floxif | 3af54f7717af6e84b5ad31d48c6a72469756c09fae5622a870b275ccdcca0c89

Analysis

max time kernel
146s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2024 00:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-19_7aedfcbb067ff5dedce3e2c6aa2b3920_bkransomware_floxif_hijackloader.exe
Size

7.0MB
MD5

7aedfcbb067ff5dedce3e2c6aa2b3920
SHA1

d42eabedb42630c2c767e2a9a644cd67598b2ab0
SHA256

3af54f7717af6e84b5ad31d48c6a72469756c09fae5622a870b275ccdcca0c89
SHA512

8c69055439309ffd504e5d630db052de3af7332d780fcc39f156d270ff9915dc442fafa03f6c11c95480f733ce50b51b29807c4942d7360e91509b28240c675b
SSDEEP

98304:AMijE7ais2MOPzNP1vPCrN18OIiHEaTUNXSRPvj6YLQhvJ8fhlH2vef9IvZd:F57aizPzNPBarN/IOUNXqdCmf2Td

Score

10^/10

floxif backdoor discovery persistence phishing privilege_escalation trojan upx

Malware Config

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif

Detects Floxif payload 1 IoCs

backdoor

resource	yara_rule
behavioral2/files/0x000c000000023b24-1.dat	floxif

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010
A potential corporate email address has been identified in the URL: cookieconsent@3
phishing

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000c000000023b24-1.dat	acprotect

