floxif | 10244a89f57b8142e2e151480d8d1bef82f9c14610cf8049d0e9c9b0470f0c89

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-12-2024 07:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

10244a89f57b8142e2e151480d8d1bef82f9c14610cf8049d0e9c9b0470f0c89.exe
Size

9.5MB
MD5

e3608e7a912f566f13c9dd67dfbe21bb
SHA1

ce88fa72bd84dd9de23a6f35ea0bc9ffdac55d61
SHA256

10244a89f57b8142e2e151480d8d1bef82f9c14610cf8049d0e9c9b0470f0c89
SHA512

d06f060b4fe04d0535677f795fbc6c968184052e05b3d9c356ec10fc48a7536e1fa0ac17c5422e07434829e7b9acbb13fdafca0d614ab21009d55919c87d11a7
SSDEEP

196608:UFtWWfKfTYcr/Fqq+K4qpm9u+fUS/tseCt5ikPGfkpC6ARPkQ6Q:UFxfro/0q9vm9u+8S4TiXKC6ARPOQ

Score

10^/10

floxif backdoor discovery trojan upx

Malware Config

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif

Detects Floxif payload 1 IoCs

backdoor

resource	yara_rule
behavioral2/files/0x000c000000023b21-2.dat	floxif

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000c000000023b21-2.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
3300	sg.tmp
2324	사진 향상기.exe

