floxif | 2fd8b84d9583c00eabe559aaa2347e657a34ca34c3927fe0ce31959b8d362fdd

Analysis

max time kernel
134s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-11-2024 12:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-20_d8efab44ee8888396e9001774bcfabfe_bkransomware_floxif_hijackloader.exe
Size

14.4MB
MD5

d8efab44ee8888396e9001774bcfabfe
SHA1

6d22a7bb86e216be35a0272733e73ba995b3583a
SHA256

2fd8b84d9583c00eabe559aaa2347e657a34ca34c3927fe0ce31959b8d362fdd
SHA512

f7c3dd1a63b12daaedc2c79f56557b288a60f5c3f01b3260395d4424c69aff22b5220db22be67ef02e842dab4e294c94773f1a9ea4771e364b35c0d371332fde
SSDEEP

98304:8TatQIZETGdOfW0+bs0ZmjBjcaw2lsuze/iBXsLVMZHvOyGCPvPZFDByQNdXCd0I:8it30t0u/Zk2hXCd0LWkVgeXSL

Score

10^/10

floxif backdoor discovery phishing trojan upx

Malware Config

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif

Detects Floxif payload 1 IoCs

backdoor

Processes:

resource	yara_rule
behavioral2/files/0x000a000000023bf9-1.dat	floxif

A potential corporate email address has been identified in the URL: [email protected]
phishing

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
behavioral2/files/0x000a000000023bf9-1.dat	acprotect

Loads dropped DLL 1 IoCs

Processes:

2024-11-20_d8efab44ee8888396e9001774bcfabfe_bkransomware_floxif_hijackloader.exe

pid	Process
3480	2024-11-20_d8efab44ee8888396e9001774bcfabfe_bkransomware_floxif_hijackloader.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

2024-11-20_d8efab44ee8888396e9001774bcfabfe_bkransomware_floxif_hijackloader.exe

description	ioc	Process
File opened (read-only)	\??\e:	2024-11-20_d8efab44ee8888396e9001774bcfabfe_bkransomware_floxif_hijackloader.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

2024-11-20_d8efab44ee8888396e9001774bcfabfe_bkransomware_floxif_hijackloader.exe

pid	Process
3480	2024-11-20_d8efab44ee8888396e9001774bcfabfe_bkransomware_floxif_hijackloader.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3480-3-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/files/0x000a000000023bf9-1.dat	upx
behavioral2/memory/3480-49-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/3480-79-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

Processes:

2024-11-20_d8efab44ee8888396e9001774bcfabfe_bkransomware_floxif_hijackloader.exe

description	ioc	Process
File created	C:\Program Files\Common Files\System\symsrv.dll	2024-11-20_d8efab44ee8888396e9001774bcfabfe_bkransomware_floxif_hijackloader.exe
File created	\??\c:\program files\common files\system\symsrv.dll.000	2024-11-20_d8efab44ee8888396e9001774bcfabfe_bkransomware_floxif_hijackloader.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

2024-11-20_d8efab44ee8888396e9001774bcfabfe_bkransomware_floxif_hijackloader.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-20_d8efab44ee8888396e9001774bcfabfe_bkransomware_floxif_hijackloader.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

2024-11-20_d8efab44ee8888396e9001774bcfabfe_bkransomware_floxif_hijackloader.exe

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Toast.gom = "11000"	2024-11-20_d8efab44ee8888396e9001774bcfabfe_bkransomware_floxif_hijackloader.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

2024-11-20_d8efab44ee8888396e9001774bcfabfe_bkransomware_floxif_hijackloader.exemsedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	Process
3480	2024-11-20_d8efab44ee8888396e9001774bcfabfe_bkransomware_floxif_hijackloader.exe
3480	2024-11-20_d8efab44ee8888396e9001774bcfabfe_bkransomware_floxif_hijackloader.exe
3644	msedge.exe
3644	msedge.exe
2548	msedge.exe
2548	msedge.exe
4360	identity_helper.exe
4360	identity_helper.exe
6140	msedge.exe
6140	msedge.exe
6140	msedge.exe
6140	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

msedge.exe

pid	Process
2548	msedge.exe
2548	msedge.exe
2548	msedge.exe
2548	msedge.exe
2548	msedge.exe
2548	msedge.exe
2548	msedge.exe
2548	msedge.exe
2548	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