Loads dropped DLL 1 IoCs

pid	Process
544	2024-12-19_7aedfcbb067ff5dedce3e2c6aa2b3920_bkransomware_floxif_hijackloader.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	2024-12-19_7aedfcbb067ff5dedce3e2c6aa2b3920_bkransomware_floxif_hijackloader.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000c000000023b24-1.dat	upx
behavioral2/memory/544-4-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/544-87-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/544-88-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/544-120-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/544-203-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/544-255-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\symsrv.dll	2024-12-19_7aedfcbb067ff5dedce3e2c6aa2b3920_bkransomware_floxif_hijackloader.exe
File created	\??\c:\program files\common files\system\symsrv.dll.000	2024-12-19_7aedfcbb067ff5dedce3e2c6aa2b3920_bkransomware_floxif_hijackloader.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-12-19_7aedfcbb067ff5dedce3e2c6aa2b3920_bkransomware_floxif_hijackloader.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 32 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shell\Browse with XnView\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-12-19_7aedfcbb067ff5dedce3e2c6aa2b3920_bkransomware_floxif_hijackloader.exe\" \"%1\""	2024-12-19_7aedfcbb067ff5dedce3e2c6aa2b3920_bkransomware_floxif_hijackloader.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	2024-12-19_7aedfcbb067ff5dedce3e2c6aa2b3920_bkransomware_floxif_hijackloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\xnview.exe\shell\open	2024-12-19_7aedfcbb067ff5dedce3e2c6aa2b3920_bkransomware_floxif_hijackloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XnView.Image\DefaultIcon	2024-12-19_7aedfcbb067ff5dedce3e2c6aa2b3920_bkransomware_floxif_hijackloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\Browse with XnView\Icon = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-12-19_7aedfcbb067ff5dedce3e2c6aa2b3920_bkransomware_floxif_hijackloader.exe,0"	2024-12-19_7aedfcbb067ff5dedce3e2c6aa2b3920_bkransomware_floxif_hijackloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shell\Browse with XnView\command	2024-12-19_7aedfcbb067ff5dedce3e2c6aa2b3920_bkransomware_floxif_hijackloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XnView.Image\shell	2024-12-19_7aedfcbb067ff5dedce3e2c6aa2b3920_bkransomware_floxif_hijackloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XnView.Image\shell\open	2024-12-19_7aedfcbb067ff5dedce3e2c6aa2b3920_bkransomware_floxif_hijackloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\Browse with XnView	2024-12-19_7aedfcbb067ff5dedce3e2c6aa2b3920_bkransomware_floxif_hijackloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\Browse with XnView\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-12-19_7aedfcbb067ff5dedce3e2c6aa2b3920_bkransomware_floxif_hijackloader.exe,0"	2024-12-19_7aedfcbb067ff5dedce3e2c6aa2b3920_bkransomware_floxif_hijackloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shell\Browse with XnView\Icon = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-12-19_7aedfcbb067ff5dedce3e2c6aa2b3920_bkransomware_floxif_hijackloader.exe,0"	2024-12-19_7aedfcbb067ff5dedce3e2c6aa2b3920_bkransomware_floxif_hijackloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	2024-12-19_7aedfcbb067ff5dedce3e2c6aa2b3920_bkransomware_floxif_hijackloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XnView.Image\ = "XnView Image"	2024-12-19_7aedfcbb067ff5dedce3e2c6aa2b3920_bkransomware_floxif_hijackloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XnView.Image\shell\open\command	2024-12-19_7aedfcbb067ff5dedce3e2c6aa2b3920_bkransomware_floxif_hijackloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XnView.Image\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-12-19_7aedfcbb067ff5dedce3e2c6aa2b3920_bkransomware_floxif_hijackloader.exe\" \"%1\""	2024-12-19_7aedfcbb067ff5dedce3e2c6aa2b3920_bkransomware_floxif_hijackloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XnView.Image\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-12-19_7aedfcbb067ff5dedce3e2c6aa2b3920_bkransomware_floxif_hijackloader.exe,0"	2024-12-19_7aedfcbb067ff5dedce3e2c6aa2b3920_bkransomware_floxif_hijackloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\xnview.exe	2024-12-19_7aedfcbb067ff5dedce3e2c6aa2b3920_bkransomware_floxif_hijackloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive	2024-12-19_7aedfcbb067ff5dedce3e2c6aa2b3920_bkransomware_floxif_hijackloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shell\Browse with XnView\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-12-19_7aedfcbb067ff5dedce3e2c6aa2b3920_bkransomware_floxif_hijackloader.exe,0"	2024-12-19_7aedfcbb067ff5dedce3e2c6aa2b3920_bkransomware_floxif_hijackloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XnView.Image	2024-12-19_7aedfcbb067ff5dedce3e2c6aa2b3920_bkransomware_floxif_hijackloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\xnview.exe\shell\open\command	2024-12-19_7aedfcbb067ff5dedce3e2c6aa2b3920_bkransomware_floxif_hijackloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\Browse with XnView\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-12-19_7aedfcbb067ff5dedce3e2c6aa2b3920_bkransomware_floxif_hijackloader.exe\" \"%1\""	2024-12-19_7aedfcbb067ff5dedce3e2c6aa2b3920_bkransomware_floxif_hijackloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\Browse with XnView\DefaultIcon	2024-12-19_7aedfcbb067ff5dedce3e2c6aa2b3920_bkransomware_floxif_hijackloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\xnview.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-12-19_7aedfcbb067ff5dedce3e2c6aa2b3920_bkransomware_floxif_hijackloader.exe\" \"%1\""	2024-12-19_7aedfcbb067ff5dedce3e2c6aa2b3920_bkransomware_floxif_hijackloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell	2024-12-19_7aedfcbb067ff5dedce3e2c6aa2b3920_bkransomware_floxif_hijackloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory	2024-12-19_7aedfcbb067ff5dedce3e2c6aa2b3920_bkransomware_floxif_hijackloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shell	2024-12-19_7aedfcbb067ff5dedce3e2c6aa2b3920_bkransomware_floxif_hijackloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shell\Browse with XnView	2024-12-19_7aedfcbb067ff5dedce3e2c6aa2b3920_bkransomware_floxif_hijackloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shell\Browse with XnView\DefaultIcon	2024-12-19_7aedfcbb067ff5dedce3e2c6aa2b3920_bkransomware_floxif_hijackloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications	2024-12-19_7aedfcbb067ff5dedce3e2c6aa2b3920_bkransomware_floxif_hijackloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\xnview.exe\shell	2024-12-19_7aedfcbb067ff5dedce3e2c6aa2b3920_bkransomware_floxif_hijackloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\Browse with XnView\command	2024-12-19_7aedfcbb067ff5dedce3e2c6aa2b3920_bkransomware_floxif_hijackloader.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
544	2024-12-19_7aedfcbb067ff5dedce3e2c6aa2b3920_bkransomware_floxif_hijackloader.exe
544	2024-12-19_7aedfcbb067ff5dedce3e2c6aa2b3920_bkransomware_floxif_hijackloader.exe
1632	msedge.exe
1632	msedge.exe
4620	msedge.exe
4620	msedge.exe
2396	identity_helper.exe
2396	identity_helper.exe
544	2024-12-19_7aedfcbb067ff5dedce3e2c6aa2b3920_bkransomware_floxif_hijackloader.exe
544	2024-12-19_7aedfcbb067ff5dedce3e2c6aa2b3920_bkransomware_floxif_hijackloader.exe
544	2024-12-19_7aedfcbb067ff5dedce3e2c6aa2b3920_bkransomware_floxif_hijackloader.exe
544	2024-12-19_7aedfcbb067ff5dedce3e2c6aa2b3920_bkransomware_floxif_hijackloader.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
544	2024-12-19_7aedfcbb067ff5dedce3e2c6aa2b3920_bkransomware_floxif_hijackloader.exe
544	2024-12-19_7aedfcbb067ff5dedce3e2c6aa2b3920_bkransomware_floxif_hijackloader.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	544	2024-12-19_7aedfcbb067ff5dedce3e2c6aa2b3920_bkransomware_floxif_hijackloader.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 544 wrote to memory of 4620	544	2024-12-19_7aedfcbb067ff5dedce3e2c6aa2b3920_bkransomware_floxif_hijackloader.exe	90
PID 544 wrote to memory of 4620	544	2024-12-19_7aedfcbb067ff5dedce3e2c6aa2b3920_bkransomware_floxif_hijackloader.exe	90
PID 4620 wrote to memory of 3268	4620	msedge.exe	91
PID 4620 wrote to memory of 3268	4620	msedge.exe	91
PID 4620 wrote to memory of 3040	4620	msedge.exe	92
PID 4620 wrote to memory of 3040	4620	msedge.exe	92
PID 4620 wrote to memory of 3040	4620	msedge.exe	92
PID 4620 wrote to memory of 3040	4620	msedge.exe	92
PID 4620 wrote to memory of 3040	4620	msedge.exe	92
PID 4620 wrote to memory of 3040	4620	msedge.exe	92
PID 4620 wrote to memory of 3040	4620	msedge.exe	92
PID 4620 wrote to memory of 3040	4620	msedge.exe	92
PID 4620 wrote to memory of 3040	4620	msedge.exe	92
PID 4620 wrote to memory of 3040	4620	msedge.exe	92
PID 4620 wrote to memory of 3040	4620	msedge.exe	92
PID 4620 wrote to memory of 3040	4620	msedge.exe	92
PID 4620 wrote to memory of 3040	4620	msedge.exe	92
PID 4620 wrote to memory of 3040	4620	msedge.exe	92
PID 4620 wrote to memory of 3040	4620	msedge.exe	92
PID 4620 wrote to memory of 3040	4620	msedge.exe	92
PID 4620 wrote to memory of 3040	4620	msedge.exe	92
PID 4620 wrote to memory of 3040	4620	msedge.exe	92
PID 4620 wrote to memory of 3040	4620	msedge.exe	92
PID 4620 wrote to memory of 3040	4620	msedge.exe	92
PID 4620 wrote to memory of 3040	4620	msedge.exe	92
PID 4620 wrote to memory of 3040	4620	msedge.exe	92
PID 4620 wrote to memory of 3040	4620	msedge.exe	92
PID 4620 wrote to memory of 3040	4620	msedge.exe	92
PID 4620 wrote to memory of 3040	4620	msedge.exe	92
PID 4620 wrote to memory of 3040	4620	msedge.exe	92
PID 4620 wrote to memory of 3040	4620	msedge.exe	92
PID 4620 wrote to memory of 3040	4620	msedge.exe	92
PID 4620 wrote to memory of 3040	4620	msedge.exe	92
PID 4620 wrote to memory of 3040	4620	msedge.exe	92
PID 4620 wrote to memory of 3040	4620	msedge.exe	92
PID 4620 wrote to memory of 3040	4620	msedge.exe	92
PID 4620 wrote to memory of 3040	4620	msedge.exe	92
PID 4620 wrote to memory of 3040	4620	msedge.exe	92
PID 4620 wrote to memory of 3040	4620	msedge.exe	92
PID 4620 wrote to memory of 3040	4620	msedge.exe	92
PID 4620 wrote to memory of 3040	4620	msedge.exe	92
PID 4620 wrote to memory of 3040	4620	msedge.exe	92
PID 4620 wrote to memory of 3040	4620	msedge.exe	92
PID 4620 wrote to memory of 3040	4620	msedge.exe	92
PID 4620 wrote to memory of 1632	4620	msedge.exe	93
PID 4620 wrote to memory of 1632	4620	msedge.exe	93
PID 4620 wrote to memory of 208	4620	msedge.exe	94
PID 4620 wrote to memory of 208	4620	msedge.exe	94
PID 4620 wrote to memory of 208	4620	msedge.exe	94
PID 4620 wrote to memory of 208	4620	msedge.exe	94
PID 4620 wrote to memory of 208	4620	msedge.exe	94
PID 4620 wrote to memory of 208	4620	msedge.exe	94
PID 4620 wrote to memory of 208	4620	msedge.exe	94
PID 4620 wrote to memory of 208	4620	msedge.exe	94
PID 4620 wrote to memory of 208	4620	msedge.exe	94
PID 4620 wrote to memory of 208	4620	msedge.exe	94
PID 4620 wrote to memory of 208	4620	msedge.exe	94
PID 4620 wrote to memory of 208	4620	msedge.exe	94
PID 4620 wrote to memory of 208	4620	msedge.exe	94
PID 4620 wrote to memory of 208	4620	msedge.exe	94
PID 4620 wrote to memory of 208	4620	msedge.exe	94
PID 4620 wrote to memory of 208	4620	msedge.exe	94
PID 4620 wrote to memory of 208	4620	msedge.exe	94
PID 4620 wrote to memory of 208	4620	msedge.exe	94