Loads dropped DLL 3 IoCs

pid	Process
1516	10244a89f57b8142e2e151480d8d1bef82f9c14610cf8049d0e9c9b0470f0c89.exe
2324	사진 향상기.exe
1516	10244a89f57b8142e2e151480d8d1bef82f9c14610cf8049d0e9c9b0470f0c89.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	10244a89f57b8142e2e151480d8d1bef82f9c14610cf8049d0e9c9b0470f0c89.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1516-0-0x0000000000400000-0x0000000000613000-memory.dmp	upx
behavioral2/memory/1516-4-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/files/0x000c000000023b21-2.dat	upx
behavioral2/memory/1516-183-0x0000000000400000-0x0000000000613000-memory.dmp	upx
behavioral2/memory/1516-200-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/1516-233-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/1516-257-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/1516-316-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\symsrv.dll	10244a89f57b8142e2e151480d8d1bef82f9c14610cf8049d0e9c9b0470f0c89.exe
File created	\??\c:\program files\common files\system\symsrv.dll.000	10244a89f57b8142e2e151480d8d1bef82f9c14610cf8049d0e9c9b0470f0c89.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10244a89f57b8142e2e151480d8d1bef82f9c14610cf8049d0e9c9b0470f0c89.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	사진 향상기.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	사진 향상기.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	사진 향상기.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1516	10244a89f57b8142e2e151480d8d1bef82f9c14610cf8049d0e9c9b0470f0c89.exe
1516	10244a89f57b8142e2e151480d8d1bef82f9c14610cf8049d0e9c9b0470f0c89.exe
2636	msedge.exe
2636	msedge.exe
2864	msedge.exe
2864	msedge.exe
3224	msedge.exe
3224	msedge.exe
4792	identity_helper.exe
4792	identity_helper.exe
1516	10244a89f57b8142e2e151480d8d1bef82f9c14610cf8049d0e9c9b0470f0c89.exe
1516	10244a89f57b8142e2e151480d8d1bef82f9c14610cf8049d0e9c9b0470f0c89.exe
1516	10244a89f57b8142e2e151480d8d1bef82f9c14610cf8049d0e9c9b0470f0c89.exe
1516	10244a89f57b8142e2e151480d8d1bef82f9c14610cf8049d0e9c9b0470f0c89.exe
5308	msedge.exe
5308	msedge.exe
5308	msedge.exe
5308	msedge.exe
1516	10244a89f57b8142e2e151480d8d1bef82f9c14610cf8049d0e9c9b0470f0c89.exe
1516	10244a89f57b8142e2e151480d8d1bef82f9c14610cf8049d0e9c9b0470f0c89.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	1516	10244a89f57b8142e2e151480d8d1bef82f9c14610cf8049d0e9c9b0470f0c89.exe
Token: SeBackupPrivilege	1516	10244a89f57b8142e2e151480d8d1bef82f9c14610cf8049d0e9c9b0470f0c89.exe
Token: SeRestorePrivilege	1516	10244a89f57b8142e2e151480d8d1bef82f9c14610cf8049d0e9c9b0470f0c89.exe
Token: 33	1516	10244a89f57b8142e2e151480d8d1bef82f9c14610cf8049d0e9c9b0470f0c89.exe
Token: SeIncBasePriorityPrivilege	1516	10244a89f57b8142e2e151480d8d1bef82f9c14610cf8049d0e9c9b0470f0c89.exe
Token: SeCreateGlobalPrivilege	1516	10244a89f57b8142e2e151480d8d1bef82f9c14610cf8049d0e9c9b0470f0c89.exe
Token: 33	1516	10244a89f57b8142e2e151480d8d1bef82f9c14610cf8049d0e9c9b0470f0c89.exe
Token: SeIncBasePriorityPrivilege	1516	10244a89f57b8142e2e151480d8d1bef82f9c14610cf8049d0e9c9b0470f0c89.exe
Token: 33	1516	10244a89f57b8142e2e151480d8d1bef82f9c14610cf8049d0e9c9b0470f0c89.exe
Token: SeIncBasePriorityPrivilege	1516	10244a89f57b8142e2e151480d8d1bef82f9c14610cf8049d0e9c9b0470f0c89.exe
Token: SeRestorePrivilege	3300	sg.tmp
Token: 35	3300	sg.tmp
Token: SeSecurityPrivilege	3300	sg.tmp
Token: SeSecurityPrivilege	3300	sg.tmp
Token: 33	1516	10244a89f57b8142e2e151480d8d1bef82f9c14610cf8049d0e9c9b0470f0c89.exe
Token: SeIncBasePriorityPrivilege	1516	10244a89f57b8142e2e151480d8d1bef82f9c14610cf8049d0e9c9b0470f0c89.exe
Token: 33	2360	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2360	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2324	사진 향상기.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1516 wrote to memory of 3920	1516	10244a89f57b8142e2e151480d8d1bef82f9c14610cf8049d0e9c9b0470f0c89.exe	84
