floxif | 98e17929bd89d7ec162b1ef16be8c101bdd6b50a4bc301be3e66f839e3c6ef18

Analysis

max time kernel
136s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-12-2024 05:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-12_4ba01fb6736d7eba31916e90603e7399_bkransomware_floxif.exe
Size

12.4MB
MD5

4ba01fb6736d7eba31916e90603e7399
SHA1

e658379e9433f9de520bc52d2d2e4fb473434eee
SHA256

98e17929bd89d7ec162b1ef16be8c101bdd6b50a4bc301be3e66f839e3c6ef18
SHA512

0cadd43dec996186767b19f1d3c73f9ab5658fe71ed26d74438e5857c94a993f38cb928bf535680960359a4840da54952cf067e7e33885daa600db8d5fd1c54e
SSDEEP

98304:NrHqmH10K96SwYIctkdjDDAOfDQter0vobgKznixRuaa5lQTQYbMAiOWqfnPoR6V:NlEXYkda+fziq5lQQYbMAimgeXSg9

Score

10^/10

floxif backdoor discovery phishing trojan upx

Malware Config

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif

Detects Floxif payload 1 IoCs

backdoor

resource	yara_rule
behavioral2/files/0x000c000000023b33-1.dat	floxif

A potential corporate email address has been identified in the URL: [email protected]
phishing

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000c000000023b33-1.dat	acprotect

Loads dropped DLL 1 IoCs

pid	Process
3564	2024-12-12_4ba01fb6736d7eba31916e90603e7399_bkransomware_floxif.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	2024-12-12_4ba01fb6736d7eba31916e90603e7399_bkransomware_floxif.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3564	2024-12-12_4ba01fb6736d7eba31916e90603e7399_bkransomware_floxif.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000c000000023b33-1.dat	upx
behavioral2/memory/3564-3-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/3564-47-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/3564-80-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\symsrv.dll	2024-12-12_4ba01fb6736d7eba31916e90603e7399_bkransomware_floxif.exe
File created	\??\c:\program files\common files\system\symsrv.dll.000	2024-12-12_4ba01fb6736d7eba31916e90603e7399_bkransomware_floxif.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-12-12_4ba01fb6736d7eba31916e90603e7399_bkransomware_floxif.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	2024-12-12_4ba01fb6736d7eba31916e90603e7399_bkransomware_floxif.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c953000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df1400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3617e000000010000000800000000c0032f2df8d6016800000001000000000000000300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	2024-12-12_4ba01fb6736d7eba31916e90603e7399_bkransomware_floxif.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 5c000000010000000400000000080000190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e56800000001000000000000007e000000010000000800000000c0032f2df8d6011d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331336200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df09000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703017f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c9040000000100000010000000cb17e431673ee209fe455793f30afa1c2000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	2024-12-12_4ba01fb6736d7eba31916e90603e7399_bkransomware_floxif.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3564	2024-12-12_4ba01fb6736d7eba31916e90603e7399_bkransomware_floxif.exe
3564	2024-12-12_4ba01fb6736d7eba31916e90603e7399_bkransomware_floxif.exe
1904	msedge.exe
1904	msedge.exe
3876	msedge.exe
3876	msedge.exe
4156	identity_helper.exe
4156	identity_helper.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3564	2024-12-12_4ba01fb6736d7eba31916e90603e7399_bkransomware_floxif.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3564	2024-12-12_4ba01fb6736d7eba31916e90603e7399_bkransomware_floxif.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe

Suspicious use of SendNotifyMessage 25 IoCs

pid	Process
3564	2024-12-12_4ba01fb6736d7eba31916e90603e7399_bkransomware_floxif.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3564	2024-12-12_4ba01fb6736d7eba31916e90603e7399_bkransomware_floxif.exe
3564	2024-12-12_4ba01fb6736d7eba31916e90603e7399_bkransomware_floxif.exe
3564	2024-12-12_4ba01fb6736d7eba31916e90603e7399_bkransomware_floxif.exe
3564	2024-12-12_4ba01fb6736d7eba31916e90603e7399_bkransomware_floxif.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3564 wrote to memory of 3876	3564	2024-12-12_4ba01fb6736d7eba31916e90603e7399_bkransomware_floxif.exe	90
PID 3564 wrote to memory of 3876	3564	2024-12-12_4ba01fb6736d7eba31916e90603e7399_bkransomware_floxif.exe	90
PID 3876 wrote to memory of 3228	3876	msedge.exe	91
PID 3876 wrote to memory of 3228	3876	msedge.exe	91
PID 3876 wrote to memory of 3140	3876	msedge.exe	93
PID 3876 wrote to memory of 3140	3876	msedge.exe	93
PID 3876 wrote to memory of 3140	3876	msedge.exe	93
PID 3876 wrote to memory of 3140	3876	msedge.exe	93
PID 3876 wrote to memory of 3140	3876	msedge.exe	93
PID 3876 wrote to memory of 3140	3876	msedge.exe	93
PID 3876 wrote to memory of 3140	3876	msedge.exe	93
PID 3876 wrote to memory of 3140	3876	msedge.exe	93
PID 3876 wrote to memory of 3140	3876	msedge.exe	93
PID 3876 wrote to memory of 3140	3876	msedge.exe	93
PID 3876 wrote to memory of 3140	3876	msedge.exe	93
PID 3876 wrote to memory of 3140	3876	msedge.exe	93
PID 3876 wrote to memory of 3140	3876	msedge.exe	93
PID 3876 wrote to memory of 3140	3876	msedge.exe	93
PID 3876 wrote to memory of 3140	3876	msedge.exe	93
PID 3876 wrote to memory of 3140	3876	msedge.exe	93
PID 3876 wrote to memory of 3140	3876	msedge.exe	93
PID 3876 wrote to memory of 3140	3876	msedge.exe	93
PID 3876 wrote to memory of 3140	3876	msedge.exe	93
PID 3876 wrote to memory of 3140	3876	msedge.exe	93
PID 3876 wrote to memory of 3140	3876	msedge.exe	93
PID 3876 wrote to memory of 3140	3876	msedge.exe	93
PID 3876 wrote to memory of 3140	3876	msedge.exe	93
PID 3876 wrote to memory of 3140	3876	msedge.exe	93
PID 3876 wrote to memory of 3140	3876	msedge.exe	93
PID 3876 wrote to memory of 3140	3876	msedge.exe	93
PID 3876 wrote to memory of 3140	3876	msedge.exe	93
PID 3876 wrote to memory of 3140	3876	msedge.exe	93
PID 3876 wrote to memory of 3140	3876	msedge.exe	93
PID 3876 wrote to memory of 3140	3876	msedge.exe	93
PID 3876 wrote to memory of 3140	3876	msedge.exe	93
PID 3876 wrote to memory of 3140	3876	msedge.exe	93
PID 3876 wrote to memory of 3140	3876	msedge.exe	93
PID 3876 wrote to memory of 3140	3876	msedge.exe	93
PID 3876 wrote to memory of 3140	3876	msedge.exe	93
PID 3876 wrote to memory of 3140	3876	msedge.exe	93
PID 3876 wrote to memory of 3140	3876	msedge.exe	93
PID 3876 wrote to memory of 3140	3876	msedge.exe	93
PID 3876 wrote to memory of 3140	3876	msedge.exe	93
PID 3876 wrote to memory of 3140	3876	msedge.exe	93
PID 3876 wrote to memory of 1904	3876	msedge.exe	94
PID 3876 wrote to memory of 1904	3876	msedge.exe	94
PID 3876 wrote to memory of 376	3876	msedge.exe	95
PID 3876 wrote to memory of 376	3876	msedge.exe	95
PID 3876 wrote to memory of 376	3876	msedge.exe	95
PID 3876 wrote to memory of 376	3876	msedge.exe	95
PID 3876 wrote to memory of 376	3876	msedge.exe	95
PID 3876 wrote to memory of 376	3876	msedge.exe	95
PID 3876 wrote to memory of 376	3876	msedge.exe	95
PID 3876 wrote to memory of 376	3876	msedge.exe	95
PID 3876 wrote to memory of 376	3876	msedge.exe	95
PID 3876 wrote to memory of 376	3876	msedge.exe	95
PID 3876 wrote to memory of 376	3876	msedge.exe	95
PID 3876 wrote to memory of 376	3876	msedge.exe	95
PID 3876 wrote to memory of 376	3876	msedge.exe	95
PID 3876 wrote to memory of 376	3876	msedge.exe	95
PID 3876 wrote to memory of 376	3876	msedge.exe	95
PID 3876 wrote to memory of 376	3876	msedge.exe	95
PID 3876 wrote to memory of 376	3876	msedge.exe	95
PID 3876 wrote to memory of 376	3876	msedge.exe	95

