floxif | 68f37e5e4fa62f7b37e2c0d3397a8eaf010b1bf99dc955166c067cf0efebd7a5

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10/01/2025, 08:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-10_8d7d56e290266a313874b9f9efca4573_bkransomware_floxif.exe
Size

26.9MB
MD5

8d7d56e290266a313874b9f9efca4573
SHA1

4bf0343454ed6b091cd125a1054eed8e542eab79
SHA256

68f37e5e4fa62f7b37e2c0d3397a8eaf010b1bf99dc955166c067cf0efebd7a5
SHA512

e43956e5fcb4c4b317dbe4b260f8691682358c0b5c3dd2903549e19dd54f3413b7bcb3e44a9b6d92425d769f78f8d496c7a425914a5275aba4a93a6c1df34838
SSDEEP

786432:JR+SCntaUfOGhTwRoZJOH+vm2vgYCiY5SIiRf:JR+LnNOG5Jn6YCi79f

Score

10^/10

floxif backdoor discovery trojan upx

Malware Config

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif

Detects Floxif payload 1 IoCs

backdoor

resource	yara_rule
behavioral1/files/0x0007000000012117-1.dat	floxif

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0007000000012117-1.dat	acprotect

Executes dropped EXE 3 IoCs

pid	Process
2916	InstallationPathWriter.exe
3036	SWMAgent.exe
1532	sAgentSetup.exe

Loads dropped DLL 31 IoCs

pid	Process
2232	2025-01-10_8d7d56e290266a313874b9f9efca4573_bkransomware_floxif.exe
2928	MsiExec.exe
2928	MsiExec.exe
2980	MsiExec.exe
2980	MsiExec.exe
1740	MsiExec.exe
1740	MsiExec.exe
1740	MsiExec.exe
1740	MsiExec.exe
2596	msiexec.exe
2596	msiexec.exe
2596	msiexec.exe
2596	msiexec.exe
2596	msiexec.exe
2596	msiexec.exe
2596	msiexec.exe
2596	msiexec.exe
2596	msiexec.exe
2596	msiexec.exe
2596	msiexec.exe
2596	msiexec.exe
2596	msiexec.exe
2596	msiexec.exe
2596	msiexec.exe
2596	msiexec.exe
2596	msiexec.exe
2596	msiexec.exe
2596	msiexec.exe
2596	msiexec.exe
2596	msiexec.exe
2232	2025-01-10_8d7d56e290266a313874b9f9efca4573_bkransomware_floxif.exe

Blocklisted process makes network request 6 IoCs

flow	pid	Process
3	2596	msiexec.exe
5	2596	msiexec.exe
9	2596	msiexec.exe
11	2596	msiexec.exe
14	2596	msiexec.exe
17	2384	msiexec.exe

