floxif | 848a30813af6b5ee7b8c4613cd305df89a0b1d539c199fe49afd322f8d3f9ba1

Analysis

max time kernel
134s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-11-2024 12:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-19_f7ecab8e4e4d31561a85fae83426a508_bkransomware_floxif_hijackloader.exe
Size

14.4MB
MD5

f7ecab8e4e4d31561a85fae83426a508
SHA1

5ed0adf3bd13234aeb6b73e8c458e75b6c6b8e01
SHA256

848a30813af6b5ee7b8c4613cd305df89a0b1d539c199fe49afd322f8d3f9ba1
SHA512

0fc5d64c304d49f2f01ffd5780bb67ad48b3580aae3e0d082aee1911cafbc0bf0d58520779fc22444792fc560ed93cd3d4b8989899c0753dde6265d28ce07a0f
SSDEEP

98304:8pptQIZETGdOfW0+bs0ZmjBjcaw2lsuze/iBXsLVMZHvOyGCPvPZPDByQNdXCd0/:89t30t0u/Zk2/XCd0LWkVgeXSw

Score

10^/10

floxif backdoor discovery phishing trojan upx

Malware Config

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif

Detects Floxif payload 1 IoCs

backdoor

resource	yara_rule
behavioral2/files/0x000c000000023b3f-1.dat	floxif

A potential corporate email address has been identified in the URL: [email protected]
phishing

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000c000000023b3f-1.dat	acprotect

Loads dropped DLL 1 IoCs

pid	Process
4804	2024-11-19_f7ecab8e4e4d31561a85fae83426a508_bkransomware_floxif_hijackloader.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	2024-11-19_f7ecab8e4e4d31561a85fae83426a508_bkransomware_floxif_hijackloader.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4804	2024-11-19_f7ecab8e4e4d31561a85fae83426a508_bkransomware_floxif_hijackloader.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000c000000023b3f-1.dat	upx
behavioral2/memory/4804-3-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/4804-51-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/4804-80-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\symsrv.dll	2024-11-19_f7ecab8e4e4d31561a85fae83426a508_bkransomware_floxif_hijackloader.exe
File created	\??\c:\program files\common files\system\symsrv.dll.000	2024-11-19_f7ecab8e4e4d31561a85fae83426a508_bkransomware_floxif_hijackloader.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-19_f7ecab8e4e4d31561a85fae83426a508_bkransomware_floxif_hijackloader.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Toast.gom = "11000"	2024-11-19_f7ecab8e4e4d31561a85fae83426a508_bkransomware_floxif_hijackloader.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4804	2024-11-19_f7ecab8e4e4d31561a85fae83426a508_bkransomware_floxif_hijackloader.exe
4804	2024-11-19_f7ecab8e4e4d31561a85fae83426a508_bkransomware_floxif_hijackloader.exe
3112	msedge.exe
3112	msedge.exe
1496	msedge.exe
1496	msedge.exe
4632	identity_helper.exe
4632	identity_helper.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4804	2024-11-19_f7ecab8e4e4d31561a85fae83426a508_bkransomware_floxif_hijackloader.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4804	2024-11-19_f7ecab8e4e4d31561a85fae83426a508_bkransomware_floxif_hijackloader.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe

Suspicious use of SendNotifyMessage 25 IoCs

pid	Process
4804	2024-11-19_f7ecab8e4e4d31561a85fae83426a508_bkransomware_floxif_hijackloader.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4804	2024-11-19_f7ecab8e4e4d31561a85fae83426a508_bkransomware_floxif_hijackloader.exe
4804	2024-11-19_f7ecab8e4e4d31561a85fae83426a508_bkransomware_floxif_hijackloader.exe
4804	2024-11-19_f7ecab8e4e4d31561a85fae83426a508_bkransomware_floxif_hijackloader.exe
4804	2024-11-19_f7ecab8e4e4d31561a85fae83426a508_bkransomware_floxif_hijackloader.exe
4804	2024-11-19_f7ecab8e4e4d31561a85fae83426a508_bkransomware_floxif_hijackloader.exe
4804	2024-11-19_f7ecab8e4e4d31561a85fae83426a508_bkransomware_floxif_hijackloader.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4804 wrote to memory of 1496	4804	2024-11-19_f7ecab8e4e4d31561a85fae83426a508_bkransomware_floxif_hijackloader.exe	94
PID 4804 wrote to memory of 1496	4804	2024-11-19_f7ecab8e4e4d31561a85fae83426a508_bkransomware_floxif_hijackloader.exe	94
PID 1496 wrote to memory of 4604	1496	msedge.exe	95
PID 1496 wrote to memory of 4604	1496	msedge.exe	95
PID 1496 wrote to memory of 3552	1496	msedge.exe	96
PID 1496 wrote to memory of 3552	1496	msedge.exe	96
PID 1496 wrote to memory of 3552	1496	msedge.exe	96
PID 1496 wrote to memory of 3552	1496	msedge.exe	96
PID 1496 wrote to memory of 3552	1496	msedge.exe	96
PID 1496 wrote to memory of 3552	1496	msedge.exe	96
PID 1496 wrote to memory of 3552	1496	msedge.exe	96
PID 1496 wrote to memory of 3552	1496	msedge.exe	96
PID 1496 wrote to memory of 3552	1496	msedge.exe	96
PID 1496 wrote to memory of 3552	1496	msedge.exe	96
PID 1496 wrote to memory of 3552	1496	msedge.exe	96
PID 1496 wrote to memory of 3552	1496	msedge.exe	96
PID 1496 wrote to memory of 3552	1496	msedge.exe	96
PID 1496 wrote to memory of 3552	1496	msedge.exe	96
PID 1496 wrote to memory of 3552	1496	msedge.exe	96
PID 1496 wrote to memory of 3552	1496	msedge.exe	96
PID 1496 wrote to memory of 3552	1496	msedge.exe	96
PID 1496 wrote to memory of 3552	1496	msedge.exe	96
PID 1496 wrote to memory of 3552	1496	msedge.exe	96
PID 1496 wrote to memory of 3552	1496	msedge.exe	96
PID 1496 wrote to memory of 3552	1496	msedge.exe	96
PID 1496 wrote to memory of 3552	1496	msedge.exe	96
PID 1496 wrote to memory of 3552	1496	msedge.exe	96
PID 1496 wrote to memory of 3552	1496	msedge.exe	96
PID 1496 wrote to memory of 3552	1496	msedge.exe	96
PID 1496 wrote to memory of 3552	1496	msedge.exe	96
PID 1496 wrote to memory of 3552	1496	msedge.exe	96
PID 1496 wrote to memory of 3552	1496	msedge.exe	96
PID 1496 wrote to memory of 3552	1496	msedge.exe	96
PID 1496 wrote to memory of 3552	1496	msedge.exe	96
PID 1496 wrote to memory of 3552	1496	msedge.exe	96
PID 1496 wrote to memory of 3552	1496	msedge.exe	96
PID 1496 wrote to memory of 3552	1496	msedge.exe	96
PID 1496 wrote to memory of 3552	1496	msedge.exe	96
PID 1496 wrote to memory of 3552	1496	msedge.exe	96
PID 1496 wrote to memory of 3552	1496	msedge.exe	96
PID 1496 wrote to memory of 3552	1496	msedge.exe	96
PID 1496 wrote to memory of 3552	1496	msedge.exe	96
PID 1496 wrote to memory of 3552	1496	msedge.exe	96
PID 1496 wrote to memory of 3552	1496	msedge.exe	96
PID 1496 wrote to memory of 3112	1496	msedge.exe	97
PID 1496 wrote to memory of 3112	1496	msedge.exe	97
PID 1496 wrote to memory of 4140	1496	msedge.exe	98
PID 1496 wrote to memory of 4140	1496	msedge.exe	98
PID 1496 wrote to memory of 4140	1496	msedge.exe	98
PID 1496 wrote to memory of 4140	1496	msedge.exe	98
PID 1496 wrote to memory of 4140	1496	msedge.exe	98
PID 1496 wrote to memory of 4140	1496	msedge.exe	98
PID 1496 wrote to memory of 4140	1496	msedge.exe	98
PID 1496 wrote to memory of 4140	1496	msedge.exe	98
PID 1496 wrote to memory of 4140	1496	msedge.exe	98
PID 1496 wrote to memory of 4140	1496	msedge.exe	98
PID 1496 wrote to memory of 4140	1496	msedge.exe	98
PID 1496 wrote to memory of 4140	1496	msedge.exe	98
PID 1496 wrote to memory of 4140	1496	msedge.exe	98
PID 1496 wrote to memory of 4140	1496	msedge.exe	98
PID 1496 wrote to memory of 4140	1496	msedge.exe	98
PID 1496 wrote to memory of 4140	1496	msedge.exe	98
PID 1496 wrote to memory of 4140	1496	msedge.exe	98
PID 1496 wrote to memory of 4140	1496	msedge.exe	98