C:\Users\Admin\AppData\Local\Temp\2024-12-12_4ba01fb6736d7eba31916e90603e7399_bkransomware_floxif.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-12_4ba01fb6736d7eba31916e90603e7399_bkransomware_floxif.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://playinfo.gomlab.com/ending_browser.gom?product=GOMPLAYER
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3876
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd426a46f8,0x7ffd426a4708,0x7ffd426a4718
    3⤵
    PID:3228
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,491578202319765803,8065967213551743956,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
    3⤵
    PID:3140
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,491578202319765803,8065967213551743956,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1904
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,491578202319765803,8065967213551743956,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:8
    3⤵
    PID:376
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,491578202319765803,8065967213551743956,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
    3⤵
    PID:4668
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,491578202319765803,8065967213551743956,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
    3⤵
    PID:3248
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,491578202319765803,8065967213551743956,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4100 /prefetch:1
    3⤵
    PID:1680
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,491578202319765803,8065967213551743956,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
    3⤵
    PID:3724
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,491578202319765803,8065967213551743956,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1
    3⤵
    PID:4768
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,491578202319765803,8065967213551743956,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6364 /prefetch:1
    3⤵
    PID:3060
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,491578202319765803,8065967213551743956,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6392 /prefetch:1
    3⤵
    PID:1264
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,491578202319765803,8065967213551743956,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6796 /prefetch:8
    3⤵
    PID:5000
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,491578202319765803,8065967213551743956,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6796 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4156
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,491578202319765803,8065967213551743956,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:1
    3⤵
    PID:4640
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,491578202319765803,8065967213551743956,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6088 /prefetch:1
    3⤵
    PID:612
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,491578202319765803,8065967213551743956,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5896 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3480

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2052

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_056B48C93C4964C2E64C0A8958238656

Filesize
1KB

MD5
2bbc71d5b80e2d78de46bd259e77a3d0

SHA1
531f5bf2955eb383fe109d03e5e568b54482b050

SHA256
18687af137c8d84279c47cc2c3a10ac2b240f5f392c1110c5f8465bff831f6a8

SHA512
52c4dff8188c6deb09549fc7edb5ba4bf3b47482001ae3f6aa6bbd94bcff246a3da5305de80a3fc7bcd128f95c82900999131c91e3e75b622aadcd087fcf6d63

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894

Filesize
1KB

MD5
dfb13d664a8983d31bef895c6d6334d7

SHA1
d64c2b905d6989c277b70a100d7c14b53cbd4d8b

SHA256
441d150c0cddfdc92ae35120b08f86cb7305d4ffb5af5eab348a7c7b797cb8de

SHA512
34d8a43abd41f42d6a621749099979129a791fc53eb68195f007de417d7938859b30b0563849e3a2e119095a20ed5b4b6432887aa4e2a70d8acaad612ffc9b08

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_056B48C93C4964C2E64C0A8958238656

Filesize
434B

MD5
96c176efab9c094f088291d0f864fe2a

SHA1
11e0b18da1b8235518088d86b7062383124dea93

SHA256
4081fc456f7d16c5702d506b1288b2e86f3ddf5d7d66a6bb8c2843e498a63595

SHA512
e939c9505afa86274df4a302c3deff057e7fca8a38b2ba4d7ca098a3e15c3b964fe3f4b02f5f58d4d2579e027d0a82fbf758f586a4f648e465f34a5013a9ff60

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894

Filesize
432B

MD5
c81de867b75c68fc805cee34273c9866

SHA1
c63c213d69112141290c08101e4b1a519b2287d7

SHA256
c631368dba35bd4ba9bdd858ece942bd860e9a96510117dff29362ee7ae3e15b

SHA512
0df308588d1f35579861be0f813cc6b1dc49387e4e5433c1b525c688e4bdd2ffff3c375935ae50aaf2bf391ac630b881f70acd49bb3d0e63e2fa262a0486655d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c2d9eeb3fdd75834f0ac3f9767de8d6f

SHA1
4d16a7e82190f8490a00008bd53d85fb92e379b0

SHA256
1e5efb5f1d78a4cc269cb116307e9d767fc5ad8a18e6cf95c81c61d7b1da5c66

SHA512
d92f995f9e096ecc0a7b8b4aca336aeef0e7b919fe7fe008169f0b87da84d018971ba5728141557d42a0fc562a25191bd85e0d7354c401b09e8b62cdc44b6dcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e55832d7cd7e868a2c087c4c73678018