2024-11-20_d8efab44ee8888396e9001774bcfabfe_bkransomware_floxif_hijackloader.exe

description	pid	Process
Token: SeDebugPrivilege	3480	2024-11-20_d8efab44ee8888396e9001774bcfabfe_bkransomware_floxif_hijackloader.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

2024-11-20_d8efab44ee8888396e9001774bcfabfe_bkransomware_floxif_hijackloader.exemsedge.exe

pid	Process
3480	2024-11-20_d8efab44ee8888396e9001774bcfabfe_bkransomware_floxif_hijackloader.exe
2548	msedge.exe
2548	msedge.exe
2548	msedge.exe
2548	msedge.exe
2548	msedge.exe
2548	msedge.exe
2548	msedge.exe
2548	msedge.exe
2548	msedge.exe
2548	msedge.exe
2548	msedge.exe
2548	msedge.exe
2548	msedge.exe
2548	msedge.exe
2548	msedge.exe
2548	msedge.exe
2548	msedge.exe
2548	msedge.exe
2548	msedge.exe
2548	msedge.exe
2548	msedge.exe
2548	msedge.exe
2548	msedge.exe
2548	msedge.exe
2548	msedge.exe

Suspicious use of SendNotifyMessage 25 IoCs

Processes:

2024-11-20_d8efab44ee8888396e9001774bcfabfe_bkransomware_floxif_hijackloader.exemsedge.exe

pid	Process
3480	2024-11-20_d8efab44ee8888396e9001774bcfabfe_bkransomware_floxif_hijackloader.exe
2548	msedge.exe
2548	msedge.exe
2548	msedge.exe
2548	msedge.exe
2548	msedge.exe
2548	msedge.exe
2548	msedge.exe
2548	msedge.exe
2548	msedge.exe
2548	msedge.exe
2548	msedge.exe
2548	msedge.exe
2548	msedge.exe
2548	msedge.exe
2548	msedge.exe
2548	msedge.exe
2548	msedge.exe
2548	msedge.exe
2548	msedge.exe
2548	msedge.exe
2548	msedge.exe
2548	msedge.exe
2548	msedge.exe
2548	msedge.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

2024-11-20_d8efab44ee8888396e9001774bcfabfe_bkransomware_floxif_hijackloader.exe

pid	Process
3480	2024-11-20_d8efab44ee8888396e9001774bcfabfe_bkransomware_floxif_hijackloader.exe
3480	2024-11-20_d8efab44ee8888396e9001774bcfabfe_bkransomware_floxif_hijackloader.exe
3480	2024-11-20_d8efab44ee8888396e9001774bcfabfe_bkransomware_floxif_hijackloader.exe
3480	2024-11-20_d8efab44ee8888396e9001774bcfabfe_bkransomware_floxif_hijackloader.exe
3480	2024-11-20_d8efab44ee8888396e9001774bcfabfe_bkransomware_floxif_hijackloader.exe
3480	2024-11-20_d8efab44ee8888396e9001774bcfabfe_bkransomware_floxif_hijackloader.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-11-20_d8efab44ee8888396e9001774bcfabfe_bkransomware_floxif_hijackloader.exemsedge.exe