C:\Users\Admin\AppData\Local\Temp\2024-11-19_f7ecab8e4e4d31561a85fae83426a508_bkransomware_floxif_hijackloader.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-19_f7ecab8e4e4d31561a85fae83426a508_bkransomware_floxif_hijackloader.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://playinfo.gomlab.com/ending_browser.gom?product=GOMPLAYER
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1496
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8c1ba46f8,0x7ff8c1ba4708,0x7ff8c1ba4718
    3⤵
    PID:4604
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2212,18428318758095942525,9244709976053936405,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:2
    3⤵
    PID:3552
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2212,18428318758095942525,9244709976053936405,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3112
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2212,18428318758095942525,9244709976053936405,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2504 /prefetch:8
    3⤵
    PID:4140
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,18428318758095942525,9244709976053936405,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
    3⤵
    PID:1280
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,18428318758095942525,9244709976053936405,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
    3⤵
    PID:3596
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,18428318758095942525,9244709976053936405,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4856 /prefetch:1
    3⤵
    PID:2884
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,18428318758095942525,9244709976053936405,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
    3⤵
    PID:3428
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,18428318758095942525,9244709976053936405,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
    3⤵
    PID:1356
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2212,18428318758095942525,9244709976053936405,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6184 /prefetch:8
    3⤵
    PID:1680
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2212,18428318758095942525,9244709976053936405,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6184 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4632
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,18428318758095942525,9244709976053936405,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5940 /prefetch:1
    3⤵
    PID:4276
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,18428318758095942525,9244709976053936405,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:1
    3⤵
    PID:2916
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,18428318758095942525,9244709976053936405,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:1
    3⤵
    PID:212
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,18428318758095942525,9244709976053936405,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6328 /prefetch:1
    3⤵
    PID:2288
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2212,18428318758095942525,9244709976053936405,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1116

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3236

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e443ee4336fcf13c698b8ab5f3c173d0

SHA1
9bf70b16f03820cbe3158e1f1396b07b8ac9d75a

SHA256
79e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b

SHA512
cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56a4f78e21616a6e19da57228569489b

SHA1
21bfabbfc294d5f2aa1da825c5590d760483bc76

SHA256
d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb

SHA512
c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
936B

MD5
9911be4c3a93077901c722bbfe6f5042

SHA1
a5da1df45e4518d8fdec1be4a3bafcd1dbf088b9

SHA256
ea16ab66ef72228a7af214f75b457ebfb9f5793a9394fd6e95926816e1006dd7

SHA512
4ef28a1ea1d22cf6dbff7e2f2a9776f2ac61e4b378274802f23834de5529018694a38b91b59ae3f411d1bf52058dd55cd9106cc5ff06920a750c8efe894bae9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
ab86f69c49879b496c48ca99fdddfad2

SHA1
a026291c4735e5477c27872b3996fb1818b0123a

SHA256
321ccca1044fe73c454ea774d5e59ec35f8b601599a8150469b1976c0033cb0c

SHA512
1f7bd682954e8384413f606f35f8c637c179f5b70a3d3e5fe7097d2a1f096caf4615f5c7c39c4f33108853ce47631810f9a22a77cfafe0c2cd326ea0caeacc64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
a343e8e9a1ae10eeb092d54cef226ce7