Enumerates connected drives 3 TTPs 47 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\e:	2025-01-10_8d7d56e290266a313874b9f9efca4573_bkransomware_floxif.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000012117-1.dat	upx
behavioral1/memory/2232-3-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2232-212-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2232-360-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Samsung\SW Update\Help\SW_Update_RUM.chm	msiexec.exe
File created	C:\Program Files (x86)\Samsung\SW Update\Help\SW_Update_VIE.chm	msiexec.exe
File opened for modification	C:\Program Files (x86)\Samsung\SW Update\Help\SW_Update_GRE.chm	msiexec.exe
File opened for modification	C:\Program Files (x86)\Samsung\SW Update\Help\SW_Update_UZB.chm	msiexec.exe
File opened for modification	C:\Program Files (x86)\Samsung\SW Update\SWM_ChangeShortcutToChinese.exe	msiexec.exe
File opened for modification	C:\Program Files (x86)\Samsung\SW Update\Help\SW_Update_DAN.chm	msiexec.exe
File opened for modification	C:\Program Files (x86)\Samsung\SW Update\Help\SW_Update_SCC.chm	msiexec.exe
File opened for modification	C:\Program Files (x86)\Samsung\SW Update\Help\SW_Update_HIN.chm	msiexec.exe
File created	C:\Program Files (x86)\Samsung\SW Update\Help\SW_Update_POL.chm	msiexec.exe
File created	C:\Program Files (x86)\Samsung\SW Update\Help\SW_Update_UZB.chm	msiexec.exe
File opened for modification	C:\Program Files (x86)\Samsung\SW Update\Help\SW_Update_MAY.chm	msiexec.exe
File created	C:\Program Files (x86)\Samsung\SW Update\Help\SW_Update_FRE.chm	msiexec.exe
File created	C:\Program Files (x86)\Samsung\SW Update\Help\SW_Update_FAR.chm	msiexec.exe
File opened for modification	C:\Program Files (x86)\Samsung\SW Update\Help\SW_Update_UKR.chm	msiexec.exe
File opened for modification	C:\Program Files (x86)\Samsung\SW Update\sManager.lang	msiexec.exe
File created	C:\Program Files (x86)\Samsung\SW Update\Help\SW_Update_GER.chm	msiexec.exe
File created	C:\Program Files (x86)\Samsung\SW Update\sManager.ico	msiexec.exe
File created	C:\Program Files (x86)\Samsung\SW Update\Help\SW_Update_NOR.chm	msiexec.exe
File created	C:\Program Files (x86)\Samsung\SW Update\Help\SW_Update_HUN.chm	msiexec.exe
File created	C:\Program Files (x86)\Samsung\SW Update\Help\SW_Update_BUL.chm	msiexec.exe
File created	C:\Program Files (x86)\Samsung\SW Update\Help\SW_Update_SCC.chm	msiexec.exe
File opened for modification	C:\Program Files (x86)\Samsung\SW Update\Help\SW_Update_ENG.chm	msiexec.exe
File opened for modification	C:\Program Files (x86)\Samsung\SW Update\Help\SW_Update_THA.chm	msiexec.exe
File created	\??\c:\program files\common files\system\symsrv.dll.000	2025-01-10_8d7d56e290266a313874b9f9efca4573_bkransomware_floxif.exe
File created	C:\Program Files (x86)\Samsung\SW Update\Help\SW_Update_CZE.chm	msiexec.exe
File created	C:\Program Files (x86)\Samsung\SW Update\Help\SW_Update_AZE.chm	msiexec.exe
File opened for modification	C:\Program Files (x86)\Samsung\SW Update\Help\SW_Update_TUR.chm	msiexec.exe
File opened for modification	C:\Program Files (x86)\Samsung\SW Update\Help\SW_Update_SLV.chm	msiexec.exe
File opened for modification	C:\Program Files (x86)\Samsung\SW Update\SWMSetupCustomAction.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\Samsung\SW Update\Help\SW_Update_CHT-TW.chm	msiexec.exe
