Resubmissions

submitted            task id             score
10/12/2024, 13:48    241210-q4kacaxjas   8
10/12/2024, 13:46    241210-q3gstswrgt   10
10/12/2024, 13:44    241210-q1vxnssjgm   8
10/12/2024, 13:42    241210-qzx1mssjfj   8

Analysis
max time kernel:   82s
max time network:  82s
platform:          windows10-2004_x64
resource:          win10v2004-20241007-en
resource tags:     arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted:         10/12/2024, 13:46
Static task:       static1
Behavioral task:   behavioral1
  Sample:          a.html
  Resource:        win7-20240903-en
General

Target:   a.html
Size:     1KB
MD5:      d5fb513907e0bf30fd3a61a2ecd4dd51
SHA1:     edb774f15d961ada35f581d84d8faa5a47422850
SHA256:   6764182453f39a713e142b15b917a28f06bdf57cbf75f537a38dc4213555598b
SHA512:   c7f8e36e09fbf4d7b47c764090e368d9fd0eda8b30f60ea67c06b92c3af01b7749285f3ddafa109c08dbd14b0a78f1f82cfa4f18721ec66eb551c90567b60755
Malware Config

Signatures

Floxif family

Detects Floxif payload (1 IoC)
  resource                                       yara_rule
  behavioral2/files/0x000a000000023d64-293.dat   floxif

Downloads MZ/PE file

ACProtect 1.3x - 1.4x DLL software (1 IoC)
Detects file using ACProtect software.
  resource                                       yara_rule
  behavioral2/files/0x000a000000023d64-293.dat   acprotect

Executes dropped EXE (6 IoCs)
  pid    Process
  4416   Floxif.exe
  2580   Floxif.exe
  1940   Floxif.exe
  2556   Floxif.exe
  4312   Floxif.exe
  444    Floxif.exe

Loads dropped DLL (6 IoCs)
  pid    Process
  2580   Floxif.exe
  4416   Floxif.exe
  1940   Floxif.exe
  2556   Floxif.exe
  4312   Floxif.exe
  444    Floxif.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow   ioc
  70     raw.githubusercontent.com
  71     raw.githubusercontent.com

yara_rule upx (13 IoCs)
  resource                                                                          yara_rule
  behavioral2/files/0x000a000000023d64-293.dat                                      upx
  behavioral2/memory/4416-295-0x0000000010000000-0x0000000010030000-memory.dmp      upx
  behavioral2/memory/2580-294-0x0000000010000000-0x0000000010030000-memory.dmp      upx
  behavioral2/memory/4416-298-0x0000000010000000-0x0000000010030000-memory.dmp      upx
  behavioral2/memory/2580-301-0x0000000010000000-0x0000000010030000-memory.dmp      upx
  behavioral2/memory/1940-313-0x0000000010000000-0x0000000010030000-memory.dmp      upx
  behavioral2/memory/1940-316-0x0000000010000000-0x0000000010030000-memory.dmp      upx
  behavioral2/memory/2556-336-0x0000000010000000-0x0000000010030000-memory.dmp      upx
  behavioral2/memory/2556-339-0x0000000010000000-0x0000000010030000-memory.dmp      upx
  behavioral2/memory/4312-342-0x0000000010000000-0x0000000010030000-memory.dmp      upx
  behavioral2/memory/4312-345-0x0000000010000000-0x0000000010030000-memory.dmp      upx
  behavioral2/memory/444-373-0x0000000010000000-0x0000000010030000-memory.dmp       upx
  behavioral2/memory/444-376-0x0000000010000000-0x0000000010030000-memory.dmp       upx

Drops file in Program Files directory (1 IoC)
  description    ioc                                                Process
  File created   C:\Program Files\Common Files\System\symsrv.dll    Floxif.exe

Program crash (6 IoCs)
  pid    pid_target   Process        procid_target
  660    2580         WerFault.exe   115
  4392   4416         WerFault.exe   116
  3980   1940         WerFault.exe   123
  2492   2556         WerFault.exe   126
  4712   4312         WerFault.exe   130
  3288   444          WerFault.exe   133
System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                             Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    Floxif.exe   (reported 6 times, each by Floxif.exe)
Enumerates system info in registry (2 TTPs, 3 IoCs)
  description         ioc                                                                    Process
  Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe

Modifies registry class (1 IoC)
  description   ioc                                                                                   Process
  Key created   \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings   msedge.exe

NTFS ADS (1 IoC)
  description                    ioc                                                                 Process
  File opened for modification   C:\Users\Admin\Downloads\Unconfirmed 328014.crdownload:SmartScreen  msedge.exe

Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid    Process
  4084   msedge.exe            (2 entries)
  4440   msedge.exe            (2 entries)
  2724   identity_helper.exe   (2 entries)
  4712   msedge.exe            (2 entries)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (8 IoCs)
  pid    Process
  4440   msedge.exe   (8 entries)

Suspicious use of AdjustPrivilegeToken (6 IoCs)
  description               pid    Process
  Token: SeDebugPrivilege   4416   Floxif.exe
  Token: SeDebugPrivilege   2580   Floxif.exe
  Token: SeDebugPrivilege   1940   Floxif.exe
  Token: SeDebugPrivilege   2556   Floxif.exe
  Token: SeDebugPrivilege   4312   Floxif.exe
  Token: SeDebugPrivilege   444    Floxif.exe

Suspicious use of FindShellTrayWindow (35 IoCs)
  pid    Process
  4440   msedge.exe   (35 entries)

Suspicious use of SendNotifyMessage (24 IoCs)
  pid    Process
  4440   msedge.exe   (24 entries)

Suspicious use of WriteProcessMemory (64 IoCs)
  All 64 entries are the Edge browser process (PID 4440) writing into its own child processes, repeated per write; collapsed to the distinct targets:
  description                        pid    Process      procid_target
  PID 4440 wrote to memory of 1952   4440   msedge.exe   82
  PID 4440 wrote to memory of 3732   4440   msedge.exe   83
  PID 4440 wrote to memory of 4084   4440   msedge.exe   84
  PID 4440 wrote to memory of 2728   4440   msedge.exe   85
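The signatures above are behavioural indicators that a host sensor can reproduce. The following is an added example, not code from the report or from tria.ge: a small scoring pass over constructed process-telemetry events that implements the same indicators the report raised against the Floxif.exe processes (a browser-dropped EXE being executed, a DLL written under C:\Program Files\Common Files\System, the NLS\Language key being opened, SeDebugPrivilege being enabled, and WerFault.exe being started for the crashed process). The event schema (dicts with an "event" kind plus pid, ppid, image, path, key, privilege and cmdline fields) and the updater.exe rows are assumptions chosen for illustration; the Floxif rows use the PIDs and paths from the report.

```python
"""Behavioural scoring over constructed process-telemetry events.

Added example, not code from the tria.ge report. The event schema is an
assumption; the indicators mirror the report's signatures for Floxif.exe.
"""
import re
from collections import defaultdict

BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe"}
PROGRAM_FILES_RE = re.compile(r"^[a-z]:\\program files( \(x86\))?\\", re.IGNORECASE)
NLS_LANGUAGE_RE = re.compile(r"\\control\\nls\\language$", re.IGNORECASE)
# Matches both WerFault forms seen in the report:
#   "-u -p <pid> -s <n>"  and  "-pss -s <n> -p <pid> -ip <pid>"
WERFAULT_TARGET_RE = re.compile(r"werfault\.exe\b.*?\s-p\s+(\d+)", re.IGNORECASE)

# Constructed sample events (not sensor output). The Floxif.exe chain uses the
# report's PIDs; the updater.exe rows are invented to show that a single shared
# indicator (opening NLS\Language) does not raise an alert on its own.
EVENTS = [
    {"event": "process_create", "pid": 4440, "ppid": 1000,
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"},
    {"event": "file_create", "pid": 4440, "path": r"C:\Users\Admin\Downloads\Floxif.exe"},
    {"event": "process_create", "pid": 2580, "ppid": 4440,
     "image": r"C:\Users\Admin\Downloads\Floxif.exe"},
    {"event": "file_create", "pid": 2580,
     "path": r"C:\Program Files\Common Files\System\symsrv.dll"},
    {"event": "registry_open", "pid": 2580,
     "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
    {"event": "privilege_adjust", "pid": 2580, "privilege": "SeDebugPrivilege"},
    {"event": "process_create", "pid": 660, "ppid": 2580,
     "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 2580 -s 432"},
    {"event": "process_create", "pid": 3520, "ppid": 1000,
     "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2580 -ip 2580"},
    {"event": "process_create", "pid": 900, "ppid": 1000,
     "image": r"C:\Program Files\Vendor\updater.exe"},
    {"event": "registry_open", "pid": 900,
     "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
]


def basename(path):
    """Lower-cased final path component ('' for an empty path)."""
    return path.rsplit("\\", 1)[-1].lower()


def indicators_by_pid(events):
    """Return {pid: sorted list of indicator names} over an event stream."""
    images = {}             # pid -> image of the most recent process_create
    dropped = set()         # lower-cased paths created during the run
    found = defaultdict(set)
    for ev in events:
        kind, pid = ev["event"], ev["pid"]
        if kind == "file_create":
            dropped.add(ev["path"].lower())
            if PROGRAM_FILES_RE.match(ev["path"]):
                found[pid].add("drops_file_in_program_files")
        elif kind == "process_create":
            image = ev["image"]
            images[pid] = image
            if image.lower() in dropped:
                found[pid].add("executes_dropped_exe")
            if basename(images.get(ev["ppid"], "")) in BROWSERS:
                found[pid].add("spawned_by_browser")
            m = WERFAULT_TARGET_RE.search(ev.get("cmdline", ""))
            if m:
                # The crash belongs to the -p target, not to WerFault itself.
                found[int(m.group(1))].add("program_crash")
        elif kind == "registry_open" and NLS_LANGUAGE_RE.search(ev["key"]):
            found[pid].add("system_language_discovery")
        elif kind == "privilege_adjust" and ev.get("privilege") == "SeDebugPrivilege":
            found[pid].add("adjust_privilege_token_sedebug")
    return {pid: sorted(names) for pid, names in found.items()}


def alerting_pids(events, threshold=3):
    """PIDs that accumulate at least `threshold` distinct indicators."""
    return sorted(pid for pid, names in indicators_by_pid(events).items()
                  if len(names) >= threshold)


if __name__ == "__main__":
    for pid, names in sorted(indicators_by_pid(EVENTS).items()):
        print(pid, ", ".join(names))
    print("alert:", alerting_pids(EVENTS))
```

The threshold is what keeps the benign updater quiet: opening NLS\Language is common in legitimate software, and the report itself only becomes convincing through the combination of a dropped executable, the Program Files write, the debug privilege and the immediate crash. Event order matters for the dropped-file check, so feed events in creation order.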
Processes

Depth markers [1], [2], [3] give the nesting level of each process in the tree.

[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4440)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\a.html
    - Enumerates system info in registry
    - Modifies registry class
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1952)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe93e646f8,0x7ffe93e64708,0x7ffe93e64718

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3732)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2020,2630418438187652466,1104212053849575592,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:2

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4084)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2020,2630418438187652466,1104212053849575592,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2328 /prefetch:3
        - Suspicious behavior: EnumeratesProcesses

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2728)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2020,2630418438187652466,1104212053849575592,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:8

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 988)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,2630418438187652466,1104212053849575592,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1272)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,2630418438187652466,1104212053849575592,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3020)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,2630418438187652466,1104212053849575592,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4152 /prefetch:1

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  (PID 3224)
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2020,2630418438187652466,1104212053849575592,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5332 /prefetch:8

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  (PID 2724)
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2020,2630418438187652466,1104212053849575592,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5332 /prefetch:8
        - Suspicious behavior: EnumeratesProcesses

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1088)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,2630418438187652466,1104212053849575592,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4380)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,2630418438187652466,1104212053849575592,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1584)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,2630418438187652466,1104212053849575592,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3552 /prefetch:1

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2316)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,2630418438187652466,1104212053849575592,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4092)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2020,2630418438187652466,1104212053849575592,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5908 /prefetch:8

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2552)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,2630418438187652466,1104212053849575592,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2308 /prefetch:1

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1128)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2020,2630418438187652466,1104212053849575592,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6128 /prefetch:8

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4712)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2020,2630418438187652466,1104212053849575592,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5576 /prefetch:8
        - Suspicious behavior: EnumeratesProcesses

    [2] C:\Users\Admin\Downloads\Floxif.exe  (PID 2580)
        "C:\Users\Admin\Downloads\Floxif.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in Program Files directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\SysWOW64\WerFault.exe  (PID 660)
            C:\Windows\SysWOW64\WerFault.exe -u -p 2580 -s 432
            - Program crash

    [2] C:\Users\Admin\Downloads\Floxif.exe  (PID 4416)
        "C:\Users\Admin\Downloads\Floxif.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\SysWOW64\WerFault.exe  (PID 4392)
            C:\Windows\SysWOW64\WerFault.exe -u -p 4416 -s 432
            - Program crash

    [2] C:\Users\Admin\Downloads\Floxif.exe  (PID 1940)
        "C:\Users\Admin\Downloads\Floxif.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\SysWOW64\WerFault.exe  (PID 3980)
            C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 308
            - Program crash

    [2] C:\Users\Admin\Downloads\Floxif.exe  (PID 2556)
        "C:\Users\Admin\Downloads\Floxif.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\SysWOW64\WerFault.exe  (PID 2492)
            C:\Windows\SysWOW64\WerFault.exe -u -p 2556 -s 400
            - Program crash

[1] C:\Windows\System32\CompPkgSrv.exe  (PID 2724)
    C:\Windows\System32\CompPkgSrv.exe -Embedding

[1] C:\Windows\System32\CompPkgSrv.exe  (PID 1680)
    C:\Windows\System32\CompPkgSrv.exe -Embedding

[1] C:\Windows\SysWOW64\WerFault.exe  (PID 2556)
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4416 -ip 4416

[1] C:\Windows\SysWOW64\WerFault.exe  (PID 3520)
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2580 -ip 2580

[1] C:\Windows\SysWOW64\WerFault.exe  (PID 2300)
    C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1940 -ip 1940

[1] C:\Windows\SysWOW64\WerFault.exe  (PID 4432)
    C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2556 -ip 2556

[1] C:\Windows\System32\rundll32.exe  (PID 4236)
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

[1] C:\Users\Admin\Downloads\Floxif.exe  (PID 4312)
    "C:\Users\Admin\Downloads\Floxif.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\SysWOW64\WerFault.exe  (PID 4712)
        C:\Windows\SysWOW64\WerFault.exe -u -p 4312 -s 192
        - Program crash

[1] C:\Windows\SysWOW64\WerFault.exe  (PID 448)
    C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4312 -ip 4312

[1] C:\Users\Admin\Downloads\Floxif.exe  (PID 444)
    "C:\Users\Admin\Downloads\Floxif.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\SysWOW64\WerFault.exe  (PID 3288)
        C:\Windows\SysWOW64\WerFault.exe -u -p 444 -s 400
        - Program crash

[1] C:\Windows\SysWOW64\WerFault.exe  (PID 4872)
    C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 444 -ip 444
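Each Floxif.exe instance in the tree is followed by two WerFault.exe processes: a child started with "-u -p <pid> -s <n>" and a top-level one started with "-pss -s <n> -p <pid> -ip <pid>". The tree also shows PIDs being recycled within the 82-second run (2556 is both a Floxif.exe and a WerFault.exe process; 2724 is both identity_helper.exe and CompPkgSrv.exe; 4712 is both an Edge utility process and a WerFault.exe), so keying on PID alone would mis-attribute crashes. The following is an added example, not code from the report or from tria.ge: it rebuilds a tree from flat records and attributes each WerFault to the process it was started for while tolerating PID reuse. The rows are constructed in the shape of the report's tree (pid, parent PID or None for a top-level entry, image, command line); the PIDs, images and the two WerFault command-line forms come from the report, and the assumption that rows are in creation order is what lets a reused PID resolve to the right instance.

```python
"""Rebuild a process tree and attribute WerFault crash handlers under PID reuse.

Added example, not code from the tria.ge report. Rows are assumed to be in
process-creation order; PIDs and command-line forms are from the report.
"""
import re
from collections import defaultdict

# Constructed records: (pid, parent pid or None, image, command line).
PROCS = [
    (4440, None, "msedge.exe",
     r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\a.html'),
    (2580, 4440, "Floxif.exe", r'"C:\Users\Admin\Downloads\Floxif.exe"'),
    (660, 2580, "WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -u -p 2580 -s 432"),
    (3520, None, "WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2580 -ip 2580"),
    (4416, 4440, "Floxif.exe", r'"C:\Users\Admin\Downloads\Floxif.exe"'),
    (4392, 4416, "WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -u -p 4416 -s 432"),
    (2556, 4440, "Floxif.exe", r'"C:\Users\Admin\Downloads\Floxif.exe"'),
    (2492, 2556, "WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -u -p 2556 -s 400"),
    # PID 2556 reused by a top-level crash handler after the Floxif instance.
    (2556, None, "WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4416 -ip 4416"),
]

# "-p <pid>" appears in both WerFault forms; "-pss" and "-ip" do not match.
WERFAULT_TARGET_RE = re.compile(r"\s-p\s+(\d+)\b")


def resolve(procs, pid, before):
    """Index of the newest record with `pid` created before index `before`, or None."""
    for i in range(before - 1, -1, -1):
        if procs[i][0] == pid:
            return i
    return None


def build_tree(procs):
    """Return (roots, children) keyed by record index, so a reused PID never merges two processes."""
    children = defaultdict(list)
    roots = []
    for i, (pid, ppid, image, cmdline) in enumerate(procs):
        parent = resolve(procs, ppid, i) if ppid is not None else None
        if parent is None:
            roots.append(i)
        else:
            children[parent].append(i)
    return roots, children


def reused_pids(procs):
    """PIDs that occur on more than one record within the run."""
    seen = defaultdict(int)
    for pid, *_ in procs:
        seen[pid] += 1
    return {pid for pid, n in seen.items() if n > 1}


def crash_targets(procs):
    """Map each WerFault record index to the index of the process it reports on."""
    targets = {}
    for i, (pid, ppid, image, cmdline) in enumerate(procs):
        if image.lower() != "werfault.exe":
            continue
        m = WERFAULT_TARGET_RE.search(cmdline)
        if not m:
            continue
        target_pid = int(m.group(1))
        # Newest earlier record with that PID that is not itself a crash handler.
        for j in range(i - 1, -1, -1):
            if procs[j][0] == target_pid and procs[j][2].lower() != "werfault.exe":
                targets[i] = j
                break
    return targets


def render(procs):
    """Indented tree in the report's [depth] style."""
    roots, children = build_tree(procs)
    lines = []

    def walk(i, depth):
        pid, _, image, _ = procs[i]
        lines.append(f"{'    ' * depth}[{depth + 1}] {image} (PID {pid})")
        for c in children[i]:
            walk(c, depth + 1)

    for r in roots:
        walk(r, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(PROCS))
    print("reused PIDs:", sorted(reused_pids(PROCS)))
    for i, j in sorted(crash_targets(PROCS).items()):
        print(f"WerFault PID {PROCS[i][0]} -> {PROCS[j][2]} PID {PROCS[j][0]}")
```

With creation order available, resolving a parent PID to the newest earlier record is enough to keep the WerFault child of Floxif.exe (PID 2556) attached to the malware instance rather than to the later crash handler that inherited the same PID. Without ordering (or better, a process start time or a sandbox-internal id such as the procid_target column in the Program crash signature), the attribution is ambiguous and should be reported as such.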
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 72KB
MD5:      ccf7e487353602c57e2e743d047aca36
SHA1:     99f66919152d67a882685a41b7130af5f7703888
SHA256:   eaf76e5f1a438478ecf7b678744da34e9d9e5038b128f0c595672ee1dbbfd914
SHA512:   dde0366658082b142faa6487245bfc8b8942605f0ede65d12f8c368ff3673ca18e416a4bf132c4bee5be43e94aef0531be2008746c24f1e6b2f294a63ab1486c

Filesize: 152B
MD5:      56a4f78e21616a6e19da57228569489b
SHA1:     21bfabbfc294d5f2aa1da825c5590d760483bc76
SHA256:   d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb
SHA512:   c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b

Filesize: 152B
MD5:      e443ee4336fcf13c698b8ab5f3c173d0
SHA1:     9bf70b16f03820cbe3158e1f1396b07b8ac9d75a
SHA256:   79e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b
SHA512:   cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd

Filesize: 1KB
MD5:      afd46e95cea611ec7cd831999514f927
SHA1:     263e558d51bc64dbc5175d7686d0a2baa0dda354
SHA256:   362babac9aa9eb2f42449703bcf657360d0b7cedfbcb99df88c4b1c6505e48fd
SHA512:   0c77d9e561840eda386d8348c84af2ee6658c11df88cb082bad6f2764c2c6e3604993df946f3a94e6077695282982a8a767cfe76838d135221b6ddcc788326ae

Path:     C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 1KB
MD5:      4f8f4fef7b3186feaf09eed6e0338a65
SHA1:     a5d117c39f9fe10f08da51318c26cc44a92f75e0
SHA256:   65f5925cd9e89828f7565cd45ebec3302f2453416ca5d078d3a3fc8a1545c489
SHA512:   6a896d3e376ee82ddf3388ca23168b3685bc62755bcf23e42ecbba03f0db5b8f6c835aeb09693f45d9c24ea02145f5fdba052ae574e371875f2adbc5f59cac5e

Filesize: 579B
MD5:      ed5f4213c17629776cd75510648fc019
SHA1:     ebfa685dca9b7c920cd5ad521c03e4ad0ce435b9
SHA256:   e969795f0e63ec8a35cdf34d5bc43867ca0825bebfed9734943e69b34ed2ad87
SHA512:   71bcc166ae5a48f7a79aa5de7ecc7e10dce22c39240ca9ffe9d0f9340f40fc2a2429529cfee8b2b5d7082efe94921fa7df3454852d5313ff4093bfdffc189627

Filesize: 5KB
MD5:      11c805abb9f161ee348c5de55a0586da
SHA1:     e8205f96695dc20cda255f7c4ad95ebeaa72586a
SHA256:   29a0765422243bac797a72d2e583edf3231ccc9feb64451f794cc88fd152b020
SHA512:   c441d9868cf902b8bafd35fd638d97bdd11ebd9d63f98c1332e33f7afeefaa055458005a82b271124891ded2b884dc84d34bf20318ed1922fbb1d4180fb3cdac

Filesize: 6KB
MD5:      098a07b9f18ffef4ee526fb3f4cb29f3
SHA1:     4220b98341392cd4ae7d0b8c9c1fb1007d78bf06
SHA256:   0d220f28e13d0e63bedd45798f6300ec92c85cc6e2aedad5face8ddc6f5555b7
SHA512:   c750901e21085c1d0168bbf0bdbc24ed6b59ea6391c850ba19c19b7f57c9d80db6b8441ac5d65641afb3a0f4327859c593717e92ed77d3ac5f2ec04222968321

Filesize: 6KB
MD5:      8fa766246c0614b576f8b3b52e358a6b
SHA1:     6649df1b6608cb9b2c6a99a723230f92793cf417
SHA256:   d1861b151e090c0bd2e4c9bdbbd8b134de8ac8171adf7731c2c2edb102f87cdb
SHA512:   79670f561f2b18b08d72df1943c14e23d46ae6277a4cbc534308d7b3172c76c443ec4f5d0dacf00e953b2382c30e845ffac659fee2a0f1f884bd6d8b04420d09

Filesize: 6KB
MD5:      679db884a57b98221d3c910734d8dfb4
SHA1:     b89bb2a0312dc3880c684940843d1b1650fc8d8e
SHA256:   4e8991e7ce6ccfbfa5418d0cd98aa389e18b5cd290e8741e56ad86a9402c5b5c
SHA512:   84f9364ef24c0c9ad1a892e2382368ca0e736fd857713d0ecdaeb6e3e90646fed4aed0efb78d8dc53fae5dca9b90d36a49f95729d1d5949f2bfd25c838128a0f

Filesize: 1KB
MD5:      9d5f62ec298b706ff9faeab6c7b736b0
SHA1:     412f9a7fe76093c1bad1d8d8f13c5268d9d7c8c8
SHA256:   360b24ec59373ae5fb7d3fd27c7a54717bc6ab3396988960f68722780fd16577
SHA512:   85a7cd83e2ec931d62a4bad11856b35f9c1bb769adedb33f61c3037d7ea1861d5f03ab7318dad6334fea54ea35703ddd4b11294a1752f109fef5c464bd80be24

Filesize: 864B
MD5:      3c032b4ec6c5c12c97c6a3c278033f84
SHA1:     3bf2cd6eac26775ea4fc016593693361f8db9873
SHA256:   d2e5928a7374552e12ad72e20d91e800948ab7209e8bf95bd6bd7d74d91eb632
SHA512:   266227183eb0a251a460fd54ea810812e0c8fb22c791fba655769dabc073b67b97b55930bdec41c9b1f9226373e6a5f28a412f951d18b4df039cf2565c0141f7

Filesize: 864B
MD5:      2bc8523b2476040793742798d4b7a5ec
SHA1:     3c8550484ed41db0b0f4da402a77682853b35187
SHA256:   314a3622f981cef793dc89bd630fff353434e787167dab561d70b621613c8cd1
SHA512:   e78f414813abef6cbe4a83b8a4ac090446ea176eb8ed20ce59827f095e1e3ec2c5a917cfc53caf6ce7dd1721d16a3ef5143579282c8c867f1788ef95b3ed13f7

Filesize: 16B
MD5:      6752a1d65b201c13b62ea44016eb221f
SHA1:     58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256:   0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512:   9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Filesize: 10KB
MD5:      55df054b01c52f60a64b34590d5d3a98
SHA1:     3aa119f8f50a641b3ac34c372246d0a70f387bba
SHA256:   e015e08e7aa95e1c969ddbeb350655d8375c25d98cbb63d61b49b7b3a6d75eb7
SHA512:   bc4ef81df5765788aad1098986958b8b93d49f1b905e02014cd38c128430e548e0e8d21222588799033a624e2ad708e06d58a05083f8fd88a4d748b633888e15

Filesize: 10KB
MD5:      005cf1b4529e27bd970ecc1703a7d126
SHA1:     eaf198e495126ab76127e4eff2bc9b0f5588554b
SHA256:   c263f64444a19cfdca7ce8fca7b587aeb2a5ebfc489a1836b8a61d18ca05944d
SHA512:   d30e39fa58ef1e6e7c9122f6cfe1f806eae69bfac1aac3474a6ef92d0bd94609ac0059c9c41ef13f7c22ba9c69055f60f393632c76180e7224ebd44ad1147f29

Filesize: 532KB
MD5:      00add4a97311b2b8b6264674335caab6
SHA1:     3688de985909cc9f9fa6e0a4f2e43d986fe6d0ec
SHA256:   812af0ec9e1dfd8f48b47fd148bafe6eecb42d0a304bc0e4539750dd23820a7f
SHA512:   aaf5dae929e6b5809b77b6a79ab833e548b66fb628afeb20b554d678947494a6804cb3d59bf6bbcb2b14cede1a0609aa41f8e7fe8a7999d578e8b7af7144cb70