SHA1
7cefc5bf00e829ecde7cf7718f9aabc220a7090d

SHA256
3508ee20bd1868d03e9aa88587e9fb727007a50bbffce7ff6643bc6c0ef8a234

SHA512
7b93aac96db1aa408e912f0bc756e27acc167aa497b65553e73081acda6d7e7c541b3372330ab2e0520946c191265ed2d31cc8d14a6ed362e1eafd89453b2b6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
1c5294cf29a27b08aedfeb4674799dcb

SHA1
d2ba8401f33771a55e948843eabb6ed1dbd7d65f

SHA256
0dd257d80dcdf8e1a0c4241198a6d59708b4b04e594f980822743bdbcce75a0d

SHA512
73555614e9af39ee2b2ddcd863a487b329cee6c00b0c5fde73d6e5fa1a3b6626e064761156575e40054fcee2586495dcfcbc18bbe7e009694ec3975c2803a13a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5cfcb891539b62bdeb7d09d687c2f37b

SHA1
c3d8d5772aeaa6715e0fce3e67d720d2f3bbe616

SHA256
c69eb752de208da0d8153dd5e373fb71153f29a893650f952f01cf5cbc5186d1

SHA512
61bd72e56275f77469a0e98fe77a36e629aee9fd8e2f59967949fef300ff37dbf6190c649277c2150fd46388e65bf3e628908dbe245f55e1d7731dd90ecbdb36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
c430c5b05210a6ad6df041914bd925ba

SHA1
cea1345ddaf32663c8371fcc32d50d3f70b9ec26

SHA256
524cf05338b8241b3ec3602317bd96810ed9dbd5d24f56b0887a4b5b7cef678a

SHA512
cdf635de82343848c01c5080dcdb584d0bf1d87d3e1924db329a5d7ced8e0d20cca29d9c47a96498d57e8c3d5f1ad0a306fa03c6d0813711f5ea47569e64d939

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe584428.TMP

Filesize
48B

MD5
3ea278cc23a78fdea2b29036f958f49d

SHA1
02edd0b46010325a00b80081a1bc4db47422616c

SHA256
65e1ca6728ad95a30f8dd934c52a7fb1c0e475cedb4b23315643649aab8f24cf

SHA512
36f1717bd2d13379043c52602c3d7581d0ff35e5fbf20d7abc48d6cfefdff55fbc9d2c3e05bfad623272ab399e23aa77586139e0b9e6f524567c5d96f3bec406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
83e99c670b377a982f8391d41b64361c

SHA1
e8f40dda30d9391f924f3c40227c9ecd36579da3

SHA256
666fe2eb7391b3387d9fb5ae0966b44d75661924162e97ebeeb755fa6ae0481e

SHA512
52855bc8a95cc2272c63dc24f68e550b4b3ec5759282322e793bbcd524b7799c9455ed3f87e2e4a8e4b84cc0c41f5f4b81bec5a8ed2a026029261b3912b52133

Download Submit
C:\Users\Admin\AppData\Local\Temp\A1D26E2\AE037DC12C4.tmp

Filesize
14.3MB

MD5
7740b91aa5877cd86117db93dc5b0426

SHA1
b02a401b86aaa41768a15e4f027dccb812341fb7

SHA256
44df3a987ad432ea7942d8923dd2a8e29f3204119274ace5b0c5181838557564

SHA512
88890d8956872c8369ed2b3ede2349ae7021a770182dc3904f1ed983ae006355067d294abd0c5d77fc40c20cbad9e33e76bb29fd4d778f11079926bbc58e810f

Download Submit
memory/4804-49-0x0000000000120000-0x0000000000F94000-memory.dmp

Filesize
14.5MB

Download
memory/4804-51-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4804-78-0x0000000000120000-0x0000000000F94000-memory.dmp

Filesize
14.5MB

Download
memory/4804-80-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4804-3-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download