File created	C:\Program Files (x86)\Samsung\SW Update\Help\SW_Update_RUS.chm	msiexec.exe
File created	C:\Program Files (x86)\Samsung\SW Update\SecSWMgrGuide.exe	msiexec.exe
File created	C:\Program Files (x86)\Samsung\SW Update\sManager.exe	msiexec.exe
File created	C:\Program Files (x86)\Samsung\SW Update\Help\SW_Update_SWE.chm	msiexec.exe
File created	C:\Program Files (x86)\Samsung\SW Update\Help\SW_Update_KOR.chm	msiexec.exe
File created	C:\Program Files (x86)\Samsung\SW Update\License.txt	msiexec.exe
File created	C:\Program Files (x86)\Samsung\SW Update\Help\SW_Update_HIN.chm	msiexec.exe
File opened for modification	C:\Program Files (x86)\Samsung\SW Update\Help\SW_Update_FIN.chm	msiexec.exe
File created	C:\Program Files (x86)\Samsung\SW Update\Help\SW_Update_SPA.chm	msiexec.exe
File created	C:\Program Files (x86)\Samsung\SW Update\SWMSetupCustomAction.dll	msiexec.exe
File created	C:\Program Files (x86)\Samsung\SW Update\Help\SW_Update_RUM.chm	msiexec.exe
File opened for modification	C:\Program Files (x86)\Samsung\SW Update\Help\SW_Update_VIE.chm	msiexec.exe
File opened for modification	C:\Program Files (x86)\Samsung\SW Update\Help\SW_Update_SLO.chm	msiexec.exe
File opened for modification	C:\Program Files (x86)\Samsung\SW Update\Help\SW_Update_POL.chm	msiexec.exe
File opened for modification	C:\Program Files (x86)\Samsung\SW Update\Help\SW_Update_HUN.chm	msiexec.exe
File opened for modification	C:\Program Files (x86)\Samsung\SW Update\Help\SW_Update_BUL.chm	msiexec.exe
File created	C:\Program Files (x86)\Samsung\SW Update\Help\SW_Update_SLO.chm	msiexec.exe
File opened for modification	C:\Program Files (x86)\Samsung\SW Update\Help\SW_Update_KAZ.chm	msiexec.exe
File created	C:\Program Files (x86)\Samsung\SW Update\Help\SW_Update_SLV.chm	msiexec.exe
File created	C:\Program Files (x86)\Samsung\SW Update\SWM_ChangeShortcutToChinese.exe	msiexec.exe
File created	C:\Program Files (x86)\Samsung\SW Update\Help\SW_Update_JPN.chm	msiexec.exe
File opened for modification	C:\Program Files (x86)\Samsung\SW Update\sManager.ico	msiexec.exe
File opened for modification	C:\Program Files (x86)\Samsung\SW Update\Help\SW_Update_JPN.chm	msiexec.exe
File opened for modification	C:\Program Files (x86)\Samsung\SW Update\Help\SW_Update_POR.chm	msiexec.exe
File created	C:\Program Files (x86)\Samsung\SW Update\Help\SW_Update_MAY.chm	msiexec.exe
File created	C:\Program Files (x86)\Samsung\SW Update\Help\SW_Update_GRE.chm	msiexec.exe
File opened for modification	C:\Program Files (x86)\Samsung\SW Update\Help\SW_Update_DUT.chm	msiexec.exe
File opened for modification	C:\Program Files (x86)\Samsung\SW Update\Help\SW_Update_GER.chm	msiexec.exe
File opened for modification	C:\Program Files (x86)\Samsung\SW Update\Help\SW_Update_CZE.chm	msiexec.exe
File created	C:\Program Files (x86)\Samsung\SW Update\Help\SW_Update_POR.chm	msiexec.exe
File created	C:\Program Files (x86)\Samsung\SW Update\Help\SW_Update_SCR.chm	msiexec.exe
File created	C:\Program Files (x86)\Samsung\SW Update\Help\SW_Update_CHS.chm	msiexec.exe
File opened for modification	C:\Program Files (x86)\Samsung\SW Update\Help\SW_Update_BRA.chm	msiexec.exe
File opened for modification	C:\Program Files (x86)\Samsung\SW Update\Help\SW_Update_SWE.chm	msiexec.exe