PID 1516 wrote to memory of 3920	1516	10244a89f57b8142e2e151480d8d1bef82f9c14610cf8049d0e9c9b0470f0c89.exe	84
PID 1516 wrote to memory of 3300	1516	10244a89f57b8142e2e151480d8d1bef82f9c14610cf8049d0e9c9b0470f0c89.exe	86
PID 1516 wrote to memory of 3300	1516	10244a89f57b8142e2e151480d8d1bef82f9c14610cf8049d0e9c9b0470f0c89.exe	86
PID 1516 wrote to memory of 3300	1516	10244a89f57b8142e2e151480d8d1bef82f9c14610cf8049d0e9c9b0470f0c89.exe	86
PID 1516 wrote to memory of 2324	1516	10244a89f57b8142e2e151480d8d1bef82f9c14610cf8049d0e9c9b0470f0c89.exe	88
PID 1516 wrote to memory of 2324	1516	10244a89f57b8142e2e151480d8d1bef82f9c14610cf8049d0e9c9b0470f0c89.exe	88
PID 1516 wrote to memory of 2324	1516	10244a89f57b8142e2e151480d8d1bef82f9c14610cf8049d0e9c9b0470f0c89.exe	88
PID 2324 wrote to memory of 3676	2324	사진 향상기.exe	90
PID 2324 wrote to memory of 3676	2324	사진 향상기.exe	90
PID 3676 wrote to memory of 1500	3676	msedge.exe	91
PID 3676 wrote to memory of 1500	3676	msedge.exe	91
PID 2324 wrote to memory of 3224	2324	사진 향상기.exe	92
PID 2324 wrote to memory of 3224	2324	사진 향상기.exe	92
PID 3224 wrote to memory of 1552	3224	msedge.exe	93
PID 3224 wrote to memory of 1552	3224	msedge.exe	93
PID 3224 wrote to memory of 4376	3224	msedge.exe	94
PID 3224 wrote to memory of 4376	3224	msedge.exe	94
PID 3224 wrote to memory of 4376	3224	msedge.exe	94
PID 3224 wrote to memory of 4376	3224	msedge.exe	94
PID 3224 wrote to memory of 4376	3224	msedge.exe	94
PID 3224 wrote to memory of 4376	3224	msedge.exe	94
PID 3224 wrote to memory of 4376	3224	msedge.exe	94
PID 3224 wrote to memory of 4376	3224	msedge.exe	94
PID 3224 wrote to memory of 4376	3224	msedge.exe	94
PID 3224 wrote to memory of 4376	3224	msedge.exe	94
PID 3224 wrote to memory of 4376	3224	msedge.exe	94
PID 3224 wrote to memory of 4376	3224	msedge.exe	94
PID 3224 wrote to memory of 4376	3224	msedge.exe	94
PID 3224 wrote to memory of 4376	3224	msedge.exe	94
PID 3224 wrote to memory of 4376	3224	msedge.exe	94
PID 3224 wrote to memory of 4376	3224	msedge.exe	94
PID 3224 wrote to memory of 4376	3224	msedge.exe	94
PID 3224 wrote to memory of 4376	3224	msedge.exe	94
PID 3224 wrote to memory of 4376	3224	msedge.exe	94
PID 3224 wrote to memory of 4376	3224	msedge.exe	94
PID 3224 wrote to memory of 4376	3224	msedge.exe	94
PID 3224 wrote to memory of 4376	3224	msedge.exe	94
PID 3224 wrote to memory of 4376	3224	msedge.exe	94
PID 3224 wrote to memory of 4376	3224	msedge.exe	94
PID 3224 wrote to memory of 4376	3224	msedge.exe	94
PID 3224 wrote to memory of 4376	3224	msedge.exe	94
PID 3224 wrote to memory of 4376	3224	msedge.exe	94
PID 3224 wrote to memory of 4376	3224	msedge.exe	94
PID 3224 wrote to memory of 4376	3224	msedge.exe	94
PID 3224 wrote to memory of 4376	3224	msedge.exe	94
PID 3224 wrote to memory of 4376	3224	msedge.exe	94
PID 3224 wrote to memory of 4376	3224	msedge.exe	94
PID 3224 wrote to memory of 4376	3224	msedge.exe	94
PID 3224 wrote to memory of 4376	3224	msedge.exe	94
PID 3224 wrote to memory of 4376	3224	msedge.exe	94
PID 3224 wrote to memory of 4376	3224	msedge.exe	94
PID 3224 wrote to memory of 4376	3224	msedge.exe	94
PID 3224 wrote to memory of 4376	3224	msedge.exe	94
PID 3224 wrote to memory of 4376	3224	msedge.exe	94
PID 3224 wrote to memory of 4376	3224	msedge.exe	94
PID 3224 wrote to memory of 2636	3224	msedge.exe	95
PID 3224 wrote to memory of 2636	3224	msedge.exe	95
PID 3224 wrote to memory of 1732	3224	msedge.exe	96
PID 3224 wrote to memory of 1732	3224	msedge.exe	96
PID 3224 wrote to memory of 1732	3224	msedge.exe	96
PID 3224 wrote to memory of 1732	3224	msedge.exe	96
PID 3224 wrote to memory of 1732	3224	msedge.exe	96
PID 3224 wrote to memory of 1732	3224	msedge.exe	96

