7021a770182dc3904f1ed983ae006355067d294abd0c5d77fc40c20cbad9e33e76bb29fd4d778f11079926bbc58e810f |
memory/748-51-0x0000000010000000-0x0000000010030000-memory.dmp
memory/748-49-0x0000000000B50000-0x00000000019C4000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | d22073dea53e79d9b824f27ac5e9813e |
| SHA1 | 6d8a7281241248431a1571e6ddc55798b01fa961 |
| SHA256 | 86713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6 |
| SHA512 | 97152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413 |
memory/748-64-0x0000000010000000-0x0000000010030000-memory.dmp
memory/748-62-0x0000000000B50000-0x00000000019C4000-memory.dmp
\??\pipe\LOCAL\crashpad_4948_ZDRRNTHXGSHBCZVS
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | bffcefacce25cd03f3d5c9446ddb903d |
| SHA1 | 8923f84aa86db316d2f5c122fe3874bbe26f3bab |
| SHA256 | 23e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405 |
| SHA512 | 761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | f9ce546cf5a66c7bd09e64a285f0e552 |
| SHA1 | 250c4566ceffc0b094e528a41296000dfb4b5c52 |
| SHA256 | 25829ce0b4713a1c5bb6acb7abd425ff490b7647bb48b38a4456342f71cde049 |
| SHA512 | c694de5f637307695631cf0b1ec292e44ebd42bfa35fcdf447f58e8f03142e98c21bbc588588d84149cea90ca5688d7eef2984596f51e21c62fda7bbe3b68ef4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | b922fd30dcaa13007f8d9f2315a13da5 |
| SHA1 | d325849bbba0d8028164e5b94ee83e75193e255d |
| SHA256 | 53c335afea2df1c9392b8b2cd9a5e304235d93c3bae51b5b16c0a67f7fc5da14 |
| SHA512 | 5c6e7afe16c926e60e10a5c220dcabf1903622ee32c8e527aa587267dd498059939e9a5b906c086c7c3c38882507625d37414c5dc4626f83720a4c08beeace6a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 37c1c7339def9cd643015b1c5a61e32b |
| SHA1 | 6f42f1c17fd45f662bde20e0f5f5ce6dad1fe16f |
| SHA256 | b4bb958fd0625248e80c20503a0fd5ab3c4402f86b99837942388272d2edd331 |
| SHA512 | 4de0e2e78bddcfe5447c88cb9372da1e7327bbaf2a246096e4d19e586acc42eef1e3f7336bcefcfd72aa6621437c037ea556dabdfdfdcbb302e5bd5b0621d523 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
| MD5 | 6a01cd51d0f8bae26500de4130fecc5b |
| SHA1 | 93ab4c5ed3b7bfad441102e97ab15299e9c1bc27 |
| SHA256 | 19ebdb7df271d37fc046da1f8b41a4bb72b4bd55b79d80a90ef990b88ab594af |
| SHA512 | fecd2fe768e8228b98df79ba0ddd43ac5595264ee30a1323737a1055c0efc42dd6ede04a797e284344e90d0f7a9bd70ccc440c79c3f7e4e345d9650cd3cfe19a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58340b.TMP
| MD5 | e817c5e10c50a4b5c3f15c1f51d50673 |
| SHA1 | 055b7a564b20a546789a808214b5afe68917a3cd |
| SHA256 | 23665b4970c8d3ad23021735d9e25aab36242abc1f4a599f4c8bd92b1a837d13 |
| SHA512 | e9fe15e5d0df2aa4f6a76bc67e779eef3de79837f16abfe47e4e57a44300528292f3b4a11890c42c901f4c0db2191f56904d64123e716d8201a041e63de1c73c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 2afd54189a17473c33b600f14ecb4540 |
| SHA1 | 41be6a02873ada0feae415b8b8af890b6194a974 |
| SHA256 | 9056eb5c8a9a7394da86f67bac7b0bc078fd817b7ca34af27b89f4078489fcac |
| SHA512 | b57ce9100fcbcf8d140187fa5c96c2b6e0449f8df681db2f3ead421da1e3a27e72ed26eafaba5c23065a097b4d3fefc643b2ce322c3e6c4d4fc79d8f18d71a25 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | db643cf4260cb28166695e1cd2abff9b |
| SHA1 | 50056dfc53db5c327a3c47922f994d4a6b94a762 |
| SHA256 | bdcb5f651e49a273b69fc6a39007afc40cce0f5f9392c7350a5730fe728a8435 |
| SHA512 | 89f971c49d4aba205fdb4be09eef73a534d38f55164b9f25a837aa2848766e6a04c8bc022ca8caf828d0a06eeb706a07cc4d41edf4d222383e64073660973f15 |