Drops file in Windows directory 16 IoCs

description	ioc	Process
File created	C:\Windows\Installer\f771584.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI17A4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\{0119B3FC-1945-40CB-B800-4650D842B5A8}\_CB86965994743466168D23.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\f771585.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI18DD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1CA5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{0119B3FC-1945-40CB-B800-4650D842B5A8}\_853F67D554F05449430E7E.exe	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File created	C:\Windows\Installer\f771585.ipi	msiexec.exe
File created	C:\Windows\Installer\f771587.msi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\f771584.msi	msiexec.exe
File created	C:\Windows\Installer\{0119B3FC-1945-40CB-B800-4650D842B5A8}\_853F67D554F05449430E7E.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{0119B3FC-1945-40CB-B800-4650D842B5A8}\_CB86965994743466168D23.exe	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sAgentSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-10_8d7d56e290266a313874b9f9efca4573_bkransomware_floxif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SWMAgent.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Kills process with taskkill 6 IoCs

evasion

pid	Process
2792	taskkill.exe
2092	taskkill.exe
2244	taskkill.exe
2404	taskkill.exe
2780	taskkill.exe
2708	taskkill.exe

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe

Modifies registry class 23 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\CF3B91105491BC048B0064058D245B8A\DefaultFeature	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\BF3805105D8948C4D93B598B404C92A9	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CF3B91105491BC048B0064058D245B8A\Version = "33685566"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CF3B91105491BC048B0064058D245B8A\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CF3B91105491BC048B0064058D245B8A\SourceList\PackageName = "sManagerSetup.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CF3B91105491BC048B0064058D245B8A\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Samsung\\SWUpdate\\Setup\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CF3B91105491BC048B0064058D245B8A	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CF3B91105491BC048B0064058D245B8A\ProductName = "Samsung Update"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CF3B91105491BC048B0064058D245B8A\PackageCode = "ECED27BB0246EE14EB277654BB565B9A"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CF3B91105491BC048B0064058D245B8A\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CF3B91105491BC048B0064058D245B8A\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CF3B91105491BC048B0064058D245B8A\SourceList\Net\1 = "C:\\ProgramData\\Samsung\\SWUpdate\\Setup\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CF3B91105491BC048B0064058D245B8A\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CF3B91105491BC048B0064058D245B8A\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\CF3B91105491BC048B0064058D245B8A	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CF3B91105491BC048B0064058D245B8A\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CF3B91105491BC048B0064058D245B8A\AuthorizedLUAApp = "0"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CF3B91105491BC048B0064058D245B8A\Clients = 3a0000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CF3B91105491BC048B0064058D245B8A\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\BF3805105D8948C4D93B598B404C92A9\CF3B91105491BC048B0064058D245B8A	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CF3B91105491BC048B0064058D245B8A\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CF3B91105491BC048B0064058D245B8A\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CF3B91105491BC048B0064058D245B8A\ProductIcon = "C:\\Windows\\Installer\\{0119B3FC-1945-40CB-B800-4650D842B5A8}\\_853F67D554F05449430E7E.exe"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2232	2025-01-10_8d7d56e290266a313874b9f9efca4573_bkransomware_floxif.exe