C:\Users\Admin\AppData\Local\Temp\10244a89f57b8142e2e151480d8d1bef82f9c14610cf8049d0e9c9b0470f0c89.exe
"C:\Users\Admin\AppData\Local\Temp\10244a89f57b8142e2e151480d8d1bef82f9c14610cf8049d0e9c9b0470f0c89.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1516
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c set
  2⤵
  PID:3920
- C:\Users\Admin\AppData\Local\Temp\~5012917168046502632~\sg.tmp
  7zG_exe x "C:\Users\Admin\AppData\Local\Temp\10244a89f57b8142e2e151480d8d1bef82f9c14610cf8049d0e9c9b0470f0c89.exe" -y -aoa -o"C:\Users\Admin\AppData\Local\Temp\~3465998771454872872"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3300
- C:\Users\Admin\AppData\Local\Temp\~3465998771454872872\사진 향상기.exe
  "C:\Users\Admin\AppData\Local\Temp\~3465998771454872872\사진 향상기.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mediafire.com/file/hw1u05d1je2f4sh/HitPawPhotoEnhancerPortable.part1.rar/file
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3676
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc0f2346f8,0x7ffc0f234708,0x7ffc0f234718
      4⤵
      PID:1500
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,14418412116236391239,6982537694164675523,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
      4⤵
      PID:4364
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,14418412116236391239,6982537694164675523,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2864
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mediafire.com/file/ft9afxswdxbxdvu/HitPawPhotoEnhancerPortable.part2.rar/file
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3224
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc0f2346f8,0x7ffc0f234708,0x7ffc0f234718
      4⤵
      PID:1552
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,2779947011639522068,11574370187146470863,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
      4⤵
      PID:4376
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,2779947011639522068,11574370187146470863,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2636
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,2779947011639522068,11574370187146470863,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:8
      4⤵
      PID:1732
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2779947011639522068,11574370187146470863,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
      4⤵
      PID:952
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2779947011639522068,11574370187146470863,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
      4⤵
      PID:664
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2779947011639522068,11574370187146470863,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3908 /prefetch:1
      4⤵
      PID:3068
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,2779947011639522068,11574370187146470863,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5548 /prefetch:8
      4⤵
      PID:216
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,2779947011639522068,11574370187146470863,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5548 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4792
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2779947011639522068,11574370187146470863,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:1
      4⤵
      PID:876
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2779947011639522068,11574370187146470863,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:1
      4⤵
      PID:4052
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2779947011639522068,11574370187146470863,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1
      4⤵
      PID:2584
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2779947011639522068,11574370187146470863,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6492 /prefetch:1
      4⤵
      PID:3556
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,2779947011639522068,11574370187146470863,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4236 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5308