description	pid	Process	procid_target
PID 3480 wrote to memory of 2548	3480	2024-11-20_d8efab44ee8888396e9001774bcfabfe_bkransomware_floxif_hijackloader.exe	92
PID 3480 wrote to memory of 2548	3480	2024-11-20_d8efab44ee8888396e9001774bcfabfe_bkransomware_floxif_hijackloader.exe	92
PID 2548 wrote to memory of 5108	2548	msedge.exe	93
PID 2548 wrote to memory of 5108	2548	msedge.exe	93
PID 2548 wrote to memory of 2720	2548	msedge.exe	94
PID 2548 wrote to memory of 2720	2548	msedge.exe	94
PID 2548 wrote to memory of 2720	2548	msedge.exe	94
PID 2548 wrote to memory of 2720	2548	msedge.exe	94
PID 2548 wrote to memory of 2720	2548	msedge.exe	94
PID 2548 wrote to memory of 2720	2548	msedge.exe	94
PID 2548 wrote to memory of 2720	2548	msedge.exe	94
PID 2548 wrote to memory of 2720	2548	msedge.exe	94
PID 2548 wrote to memory of 2720	2548	msedge.exe	94
PID 2548 wrote to memory of 2720	2548	msedge.exe	94
PID 2548 wrote to memory of 2720	2548	msedge.exe	94
PID 2548 wrote to memory of 2720	2548	msedge.exe	94
PID 2548 wrote to memory of 2720	2548	msedge.exe	94
PID 2548 wrote to memory of 2720	2548	msedge.exe	94
PID 2548 wrote to memory of 2720	2548	msedge.exe	94
PID 2548 wrote to memory of 2720	2548	msedge.exe	94
PID 2548 wrote to memory of 2720	2548	msedge.exe	94
PID 2548 wrote to memory of 2720	2548	msedge.exe	94
PID 2548 wrote to memory of 2720	2548	msedge.exe	94
PID 2548 wrote to memory of 2720	2548	msedge.exe	94
PID 2548 wrote to memory of 2720	2548	msedge.exe	94
PID 2548 wrote to memory of 2720	2548	msedge.exe	94
PID 2548 wrote to memory of 2720	2548	msedge.exe	94
PID 2548 wrote to memory of 2720	2548	msedge.exe	94
PID 2548 wrote to memory of 2720	2548	msedge.exe	94
PID 2548 wrote to memory of 2720	2548	msedge.exe	94
PID 2548 wrote to memory of 2720	2548	msedge.exe	94
PID 2548 wrote to memory of 2720	2548	msedge.exe	94
PID 2548 wrote to memory of 2720	2548	msedge.exe	94
PID 2548 wrote to memory of 2720	2548	msedge.exe	94
PID 2548 wrote to memory of 2720	2548	msedge.exe	94
PID 2548 wrote to memory of 2720	2548	msedge.exe	94
PID 2548 wrote to memory of 2720	2548	msedge.exe	94
PID 2548 wrote to memory of 2720	2548	msedge.exe	94
PID 2548 wrote to memory of 2720	2548	msedge.exe	94
PID 2548 wrote to memory of 2720	2548	msedge.exe	94
PID 2548 wrote to memory of 2720	2548	msedge.exe	94
PID 2548 wrote to memory of 2720	2548	msedge.exe	94
PID 2548 wrote to memory of 2720	2548	msedge.exe	94
PID 2548 wrote to memory of 2720	2548	msedge.exe	94
PID 2548 wrote to memory of 3644	2548	msedge.exe	95
PID 2548 wrote to memory of 3644	2548	msedge.exe	95
PID 2548 wrote to memory of 4396	2548	msedge.exe	96
PID 2548 wrote to memory of 4396	2548	msedge.exe	96
PID 2548 wrote to memory of 4396	2548	msedge.exe	96
PID 2548 wrote to memory of 4396	2548	msedge.exe	96
PID 2548 wrote to memory of 4396	2548	msedge.exe	96
PID 2548 wrote to memory of 4396	2548	msedge.exe	96
PID 2548 wrote to memory of 4396	2548	msedge.exe	96
PID 2548 wrote to memory of 4396	2548	msedge.exe	96
PID 2548 wrote to memory of 4396	2548	msedge.exe	96
PID 2548 wrote to memory of 4396	2548	msedge.exe	96
PID 2548 wrote to memory of 4396	2548	msedge.exe	96
PID 2548 wrote to memory of 4396	2548	msedge.exe	96
PID 2548 wrote to memory of 4396	2548	msedge.exe	96
PID 2548 wrote to memory of 4396	2548	msedge.exe	96
PID 2548 wrote to memory of 4396	2548	msedge.exe	96
PID 2548 wrote to memory of 4396	2548	msedge.exe	96
PID 2548 wrote to memory of 4396	2548	msedge.exe	96
PID 2548 wrote to memory of 4396	2548	msedge.exe	96