C:\Users\Admin\AppData\Local\Temp\2024-12-19_7aedfcbb067ff5dedce3e2c6aa2b3920_bkransomware_floxif_hijackloader.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-19_7aedfcbb067ff5dedce3e2c6aa2b3920_bkransomware_floxif_hijackloader.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.xnview.com/update.php?app=0&lang=en&version=2.51.5&nversion=2.52.0&os=0&t=1734569116&key=515ba1dce7ddd76c03dfd5b48fa6c0d7
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4620
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff706746f8,0x7fff70674708,0x7fff70674718
    3⤵
    PID:3268
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,9586086975546272625,10889613966610699533,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
    3⤵
    PID:3040
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,9586086975546272625,10889613966610699533,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1632
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,9586086975546272625,10889613966610699533,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2624 /prefetch:8
    3⤵
    PID:208
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9586086975546272625,10889613966610699533,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
    3⤵
    PID:3968
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9586086975546272625,10889613966610699533,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
    3⤵
    PID:2072
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,9586086975546272625,10889613966610699533,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5432 /prefetch:8
    3⤵
    PID:4268
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,9586086975546272625,10889613966610699533,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5432 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2396
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9586086975546272625,10889613966610699533,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
    3⤵
    PID:4300
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9586086975546272625,10889613966610699533,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1
    3⤵
    PID:5024
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9586086975546272625,10889613966610699533,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3508 /prefetch:1
    3⤵
    PID:4136
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9586086975546272625,10889613966610699533,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1
    3⤵
    PID:2348
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,9586086975546272625,10889613966610699533,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4128 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1444