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x308 0x324
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2360

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3888

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
C:\Program Files\Common Files\System\symsrv.dll.000

Filesize
175B

MD5
1130c911bf5db4b8f7cf9b6f4b457623

SHA1
48e734c4bc1a8b5399bff4954e54b268bde9d54c

SHA256
eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1

SHA512
94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
dc058ebc0f8181946a312f0be99ed79c

SHA1
0c6f376ed8f2d4c275336048c7c9ef9edf18bff0

SHA256
378701e87dcff90aa092702bc299859d6ae8f7e313f773bf594f81df6f40bf6a

SHA512
36e0de64a554762b28045baebf9f71930c59d608f8d05c5faf8906d62eaf83f6d856ef1d1b38110e512fbb1a85d3e2310be11a7f679c6b5b3c62313cc7af52aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a0486d6f8406d852dd805b66ff467692

SHA1
77ba1f63142e86b21c951b808f4bc5d8ed89b571

SHA256
c0745fd195f3a51b27e4d35a626378a62935dccebefb94db404166befd68b2be

SHA512
065a62032eb799fade5fe75f390e7ab3c9442d74cb8b520d846662d144433f39b9186b3ef3db3480cd1d1d655d8f0630855ed5d6e85cf157a40c38a19375ed8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
240B

MD5
57f8a0eb93d32ee1769d0dd65ea4b8b8

SHA1
84f5a2d15a30b8dd9f3067745d9a6c6143617deb

SHA256
0a6bddbe263bbf601f38bd47149cfd6df5f256b414c95dbe555d1981226b16f0

SHA512
f06303c66cf2df04af5862b1ed2401f1d9c4e2614a018331ac767ca5dc6aabb8b3f5d7c97be6b9fdcad1d6d272ca6340ad84a7dec1f8792aee2f0cab29daaa4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
5063310ad0e044368a5d4fc059328184

SHA1
b517308773f6f19393bbd5471efed3e79df2aa63

SHA256
fa059a7245cffa379f0ebd959933625b3fea4cd1e5a90960f2c4cbe105199ffe

SHA512
5fc22e1b93ee5defa7cc4ca4f957e3d61d122cd6749bdb5c8a852acf8b24820e5dd13e9ddeb7983d36cb9c7176b82b36ebac99d1553796e80f3edb8acc582c05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
506b51167f81990617ca9310b5b71e30

SHA1
9665d1628f98de3278b2013e781e7bb49ef4d712

SHA256
b0f4c4e9453bfdd43b0b6661042c733d0675dd566fc88c32043903b099bdfcfc

SHA512
a547f01cb88b68198613f25499ca07647ccc4c2b3ba90a02ec24a3deea21008c393dbb5511d53404eac82466e97e67a75e1f8d3eac24e16e00d3feb80fe26662

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3c143a9e05334a614685bfd01d39b192

SHA1
0652af72258200d7f2ac526f7cf0cf72e78b60c4

SHA256
c0c7095f786fb9c321ab53214763f696163c0c20e391c7125e132e498a08531d

SHA512
e790ddd119b7241235cc4c8ad6330595f7f9b2302193fbb0284a29770a299b012906c1fe7f1ca1bef146282721f42377be229dac720a1ea059548bf74182ae59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
cfaa1f5002b33a154e1f0eaafda2ad21

SHA1
c98b55e90949e706c2c5490b1f2e45d5241cb86e

SHA256
8f9941be58463457cdfbca00be9dfcccbc185452fad736bfd284293b726f308b

SHA512
1391ffd1af8e07acf1b41946e1c5d9e0c76415dbe701d896ccd8332e6011028984e01a1c578aab85a40ebe53d2f635bb674a92794bde772b54e70fed48305a7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
62e072bdb7a04bc3829cc9700c5a407d

SHA1
936dadfcc845d71591ffd9e6dc5700ba3d0a7661

SHA256
866e876feb5be99db2a7e2cc31d1dcd8f94639d1f950a8079d067c21a766e810

SHA512
3efc73db014950b3071e7c309a08d6b27292e8114dcd691f74962e8243e2ff8ff1aad77d5d597c564695e9c10ea36ddb6a05a8ae794011c5f7ee31baa535c77a

Download Submit
C:\Users\Admin\AppData\Local\Temp\~3465998771454872872\Helper.ocx

Filesize
5.4MB

MD5
a91c2acb7657c04a10e47ed8dc6b28bf

SHA1
d38713819eab61488abdd9cb4653b6a7ef313aa9

SHA256
545cf5f0f8e438913eb40d3b561610c6c5e9e1c696452bf0f5f91677c044beb5

SHA512
cd3ab9c48a7e15d68a1e0edb5c345a1f01596b19d769e993509f1d131ac5ac14db4ae485fc1089509e7057a4d27a2113d3e6b9bd8278ce07a1ff8472b755a554

Download Submit
C:\Users\Admin\AppData\Local\Temp\~3465998771454872872\Helper.ocx.tmp

Filesize
5.5MB

MD5
e2c81711727bbeabc4a56ba205f9b996

SHA1
ce3a787874eeb4f234cc7868e97b0e28484feb49

SHA256
f8bce62d0ef37d839d1252b1c9c1246f1b873e4a925d52a7abde27828e0060ab

SHA512
755d5e03453fa0c854032640cea087f754949749acc0f8451e246772696f126315244b9b72bb935b064077cc703c7a73bbf683f856973ade4db100d41e361254