C:\Users\Admin\AppData\Local\Temp\2024-11-20_d8efab44ee8888396e9001774bcfabfe_bkransomware_floxif_hijackloader.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-20_d8efab44ee8888396e9001774bcfabfe_bkransomware_floxif_hijackloader.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://playinfo.gomlab.com/ending_browser.gom?product=GOMPLAYER
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffec75c46f8,0x7ffec75c4708,0x7ffec75c4718
    3⤵
    PID:5108
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1860,1613462914743205945,7211199200825747937,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
    3⤵
    PID:2720
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1860,1613462914743205945,7211199200825747937,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3644
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1860,1613462914743205945,7211199200825747937,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:8
    3⤵
    PID:4396
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,1613462914743205945,7211199200825747937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
    3⤵
    PID:1248
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,1613462914743205945,7211199200825747937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
    3⤵
    PID:3440
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,1613462914743205945,7211199200825747937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1
    3⤵
    PID:2276
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,1613462914743205945,7211199200825747937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
    3⤵
    PID:4688
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,1613462914743205945,7211199200825747937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1
    3⤵
    PID:2172
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1860,1613462914743205945,7211199200825747937,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6352 /prefetch:8
    3⤵
    PID:1748
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1860,1613462914743205945,7211199200825747937,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6352 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4360
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,1613462914743205945,7211199200825747937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:1
    3⤵
    PID:5104
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,1613462914743205945,7211199200825747937,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
    3⤵
    PID:5048
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,1613462914743205945,7211199200825747937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:1
    3⤵
    PID:1420
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,1613462914743205945,7211199200825747937,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
    3⤵
    PID:1828
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1860,1613462914743205945,7211199200825747937,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1732 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6140

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4008

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c2d9eeb3fdd75834f0ac3f9767de8d6f

SHA1
4d16a7e82190f8490a00008bd53d85fb92e379b0

SHA256
1e5efb5f1d78a4cc269cb116307e9d767fc5ad8a18e6cf95c81c61d7b1da5c66

SHA512
d92f995f9e096ecc0a7b8b4aca336aeef0e7b919fe7fe008169f0b87da84d018971ba5728141557d42a0fc562a25191bd85e0d7354c401b09e8b62cdc44b6dcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e55832d7cd7e868a2c087c4c73678018

SHA1
ed7a2f6d6437e907218ffba9128802eaf414a0eb

SHA256
a4d7777b980ec53de3a70aca8fb25b77e9b53187e7d2f0fa1a729ee9a35da574

SHA512
897fdebf1a9269a1bf1e3a791f6ee9ab7c24c9d75eeff65ac9599764e1c8585784e1837ba5321d90af0b004af121b2206081a6fb1b1ad571a0051ee33d3f5c5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
936B

MD5
33ecc1eba7b94fc8c10aa193904f9c1c

SHA1
8772fbd6d23b18536aca9551aa03cfac05d83dff

SHA256
5260b65b226763182c36115c66b28697053428c05e1c79eb15f3083faa291a30

SHA512
4070e555438f1d85a06263447dc477e02631018a74681374ac93a08c467bf67340d4244654ef18c5bdff16ecce974e8a3c35ada71711e88fe0cf5f6bee656dad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
d91d8c2e3132dddf1baf0958ae3588f9

SHA1
9185e9b88a7957f4b9d05e71e072a3edc0b17a7a

SHA256
fad3bef68b88d7543f319dd647aee7f318b58dad24d556273b5441af4230779c

SHA512
9c9694e78545d1c871c46782b389816ddd9201861bac9e5fb1ed230d5909a7cfdf286b6988ffad8e3a846c1bb577c887d4613e3feac35cf27dfd07530bb5d85e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
806cba57e12a41eee8fa310ab2d425f8

SHA1
faaa0a8d0010344f3e47a43513fb79bf1d4640eb

SHA256
0f930fcbc2ab3ae24b573ed555f778efe50db71e3105076f35d05ff10ec9cd69

SHA512
d4ed79bf632f74f731ea6b50031f52ce451410ff648f9a9d4d1140e929d40bf094c9f0fdfab5fc31952f03db2955dca621e350b35e980766d6ab2a3cd12af3a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
61fa626283a6e53ede4dea29624c2feb