SHA1
ed7a2f6d6437e907218ffba9128802eaf414a0eb

SHA256
a4d7777b980ec53de3a70aca8fb25b77e9b53187e7d2f0fa1a729ee9a35da574

SHA512
897fdebf1a9269a1bf1e3a791f6ee9ab7c24c9d75eeff65ac9599764e1c8585784e1837ba5321d90af0b004af121b2206081a6fb1b1ad571a0051ee33d3f5c5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
888B

MD5
32163d1416d7b3fc10ca9e0a1a5baec7

SHA1
8a243fffed6e04d5005cfc1df013dfcc9d9b27ff

SHA256
2ef93698f028464dc18e6ce4c55b04de962763cd398cb3b0673472592a6b019f

SHA512
82a8775609de93e4803dcdbd6bf3b7562250b87a460f08c9e7b1a6ffff33ba4fcbe088837962cd299ec5901aac485c260ed70dbf5786371a6c96383ab82a19c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
3b7f55508b7a108601f8ab4ad697438c

SHA1
131df7da48b442545c3c6ee8a8fff34c2e10fca3

SHA256
86a1e84deb96f36ce8a51e666ba99ada472024fc160c19cb5f324a22ba7a0bd1

SHA512
85e9a19d68ddba386281287661885aa3169c92fb938d88bdff7f1a3505b86a492b2b87d02bdc85a00ce7e9447c752ed922311b010cb89b53146e16c03ead0d7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5e4b9587e54891f5a8a64e023518cc4a

SHA1
ea2721c7def44c11125d80a0e2779f0b865ddab7

SHA256
5a9f223def9cf1bb5d9194648cef332643df947736205dd67ffea923fa0a95af

SHA512
0b604c0bdfb6b19e40929acb3875763672eb531cd817cd81edecb9a4192de3139226d55eaea1096401ce4aa0e959dc5981e5017e69498cee792045206c21b230

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
48cc6bb1677d8f20d9ed69da4f8460df

SHA1
85a728a451e42379079accd694a7f9d811a015e0

SHA256
fc1207b8dcd48c503698bbbf8feb89bee021eeca483446bf28e898e55420d553

SHA512
118dae6a8c585e6cf975210cdf9a5a14bfed7ff6dddc5e8cdda200f8eb0afc43a27c8b014b666fc8a3503d6de447ce0d6bd7fb1580cb8162c39462620c835abe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
2a3894b1cbecc4be029c6a29c2ae091c

SHA1
c20e1e9bb8d7a462995547ac0afa33b6b04ab501

SHA256
ef463a29aca1cb99abe17c50802df931665815b18f3a7378c1f35c8e1495f89b

SHA512
a40a027fcc80698073963a9d2debfb4c3912dba55818da604d3bae3b25459a327304b0704d3d497b5f0ad39c2682f8e3f512fa89f785a79c8a4dad69a181ec7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe581a1b.TMP

Filesize
48B

MD5
40ed0a41fcef6e48c0d129b5ecdad66b

SHA1
b4f7ff0d12c87b9837d0dd6d98201c336d139cba

SHA256
d14cde67dde956f6fe38e619ef7717e95362da24310f05ba239850aecb894972

SHA512
cc492ab5780cca881d0554326917a0d3746dc9f90be588847ee94cdf08629a0974bdc622a82e319f3d67f201e37ba169af52d18c95324d6d2732665c57d47696

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\ae8feb43-980d-45a6-9078-e27e20049dc3.tmp

Filesize
8KB

MD5
3e08de81d255101e0904212a28888692

SHA1
e997b43beaa97c59fd496c32b9193e4c1f02cd50

SHA256
ceb337a0e0e95661add94aed64b983ad28bc895767546a001c6830b7c2d13309

SHA512
b373ec8c7186acd36a7a1bc23c4cd6038e9c351ab1ac10d420095fb5679b5f1690e96cb38e42017ca035fe88e461404160e8d255b479b40133223c32d19184c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c72b70bec5442f215ebc78debed90763

SHA1
ed39ef272fbd98838dfc7e3479d5d9f4809980ad

SHA256
d758f12dc5eb9cd02b8885f3bd2745c306dffc6db9a676649f4022ecc8d62681

SHA512
b606bcda49102f279ce5f8b3a7372cd4c2060a6691c547a54145729610dd90d9905375d86a092cd4272adab3d6f2ed852a5c5d4ef64b7bd092d387ee8bd6649c

Download Submit
memory/3564-78-0x00000000009D0000-0x0000000001645000-memory.dmp

Filesize
12.5MB

Download
memory/3564-80-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/3564-45-0x00000000009D0000-0x0000000001645000-memory.dmp

Filesize
12.5MB

Download
memory/3564-47-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/3564-3-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download