2384	msiexec.exe
2384	msiexec.exe
1740	MsiExec.exe
1740	MsiExec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2232	2025-01-10_8d7d56e290266a313874b9f9efca4573_bkransomware_floxif.exe
Token: SeDebugPrivilege	2708	taskkill.exe
Token: SeDebugPrivilege	2780	taskkill.exe
Token: SeShutdownPrivilege	2596	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2596	msiexec.exe
Token: SeRestorePrivilege	2384	msiexec.exe
Token: SeTakeOwnershipPrivilege	2384	msiexec.exe
Token: SeSecurityPrivilege	2384	msiexec.exe
Token: SeCreateTokenPrivilege	2596	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2596	msiexec.exe
Token: SeLockMemoryPrivilege	2596	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2596	msiexec.exe
Token: SeMachineAccountPrivilege	2596	msiexec.exe
Token: SeTcbPrivilege	2596	msiexec.exe
Token: SeSecurityPrivilege	2596	msiexec.exe
Token: SeTakeOwnershipPrivilege	2596	msiexec.exe
Token: SeLoadDriverPrivilege	2596	msiexec.exe
Token: SeSystemProfilePrivilege	2596	msiexec.exe
Token: SeSystemtimePrivilege	2596	msiexec.exe
Token: SeProfSingleProcessPrivilege	2596	msiexec.exe
Token: SeIncBasePriorityPrivilege	2596	msiexec.exe
Token: SeCreatePagefilePrivilege	2596	msiexec.exe
Token: SeCreatePermanentPrivilege	2596	msiexec.exe
Token: SeBackupPrivilege	2596	msiexec.exe
Token: SeRestorePrivilege	2596	msiexec.exe
Token: SeShutdownPrivilege	2596	msiexec.exe
Token: SeDebugPrivilege	2596	msiexec.exe
Token: SeAuditPrivilege	2596	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2596	msiexec.exe
Token: SeChangeNotifyPrivilege	2596	msiexec.exe
Token: SeRemoteShutdownPrivilege	2596	msiexec.exe
Token: SeUndockPrivilege	2596	msiexec.exe
Token: SeSyncAgentPrivilege	2596	msiexec.exe
Token: SeEnableDelegationPrivilege	2596	msiexec.exe
Token: SeManageVolumePrivilege	2596	msiexec.exe
Token: SeImpersonatePrivilege	2596	msiexec.exe
Token: SeCreateGlobalPrivilege	2596	msiexec.exe
Token: SeCreateTokenPrivilege	2596	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2596	msiexec.exe
Token: SeLockMemoryPrivilege	2596	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2596	msiexec.exe
Token: SeMachineAccountPrivilege	2596	msiexec.exe
Token: SeTcbPrivilege	2596	msiexec.exe
Token: SeSecurityPrivilege	2596	msiexec.exe
Token: SeTakeOwnershipPrivilege	2596	msiexec.exe
Token: SeLoadDriverPrivilege	2596	msiexec.exe
Token: SeSystemProfilePrivilege	2596	msiexec.exe
Token: SeSystemtimePrivilege	2596	msiexec.exe
Token: SeProfSingleProcessPrivilege	2596	msiexec.exe
Token: SeIncBasePriorityPrivilege	2596	msiexec.exe
Token: SeCreatePagefilePrivilege	2596	msiexec.exe
Token: SeCreatePermanentPrivilege	2596	msiexec.exe
Token: SeBackupPrivilege	2596	msiexec.exe
Token: SeRestorePrivilege	2596	msiexec.exe
Token: SeShutdownPrivilege	2596	msiexec.exe
Token: SeDebugPrivilege	2596	msiexec.exe
Token: SeAuditPrivilege	2596	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2596	msiexec.exe
Token: SeChangeNotifyPrivilege	2596	msiexec.exe
Token: SeRemoteShutdownPrivilege	2596	msiexec.exe
Token: SeUndockPrivilege	2596	msiexec.exe
Token: SeSyncAgentPrivilege	2596	msiexec.exe
Token: SeEnableDelegationPrivilege	2596	msiexec.exe
Token: SeManageVolumePrivilege	2596	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2596	msiexec.exe
2596	msiexec.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2232	2025-01-10_8d7d56e290266a313874b9f9efca4573_bkransomware_floxif.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2780	2232	2025-01-10_8d7d56e290266a313874b9f9efca4573_bkransomware_floxif.exe	30
PID 2232 wrote to memory of 2780	2232	2025-01-10_8d7d56e290266a313874b9f9efca4573_bkransomware_floxif.exe	30
PID 2232 wrote to memory of 2780	2232	2025-01-10_8d7d56e290266a313874b9f9efca4573_bkransomware_floxif.exe	30