Download Submit
C:\Users\Admin\AppData\Local\Temp\~3465998771454872872\사진 향상기.exe

Filesize
2.7MB

MD5
d314ca4312f571d1ab09d7b10953faea

SHA1
9a9dddd86e2802e7162ba6e1fc2bb8450e278cb7

SHA256
70fa2bce06db97c66d35e6983604c3d611a2d66d4bcaa99e880283b1a4994de3

SHA512
cee24f8f3c7a69fd36d20ed71af62d758a7b60a95212615701cf5e89d87dc6882566b9dd0819b5507a461f9428245490eb978cc8d6a31c79f629392b533e2379

Download Submit
C:\Users\Admin\AppData\Local\Temp\~5012917168046502632~\sg.tmp

Filesize
715KB

MD5
7c4718943bd3f66ebdb47ccca72c7b1e

SHA1
f9edfaa7adb8fa528b2e61b2b251f18da10a6969

SHA256
4cc32d00338fc7b206a7c052297acf9ac304ae7de9d61a2475a116959c1524fc

SHA512
e18c40d646fa4948f90f7471da55489df431f255041ebb6dcef86346f91078c9b27894e27216a4b2fe2a1c5e501c7953c77893cf696930123d28a322d49e1516

Download Submit
memory/1516-316-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1516-257-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1516-4-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1516-0-0x0000000000400000-0x0000000000613000-memory.dmp

Filesize
2.1MB

Download
memory/1516-200-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1516-183-0x0000000000400000-0x0000000000613000-memory.dmp

Filesize
2.1MB

Download
memory/1516-233-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2324-277-0x0000000073E70000-0x00000000743FC000-memory.dmp

Filesize
5.5MB

Download
memory/2324-261-0x0000000073E70000-0x00000000743FC000-memory.dmp

Filesize
5.5MB

Download
memory/2324-23-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/2324-202-0x0000000000400000-0x00000000006B9000-memory.dmp

Filesize
2.7MB

Download
memory/2324-258-0x0000000073E70000-0x00000000743FC000-memory.dmp

Filesize
5.5MB

Download
memory/2324-209-0x0000000000400000-0x00000000006B9000-memory.dmp

Filesize
2.7MB

Download
memory/2324-264-0x0000000073E70000-0x00000000743FC000-memory.dmp

Filesize
5.5MB

Download
memory/2324-210-0x0000000000400000-0x00000000006B9000-memory.dmp

Filesize
2.7MB

Download
memory/2324-288-0x0000000073E70000-0x00000000743FC000-memory.dmp

Filesize
5.5MB

Download
memory/2324-24-0x0000000000400000-0x00000000006B9000-memory.dmp

Filesize
2.7MB

Download
memory/2324-314-0x0000000073E70000-0x00000000743FC000-memory.dmp

Filesize
5.5MB

Download
memory/2324-201-0x0000000000400000-0x00000000006B9000-memory.dmp

Filesize
2.7MB

Download
memory/2324-317-0x0000000073E70000-0x00000000743FC000-memory.dmp

Filesize
5.5MB

Download
memory/2324-320-0x0000000073E70000-0x00000000743FC000-memory.dmp

Filesize
5.5MB

Download
memory/2324-323-0x0000000073E70000-0x00000000743FC000-memory.dmp

Filesize
5.5MB

Download
memory/2324-326-0x0000000073E70000-0x00000000743FC000-memory.dmp

Filesize
5.5MB

Download
memory/2324-331-0x0000000073E70000-0x00000000743FC000-memory.dmp

Filesize
5.5MB

Download
memory/2324-336-0x0000000073E70000-0x00000000743FC000-memory.dmp

Filesize
5.5MB

Download