Analysis
  max time kernel: 149s
  max time network: 155s
  platform: windows10-2004_x64
  resource: win10v2004-20241007-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 28-12-2024 12:23

Static task: static1
Behavioral task: behavioral1
  Sample: 2024-12-28_55b322fb7b471824b829dbc851598f79_bkransomware_floxif_hijackloader.exe
  Resource: win7-20240903-en
General
  Target: 2024-12-28_55b322fb7b471824b829dbc851598f79_bkransomware_floxif_hijackloader.exe
  Size: 14.4MB
  MD5: 55b322fb7b471824b829dbc851598f79
  SHA1: 3c2262c5415b05876845e1552ce014a565cf1c68
  SHA256: 9882d6299dbf72f54b9c4ebab591176f41c46d27a16009dc853ad8361931258f
  SHA512: 81246ab755237cd0ab453255c5a89ab49eb6180348b0d565f8dfb69b1acb7110beb303bcd63a57f4c124147090f36b097279bc1e411950e9114b123e679ade1a
  SSDEEP: 98304:8TDtQIZETGdOfW0+bs0ZmjBjcaw2lsuze/iBXsLVMZHvOyGCPvPZcDByQNdXCd0G:8Vt30t0u/Zk2eXCd0LWkVgeXSp
Malware Config
Signatures

Floxif family

Detects Floxif payload (1 IoC)
  resource: behavioral2/files/0x0008000000023c7f-1.dat  yara_rule: floxif

A potential corporate email address has been identified in the URL: [email protected]

ACProtect 1.3x - 1.4x DLL software (1 IoC)
  Detects file using ACProtect software.
  resource: behavioral2/files/0x0008000000023c7f-1.dat  yara_rule: acprotect

Loads dropped DLL (1 IoC)
  pid 3312  2024-12-28_55b322fb7b471824b829dbc851598f79_bkransomware_floxif_hijackloader.exe

Enumerates connected drives (3 TTPs, 1 IoC)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only)  \??\e:  2024-12-28_55b322fb7b471824b829dbc851598f79_bkransomware_floxif_hijackloader.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  pid 3312  2024-12-28_55b322fb7b471824b829dbc851598f79_bkransomware_floxif_hijackloader.exe

UPX packed file (4 IoCs, yara_rule: upx)
  behavioral2/memory/3312-3-0x0000000010000000-0x0000000010030000-memory.dmp
  behavioral2/files/0x0008000000023c7f-1.dat
  behavioral2/memory/3312-49-0x0000000010000000-0x0000000010030000-memory.dmp
  behavioral2/memory/3312-78-0x0000000010000000-0x0000000010030000-memory.dmp

Drops file in Program Files directory (2 IoCs)
  File created  C:\Program Files\Common Files\System\symsrv.dll  2024-12-28_55b322fb7b471824b829dbc851598f79_bkransomware_floxif_hijackloader.exe
  File created  \??\c:\program files\common files\system\symsrv.dll.000  2024-12-28_55b322fb7b471824b829dbc851598f79_bkransomware_floxif_hijackloader.exe

System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  2024-12-28_55b322fb7b471824b829dbc851598f79_bkransomware_floxif_hijackloader.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  msedge.exe
  Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  msedge.exe

Modifies Internet Explorer settings (1 IoC)
  Set value (int)  \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Toast.gom = "11000"  2024-12-28_55b322fb7b471824b829dbc851598f79_bkransomware_floxif_hijackloader.exe

Modifies system certificate store (3 IoCs)
  Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\925A8F8D2C6D04E0665F596AFF22D863E8256F3F  2024-12-28_55b322fb7b471824b829dbc851598f79_bkransomware_floxif_hijackloader.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\925A8F8D2C6D04E0665F596AFF22D863E8256F3F\Blob = <blob data omitted>  2024-12-28_55b322fb7b471824b829dbc851598f79_bkransomware_floxif_hijackloader.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\925A8F8D2C6D04E0665F596AFF22D863E8256F3F\Blob = <blob data omitted>  2024-12-28_55b322fb7b471824b829dbc851598f79_bkransomware_floxif_hijackloader.exe

Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid 3312  2024-12-28_55b322fb7b471824b829dbc851598f79_bkransomware_floxif_hijackloader.exe  (x2)
  pid 5104  msedge.exe  (x2)
  pid 4176  msedge.exe  (x2)
  pid 4528  identity_helper.exe  (x2)
  pid 1896  msedge.exe  (x4)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (9 IoCs)
  pid 4176  msedge.exe  (x9)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege  pid 3312  2024-12-28_55b322fb7b471824b829dbc851598f79_bkransomware_floxif_hijackloader.exe

Suspicious use of FindShellTrayWindow (26 IoCs)
  pid 3312  2024-12-28_55b322fb7b471824b829dbc851598f79_bkransomware_floxif_hijackloader.exe  (x1)
  pid 4176  msedge.exe  (x25)

Suspicious use of SendNotifyMessage (25 IoCs)
  pid 3312  2024-12-28_55b322fb7b471824b829dbc851598f79_bkransomware_floxif_hijackloader.exe  (x1)
  pid 4176  msedge.exe  (x24)

Suspicious use of SetWindowsHookEx (6 IoCs)
  pid 3312  2024-12-28_55b322fb7b471824b829dbc851598f79_bkransomware_floxif_hijackloader.exe  (x6)

Suspicious use of WriteProcessMemory (64 IoCs)
  64 entries in total; listed by distinct (writer -> target) pair, with the procid_target column shown last.
  PID 3312 wrote to memory of 4176  2024-12-28_55b322fb7b471824b829dbc851598f79_bkransomware_floxif_hijackloader.exe  82  (x2)
  PID 4176 wrote to memory of 2292  msedge.exe  83  (x2)
  PID 4176 wrote to memory of 4120  msedge.exe  84  (repeated; the bulk of the entries)
  PID 4176 wrote to memory of 5104  msedge.exe  85  (x2)
  PID 4176 wrote to memory of 4208  msedge.exe  86  (repeated)
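The host-side artifacts attributed to PID 3312 above (symsrv.dll written under Common Files\System, a new AuthRoot certificate with thumbprint 925A8F8D2C6D04E0665F596AFF22D863E8256F3F, and the FEATURE_BROWSER_EMULATION value) are what a responder would hunt for in endpoint telemetry. The following is an added example and not part of the sandbox report: a small Python matcher for Sysmon-style FileCreate (event 11) and RegistryEvent (events 12 and 13) records. The event dicts, field names and rule names are assumptions for illustration; the sample events are constructed to mirror the report's IoCs and were not captured from the run.

```python
import re

# Indicators copied from the report's Signatures section (PID 3312).
DROPPED_FILES = {
    r"c:\program files\common files\system\symsrv.dll",
    r"c:\program files\common files\system\symsrv.dll.000",
}
AUTHROOT_THUMBPRINT = "925A8F8D2C6D04E0665F596AFF22D863E8256F3F"

# Anchored on the SystemCertificates subtree so it matches both the sandbox's
# \REGISTRY\MACHINE\... spelling and Sysmon's HKLM\... spelling of the same key.
_AUTHROOT_RE = re.compile(
    r"\\SystemCertificates\\AuthRoot\\Certificates\\([0-9A-Fa-f]{40})(?:\\|$)"
)
_IE_EMULATION_RE = re.compile(
    r"\\Internet Explorer\\Main\\FeatureControl\\FEATURE_BROWSER_EMULATION\\([^\\]+)$",
    re.IGNORECASE,
)


def _norm_path(path):
    """Fold the sandbox's \\??\\c:\\... form and Sysmon's C:\\... form to one lower-case form."""
    path = path.lower()
    return path[4:] if path.startswith("\\??\\") else path


def check_event(ev):
    """Return (rule, detail) hits for one Sysmon-style event dict. Rule names are this example's own."""
    hits = []
    eid = ev.get("EventID")
    if eid == 11:  # FileCreate
        path = _norm_path(ev.get("TargetFilename", ""))
        if path in DROPPED_FILES:
            hits.append(("floxif_symsrv_dropped", path))
        elif path.startswith("c:\\program files") and path.endswith(".dll"):
            hits.append(("dll_written_to_program_files", path))
    elif eid in (12, 13):  # RegistryEvent: key create (12) / value set (13)
        obj = ev.get("TargetObject", "")
        m = _AUTHROOT_RE.search(obj)
        if m:
            thumb = m.group(1).upper()
            rule = ("authroot_cert_known_floxif_thumbprint"
                    if thumb == AUTHROOT_THUMBPRINT else "authroot_cert_installed")
            hits.append((rule, thumb))
        m = _IE_EMULATION_RE.search(obj)
        if m:
            hits.append(("ie_browser_emulation_set", m.group(1)))
    return hits


def scan(events):
    """Group hits by ProcessId. A process is flagged floxif_like only when it both drops
    symsrv.dll and writes AuthRoot, the pairing this report shows for PID 3312; either
    alone (a debugger package installing symsrv.dll, an admin importing a root) is not enough."""
    by_pid = {}
    for ev in events:
        for hit in check_event(ev):
            by_pid.setdefault(ev.get("ProcessId"), []).append(hit)
    verdicts = {}
    for pid, hits in by_pid.items():
        rules = {rule for rule, _ in hits}
        floxif_like = ("floxif_symsrv_dropped" in rules
                       and any(r.startswith("authroot_cert") for r in rules))
        verdicts[pid] = {"hits": hits, "floxif_like": floxif_like}
    return verdicts


# Constructed sample telemetry mirroring the report's IoCs; not captured from the run.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-12-28_55b322fb7b471824b829dbc851598f79_bkransomware_floxif_hijackloader.exe"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
AUTHROOT = "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\" + AUTHROOT_THUMBPRINT
SAMPLE_EVENTS = [
    {"EventID": 11, "ProcessId": 3312, "Image": SAMPLE,
     "TargetFilename": r"C:\Program Files\Common Files\System\symsrv.dll"},
    {"EventID": 11, "ProcessId": 3312, "Image": SAMPLE,
     "TargetFilename": r"\??\c:\program files\common files\system\symsrv.dll.000"},
    {"EventID": 12, "ProcessId": 3312, "Image": SAMPLE, "TargetObject": AUTHROOT},
    {"EventID": 13, "ProcessId": 3312, "Image": SAMPLE, "TargetObject": AUTHROOT + r"\Blob",
     "Details": "Binary Data"},
    {"EventID": 13, "ProcessId": 3312, "Image": SAMPLE,
     "TargetObject": r"HKU\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft"
                     r"\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Toast.gom",
     "Details": "DWORD (0x00002af8)"},
    # Benign Edge cache write taken from the report's Downloads list: must not trigger anything.
    {"EventID": 11, "ProcessId": 4176, "Image": EDGE,
     "TargetFilename": r"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index"},
]

if __name__ == "__main__":
    for pid, verdict in scan(SAMPLE_EVENTS).items():
        print(pid, "floxif_like" if verdict["floxif_like"] else "suspicious only")
        for rule, detail in verdict["hits"]:
            print("   ", rule, detail)
```

The AuthRoot write is the indicator worth keying on: a user-mode installer writing under HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot needs administrative rights, which fits the SeDebugPrivilege token adjustment the report also records for PID 3312, and a successful write means TLS and Authenticode trust on the host can no longer be assumed until that certificate is removed. To run this against real telemetry, build the event dicts from an EVTX or XML export with the same field names.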
Processes

[1] PID 3312  2024-12-28_55b322fb7b471824b829dbc851598f79_bkransomware_floxif_hijackloader.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-12-28_55b322fb7b471824b829dbc851598f79_bkransomware_floxif_hijackloader.exe"
    - Loads dropped DLL
    - Enumerates connected drives
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

  [2] PID 4176  msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://playinfo.gomlab.com/ending_browser.gom?product=GOMPLAYER
      - Enumerates system info in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

    [3] PID 2292  msedge.exe (crashpad-handler)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ffc0c6c46f8,0x7ffc0c6c4708,0x7ffc0c6c4718

    [3] PID 4120  msedge.exe (gpu-process)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,17246558092727790307,2028035443726326955,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:2

    [3] PID 5104  msedge.exe (utility: network.mojom.NetworkService)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2196,17246558092727790307,2028035443726326955,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
        - Suspicious behavior: EnumeratesProcesses

    [3] PID 4208  msedge.exe (utility: storage.mojom.StorageService)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2196,17246558092727790307,2028035443726326955,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8

    [3] PID 4128  msedge.exe (renderer 6)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17246558092727790307,2028035443726326955,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1

    [3] PID 3936  msedge.exe (renderer 5)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17246558092727790307,2028035443726326955,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1

    [3] PID 3924  msedge.exe (renderer 7)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17246558092727790307,2028035443726326955,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1

    [3] PID 3228  msedge.exe (renderer 8)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17246558092727790307,2028035443726326955,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1

    [3] PID 3172  msedge.exe (renderer 9)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17246558092727790307,2028035443726326955,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1

    [3] PID 436  identity_helper.exe (utility: winrt_app_id.mojom.WinrtAppIdService)
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,17246558092727790307,2028035443726326955,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5988 /prefetch:8

    [3] PID 4528  identity_helper.exe (utility: winrt_app_id.mojom.WinrtAppIdService)
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,17246558092727790307,2028035443726326955,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5988 /prefetch:8
        - Suspicious behavior: EnumeratesProcesses

    [3] PID 3716  msedge.exe (renderer 11)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17246558092727790307,2028035443726326955,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:1

    [3] PID 1896  msedge.exe (renderer 12, instant process)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17246558092727790307,2028035443726326955,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:1

    [3] PID 4996  msedge.exe (renderer 13)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17246558092727790307,2028035443726326955,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3992 /prefetch:1

    [3] PID 4396  msedge.exe (renderer 14, instant process)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17246558092727790307,2028035443726326955,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:1

    [3] PID 1896  msedge.exe (gpu-process, sandbox disabled)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,17246558092727790307,2028035443726326955,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1752 /prefetch:2
        - Suspicious behavior: EnumeratesProcesses

[1] PID 3640  CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding

[1] PID 992  CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
  Defense Evasion
    Modify Registry (2)
    Subvert Trust Controls (1)
      Install Root Certificate (1)
Downloads

- Filesize: 67KB
  MD5: 7574cf2c64f35161ab1292e2f532aabf
  SHA1: 14ba3fa927a06224dfe587014299e834def4644f
  SHA256: de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085
  SHA512: 4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

- Filesize: 152B
  MD5: 36988ca14952e1848e81a959880ea217
  SHA1: a0482ef725657760502c2d1a5abe0bb37aebaadb
  SHA256: d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6
  SHA512: d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173

- Filesize: 152B
  MD5: fab8d8d865e33fe195732aa7dcb91c30
  SHA1: 2637e832f38acc70af3e511f5eba80fbd7461f2c
  SHA256: 1b034ffe38e534e2b7a21be7c1f207ff84a1d5f3893207d0b4bb1a509b4185ea
  SHA512: 39a3d43ef7e28fea2cb247a5d09576a4904a43680db8c32139f22a03d80f6ede98708a2452f3f82232b868501340f79c0b3f810f597bcaf5267c3ccfb1704b43

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 912B
  MD5: f34a3193408ede8ac8322d9d8823772e
  SHA1: 6013ca8e7553be78cd1e437165f2f03bfe80c347
  SHA256: 3743d33b25b3b76806befaae1037be51237668b73b38267cec964ddf12f4630c
  SHA512: 5ace9e9abf48f9a346a622a564555f8b8ab418203fa71a599b1173551298f3ba2db437887fe440a8328ef768761d2a6ebf1edbc359b7809cb9d7e79f2f790e38

- Filesize: 4KB
  MD5: 47c75c0ba81621284f972835bfd18615
  SHA1: 0de44413caea3f92bb814db277bff4c578c342ba
  SHA256: 2f0195d3ea3772e678d76769fc2065f91f333f84ce3239dc9c0a7493012b3cc8
  SHA512: 3b87275f14da8082834a4a5baee7071d2e8d2ac35bebdc61d1d9877da93c0f1ae06f6bb49e6a84497a2903f89e798b5da1ef91b161c6a574fad1c007061e96f9

- Filesize: 5KB
  MD5: 16788db22d2dcb0455e67bc404c2a906
  SHA1: f702efa3140ecd8cda7dcf60340424d0cdb0cfea
  SHA256: 0a1e5201d13204a6af72601bcf45b24e05f6759e7506da90b0bfda0c6bc5b219
  SHA512: 72163c395aabd5f531330a0db3f0cfb6981ff158b153f25a91c2618bc75b6465d49fc8977080263d4036737a61911ef7746926304446f02698df35427e9b5fd0

- Filesize: 9KB
  MD5: 30e53b1f6d4e0e4dc6637979921c80bd
  SHA1: a6232e5ee066b1f4a6904f7f6088106f31a41fb2
  SHA256: f76a362d2d85174419c1ec9a740f15d54875c84ca20a525b76ffe5755e8c7528
  SHA512: 2be484170e94f6a732f7c6cc322493de07ebca5b8fd70a6c127c0caab8dec24018a648a21b43f888bfb9790c30279d8d0e0353d3cec7f37d7f9dc47a4525776e

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
  Filesize: 72B
  MD5: 76f38cc185ce261b3459e7cae2337237
  SHA1: e4ed35dc2abb87b8bb6b4bcb8ca4958044836f6f
  SHA256: bf7bcf6ad539008432ebde77bf1f7fb0510d98a46e6c00c817b11cd5f39b2f07
  SHA512: c39343ece12111673b51fbd89ad361c9cc36ae9ce37242c09801cace6233a28539b41d6e90dc4c942fc2947f82865f99c4ea3e1383d496129d9bd3b602e356d3

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe583c49.TMP
  Filesize: 48B
  MD5: 8fc97914b891011d8928aa27dd6accf7
  SHA1: 9de8a53efad462fcaa6a2f4cabe795cfdac162e9
  SHA256: ed538f18a1c17af6ca31057cb3f26c09bbfc9f76d6c8b31aa8c3d5e4af560b4e
  SHA512: 8e4ab440fe84d0d6b3fae32ecb7df9a213d8d94cf2c4447b9af62c98a9fb5d8cc8d060a636c117dd86b8b0ad538d580b6584f3b1296138b420a846e49b4a605a

- Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

- Filesize: 10KB
  MD5: 7da72885315a3e9d06d5776a85990efa
  SHA1: 744121aead3dbab1493f40928e9c6926c88c440f
  SHA256: f205ad0efb876122d811b76ff668c47dbf4f0e407995ed1db220738e246356ce
  SHA512: 85c972adc6a68d43cc6f15e69810804db3ab3aed530d2dc08f776c0e5ef2ba3bf74165e0d52c454b5bf7899a69eebfdca79dde9ab178ca752373cd394206c05f

- Filesize: 14.3MB
  MD5: 7740b91aa5877cd86117db93dc5b0426
  SHA1: b02a401b86aaa41768a15e4f027dccb812341fb7
  SHA256: 44df3a987ad432ea7942d8923dd2a8e29f3204119274ace5b0c5181838557564
  SHA512: 88890d8956872c8369ed2b3ede2349ae7021a770182dc3904f1ed983ae006355067d294abd0c5d77fc40c20cbad9e33e76bb29fd4d778f11079926bbc58e810f