PID 2232 wrote to memory of 2780	2232	2025-01-10_8d7d56e290266a313874b9f9efca4573_bkransomware_floxif.exe	30
PID 2232 wrote to memory of 2708	2232	2025-01-10_8d7d56e290266a313874b9f9efca4573_bkransomware_floxif.exe	32
PID 2232 wrote to memory of 2708	2232	2025-01-10_8d7d56e290266a313874b9f9efca4573_bkransomware_floxif.exe	32
PID 2232 wrote to memory of 2708	2232	2025-01-10_8d7d56e290266a313874b9f9efca4573_bkransomware_floxif.exe	32
PID 2232 wrote to memory of 2708	2232	2025-01-10_8d7d56e290266a313874b9f9efca4573_bkransomware_floxif.exe	32
PID 2232 wrote to memory of 2596	2232	2025-01-10_8d7d56e290266a313874b9f9efca4573_bkransomware_floxif.exe	35
PID 2232 wrote to memory of 2596	2232	2025-01-10_8d7d56e290266a313874b9f9efca4573_bkransomware_floxif.exe	35
PID 2232 wrote to memory of 2596	2232	2025-01-10_8d7d56e290266a313874b9f9efca4573_bkransomware_floxif.exe	35
PID 2232 wrote to memory of 2596	2232	2025-01-10_8d7d56e290266a313874b9f9efca4573_bkransomware_floxif.exe	35
PID 2232 wrote to memory of 2596	2232	2025-01-10_8d7d56e290266a313874b9f9efca4573_bkransomware_floxif.exe	35
PID 2232 wrote to memory of 2596	2232	2025-01-10_8d7d56e290266a313874b9f9efca4573_bkransomware_floxif.exe	35
PID 2232 wrote to memory of 2596	2232	2025-01-10_8d7d56e290266a313874b9f9efca4573_bkransomware_floxif.exe	35
PID 2384 wrote to memory of 2928	2384	msiexec.exe	37
PID 2384 wrote to memory of 2928	2384	msiexec.exe	37
PID 2384 wrote to memory of 2928	2384	msiexec.exe	37
PID 2384 wrote to memory of 2928	2384	msiexec.exe	37
PID 2384 wrote to memory of 2928	2384	msiexec.exe	37
PID 2384 wrote to memory of 2928	2384	msiexec.exe	37
PID 2384 wrote to memory of 2928	2384	msiexec.exe	37
PID 2384 wrote to memory of 2980	2384	msiexec.exe	42
PID 2384 wrote to memory of 2980	2384	msiexec.exe	42
PID 2384 wrote to memory of 2980	2384	msiexec.exe	42
PID 2384 wrote to memory of 2980	2384	msiexec.exe	42
PID 2384 wrote to memory of 2980	2384	msiexec.exe	42
PID 2384 wrote to memory of 2980	2384	msiexec.exe	42
PID 2384 wrote to memory of 2980	2384	msiexec.exe	42
PID 2384 wrote to memory of 1740	2384	msiexec.exe	43
PID 2384 wrote to memory of 1740	2384	msiexec.exe	43
PID 2384 wrote to memory of 1740	2384	msiexec.exe	43
PID 2384 wrote to memory of 1740	2384	msiexec.exe	43
PID 2384 wrote to memory of 1740	2384	msiexec.exe	43
PID 2384 wrote to memory of 1740	2384	msiexec.exe	43
PID 2384 wrote to memory of 1740	2384	msiexec.exe	43
PID 1740 wrote to memory of 2792	1740	MsiExec.exe	44
PID 1740 wrote to memory of 2792	1740	MsiExec.exe	44
PID 1740 wrote to memory of 2792	1740	MsiExec.exe	44
PID 1740 wrote to memory of 2792	1740	MsiExec.exe	44
PID 1740 wrote to memory of 2092	1740	MsiExec.exe	46
PID 1740 wrote to memory of 2092	1740	MsiExec.exe	46
PID 1740 wrote to memory of 2092	1740	MsiExec.exe	46
PID 1740 wrote to memory of 2092	1740	MsiExec.exe	46
PID 1740 wrote to memory of 2244	1740	MsiExec.exe	47
PID 1740 wrote to memory of 2244	1740	MsiExec.exe	47
PID 1740 wrote to memory of 2244	1740	MsiExec.exe	47
PID 1740 wrote to memory of 2244	1740	MsiExec.exe	47
PID 1740 wrote to memory of 2404	1740	MsiExec.exe	49
PID 1740 wrote to memory of 2404	1740	MsiExec.exe	49
PID 1740 wrote to memory of 2404	1740	MsiExec.exe	49
PID 1740 wrote to memory of 2404	1740	MsiExec.exe	49
PID 1740 wrote to memory of 1704	1740	MsiExec.exe	52
PID 1740 wrote to memory of 1704	1740	MsiExec.exe	52
PID 1740 wrote to memory of 1704	1740	MsiExec.exe	52
PID 1740 wrote to memory of 1704	1740	MsiExec.exe	52
PID 1740 wrote to memory of 2916	1740	MsiExec.exe	53
PID 1740 wrote to memory of 2916	1740	MsiExec.exe	53
PID 1740 wrote to memory of 2916	1740	MsiExec.exe	53
PID 1740 wrote to memory of 2916	1740	MsiExec.exe	53
PID 1740 wrote to memory of 2916	1740	MsiExec.exe	53
PID 1740 wrote to memory of 2916	1740	MsiExec.exe	53
PID 1740 wrote to memory of 2916	1740	MsiExec.exe	53
PID 2232 wrote to memory of 1532	2232	2025-01-10_8d7d56e290266a313874b9f9efca4573_bkransomware_floxif.exe	58