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4104

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Privilege Escalation

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
C:\Program Files\Common Files\System\symsrv.dll.000

Filesize
175B

MD5
1130c911bf5db4b8f7cf9b6f4b457623

SHA1
48e734c4bc1a8b5399bff4954e54b268bde9d54c

SHA256
eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1

SHA512
94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0A6019F9ECCCD0887B71E88EB8D50A8D

Filesize
504B

MD5
34df2f547832ed2b375636481b87f6ae

SHA1
0662cacbc152b9f2a7673ecde98922be3690f0c8

SHA256
f1888abfd00ee715ba92125215e7d1a4e94392f02afc88b07f191cfabf2c8c4c

SHA512
3b43943cfd490d60a8aad9f582667b14eb4c54de936ef97341adde276365cfb250b3d18415954c6d12ea9e6a88f2fe8fee24b85a26505343ae81a04b265f27c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
734B

MD5
e192462f281446b5d1500d474fbacc4b

SHA1
5ed0044ac937193b78f9878ad7bac5c9ff7534ff

SHA256
f1ba9f1b63c447682ebf9de956d0da2a027b1b779abef9522d347d3479139a60

SHA512
cc69a761a4e8e1d4bf6585aa8e3e5a7dfed610f540a6d43a288ebb35b16e669874ed5d2b06756ee4f30854f6465c84ee423502fc5b67ee9e7758a2dab41b31d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0A6019F9ECCCD0887B71E88EB8D50A8D

Filesize
546B

MD5
ef756ba3affca0939ee8de9f720886e8

SHA1
1659ad1d5a1b3ab1f1a50bf93b44690ef231ec99

SHA256
62bc531dddd9b0ad6f7d46ef506bcd720099cc684bb7951c661ea1deaa53ad23

SHA512
76027b0954f7c118b5755aa4022d52277f3bca697588b917b024dbb1773a4b366685c975428306c2ab091fac790c0cc3c43c537b1df8cdc08a6a7f3447cd7a83

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
3743440ef668a3f62ac9d99aeb352bb4

SHA1
52db5231f32418172d064c8fd6b5387c29402bd9

SHA256
2f3c7334bd12d243d2a979c4dbdb2eac66503fc75eb8781a6c9f25bcc5312487

SHA512
b6d8ff31b62c0b0ba7de08ec39fd233d4b277fbdf447c9a81a428a30fb74e7553ccaae1f7717a21e38709a64d9564bbb71ae700bd14aaf473efb6533b3c99c38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ba6ef346187b40694d493da98d5da979