SHA1
ac1763451b2fb711a11d02a4950eb9fc3878dffb

SHA256
dec42e043d5d194ac48fe2e5a03c441f5863499de3764d0045c86aa439753ba3

SHA512
aa8f5b117c99255e667dafd5c44f32f4732d26c4de3ad04c8131c7e0f022f61fbfe0a4c9f0c7de8bb2aed669130656445699cbd428ab3967167c593661be84a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
e708502d73877a4a34418af54e53ea7a

SHA1
a8067d48854106cb29fe1ab5f6e030a1bae50f9d

SHA256
04021d60b9e27a7664c2c4fc203271fb4437305d97c9fa7eaa83407151065fe1

SHA512
532c42c1e86e269c85a5007f2708c7c34f1fe9ff6b9c9771332e044d89a5ea8f51a28d06404a43e23ed5a6f14f291e4d1caf8425dfc7f5d0fe3a73cb71bd5061

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
186d538bcf8b210d1b310cde7e62a6db

SHA1
4730e369c6712a8f1a137e600aeb4cbc490093b7

SHA256
7f27b7f8f9bfed2a39c674a38e7c20ae6569388e06e00bded7121a095421317e

SHA512
35a7e7c76624494e4240b9161108d2737e94eed2d01e8eb40bbb6e9b9a26295d06d48f574008995191ef6bbab2c6f435533b81f651b45c3914dcf38ae906302d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58532c.TMP

Filesize
48B

MD5
33945441fe781a65b74a694cff794234

SHA1
09fd087ebba5c84fa89f1c64033c8ddfa27fd1f6

SHA256
a1cb52e14388e6b59409d68bbe737e2d42c0f4518cf15fa8920c1fcaa3dae4c7

SHA512
761bb7126e69f18e134373a8653b87e16eb6b98d59017eec2369e2bb451c8e1d41c92fc2fe1e4bf1734a0991f8a845c167d8bad38160ceb081dbe3853e85141f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b914b11a59dd9b9579e93a326a7765df

SHA1
05efafb525d16f06e96c73159900c99c7a8c5ff0

SHA256
eadee82c108d0437af9c6a5681003bb3a478db90e0bcf833629f5f2e86e36dbe

SHA512
ce0dab6321428fbed121749b3ef8066c19787f805f94670c52e97db9538a8811323ce17c9864038834bac4083e6d170142d65989b492165d64d8afe24c6ef6b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5842b1.TMP

Filesize
872B

MD5
52150356e55b01e61394365803602d79

SHA1
262b1db3a08f1aa529b460fd824c43f9be3c0e02

SHA256
7f753e379dc0c854ec617529fed02c6e3dc2d33cbf3b7beef151f38eccb39602

SHA512
85e54ad4b913546e204d7f4650e8d6d1cebf2a463e96c8f2edde33db4052a56b9432d4c48703e8dc82b27cdaf1942e58746e3ae30955f0f811149ed3c1dbc35e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f8ffd389392c3b8259dd9e0df0cd4ff0

SHA1
067141a45866bdca16b98591e87a807e9b31ab34

SHA256
d51360d804016d41056819c146bcc1c6dcebea36eb244802c74035c2d1f60a91

SHA512
eeb29a153658f4f6130ea14aff13045755e60ede244d0078b566964e17024fa290e028d7c4024d5e459503ac24bc83a5aa4e6736e3453271200dba8bcb7d22cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\A1D26E2\BEBCF4CD98.tmp

Filesize
14.3MB

MD5
7740b91aa5877cd86117db93dc5b0426

SHA1
b02a401b86aaa41768a15e4f027dccb812341fb7

SHA256
44df3a987ad432ea7942d8923dd2a8e29f3204119274ace5b0c5181838557564

SHA512
88890d8956872c8369ed2b3ede2349ae7021a770182dc3904f1ed983ae006355067d294abd0c5d77fc40c20cbad9e33e76bb29fd4d778f11079926bbc58e810f

Download Submit
\??\pipe\LOCAL\crashpad_2548_HDZOHHLOMXFLAUZX

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3480-3-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/3480-47-0x0000000000460000-0x00000000012D4000-memory.dmp

Filesize
14.5MB

Download
memory/3480-77-0x0000000000460000-0x00000000012D4000-memory.dmp

Filesize
14.5MB

Download
memory/3480-79-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/3480-49-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download