SHA1
643c15bec043f8673943885199bb06cd1652ee37

SHA256
d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73

SHA512
2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b8880802fc2bb880a7a869faa01315b0

SHA1
51d1a3fa2c272f094515675d82150bfce08ee8d3

SHA256
467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812

SHA512
e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
c01a48a46cea18416731deacd3c4efb1

SHA1
0428ed6b961744b19d88d3caee5dfe0d0fe7f9d6

SHA256
a7d9bf1b2aa9f6bdef13d6ccf52d83c2a92a261e5bcf6bb6fa74e72213c8b5dd

SHA512
d434799ee3dc34961842b8e851e5e9514b767a99836487710f660eeb68dc9e5a8c90c4864e5de450a3ef8bbd221a28734965551cf632c82b856b1f44ba3f467c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6a5c00d2ccc82f62b86540aab14ae77b

SHA1
1cb93ce2dc6bded0a831b13d3c58587e0f686dd8

SHA256
d3b280a6445390f5c1a67b5fb64439b15874a681880054627a7a51033f91a28d

SHA512
7a86aa478bd9921cb25c313cf9d06e9ee6304c3cea0d422bd72e00bfc8053cefac1ee924d5cf615360962a0ff6414471a1966a8ece1c0237cd9cd12293fbaa1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1546e94406768c9076f7b4d203577efe

SHA1
2ee3a3fcc5f7d5d7ce0fc381af7216ba39b89637

SHA256
f9b0497e2ebaab76ebdacfdff4e56b8272cd2cec16f88559990efb5ecd266189

SHA512
1611fb290075a974eeefef5f06ffafba8595bacc209ca5cf77ca12112755a8099edd671d4a754bf2137956f103fe3e3970faf6e6c08369dc17497ea9e311eb38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\c2b586e5-c836-4cbd-bf47-e6b7d7dccf2d.tmp

Filesize
1KB

MD5
53f95253ad42ccd2c990ad23a50e3925

SHA1
1e8edbd810c73c7ef0fc1ba5ec99dfe7f4724c62

SHA256
e9b1041b1c1a3308e0b63bbde039df9081d52eeb9ead7596a2dcce59f09e8954

SHA512
266ad9bbe2a4ac895395318cf78406ece80567d8f99bab4a6deb672114d6809cd053e38bcfb8eb8c9db434efd407c44f62baac1c24a97a6163a1b42cfbe5771c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
4bf79f261abc11fedace616e8b9088ab

SHA1
4cf21daa8dfff7d585d62b9e7d08bb7d0873a5e0

SHA256
472b4f47243e1865e66a772a9b674807230c63a689b7bcb25a1cb24b23d988b8

SHA512
4d07019981b1fd8754cd4c7eade01797905abc3e2cb38affe274888b29de0491d1c20d50252ae5ba177a803ff8b1ccce37e6e68f3206e9a9b20162042d0b123a

Download Submit
C:\Users\Admin\AppData\Local\Temp\A1D26E2\947F394220.tmp

Filesize
6.9MB

MD5
2ac56f040b6ca5ee8b124f3afb773dd3

SHA1
49b83faa242a9644f5c04a439f467be873abd54c

SHA256
02cb7f4ab472d127f072de2b20a288ae360930ae5752e560069ea9b80e4ef6df

SHA512
ec45813512be024a8df7d170391d0b5564aa23db53bbafb82e4a21b5485115dddab63fb1674d40ed5870887f27347bb296b0a1bb4e438817676093e8ac5334e2

Download Submit
C:\Users\Admin\Desktop\XnView.lnk

Filesize
1KB

MD5
d51537f635cec69fa97ab7d55e07c2d8

SHA1
5f1d467e481af64c21d939cf488027aa385e67b1

SHA256
f2893d18a23030ec03b40b60cf12546efdac77f5275d650ebe6b22e2904a9b82

SHA512
643923bd2bc28afe9e8d0bbb6e93104267e4bf4d31faf0533d325c7fa31f542dcaf0bde925c43ed5f11fc51c747516e46dd65c81b82004ffa4d7af0aad421788

Download Submit
memory/544-4-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/544-87-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/544-88-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/544-203-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/544-86-0x0000000000800000-0x0000000000F2F000-memory.dmp

Filesize
7.2MB

Download
memory/544-119-0x0000000000800000-0x0000000000F2F000-memory.dmp

Filesize
7.2MB

Download
memory/544-255-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/544-120-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download