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2025-01-10_8d7d56e290266a313874b9f9efca4573_bkransomware_floxif.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-10_8d7d56e290266a313874b9f9efca4573_bkransomware_floxif.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM sManager.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2780
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM SWMAgent.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2708
- C:\Windows\SysWOW64\msiexec.exe
  msiexec.exe /i sManagerSetup.msi /norestart
  2⤵
  - Loads dropped DLL
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2596
- C:\ProgramData\Samsung\SWUpdate\Setup\sAgentSetup.exe
  sAgentSetup.exe /OEMINSTALL
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1532

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding E9D04DC0246E27BBB2567D8128462791 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2928
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 24DB47CE5E29A3A8C9159B86DD9F1738
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2980
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 1C9CB68515DE53ADE9C4EB5FCF71F854 M Global\MSI0000
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\SysWOW64\taskkill.exe" /F /IM SWMAgent.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:2792
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\SysWOW64\taskkill.exe" /F /IM SWMFileDownloadUtil.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:2092
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\SysWOW64\taskkill.exe" /F /IM SWUInterfaceLauncher.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:2244
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\SysWOW64\taskkill.exe" /F /IM SWMLauncher.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:2404
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\SysWOW64\schtasks.exe" /delete /tn "SWUpdateAgent" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1704
- - C:\Program Files (x86)\Samsung\SW Update\InstallationPathWriter.exe
    "C:\Program Files (x86)\Samsung\SW Update\InstallationPathWriter.exe" -task="write" -id="20000" -name="sManager.exe"
    3⤵
    - Executes dropped EXE
    PID:2916

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:900

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000318" "00000000000005BC"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1664

C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe
"C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe" /SERVICE
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f771586.rbs

Filesize
20KB

MD5
7a6cfac70b2946d12753ab1e151da10b

SHA1
0241ea6d734b2ce02609eaca1b7a36d078717643

SHA256
ba10f7537a521801df0bbf46dc274d81fe15f58936d744c4c36eab9a74a0c77b

SHA512
923db14a3c33f860e3d2c0f4d5e8bf213e2fa6da6e126c516412f7859c36ebb7fb57673b3c4d17248b32b024659c8d7d228d8c7c2f6937db5565eb29e33eb325

Download Submit
C:\Program Files (x86)\Samsung\SW Update\Help\SW_Update_CHT-HK.chm

Filesize
12KB

MD5
03544bf81c3aaa2adcccb7a1ae0c76bf

SHA1
bc80ab03b78cd2202f2e653330c8b3dd0a4adad2

SHA256
43934c228d8911033336f67b3000700e001b6602a2c02c1fe440a1108f183605

SHA512
6d70d2c264bdcaa1b6a82be9f43d886ff010c61e87868659d7457502475602ea3dcafc93ce9ee2d30ae91ff9ec82fb986be4577928e14bd60e8d40b66f332600

Download Submit
C:\Program Files (x86)\Samsung\SW Update\Help\SW_Update_CZE.chm

Filesize
12KB

MD5
3c5162a1115c57b66ae6c9b20bcb7418

SHA1
5541851e393f41327634a8d1246e642d79091b19

SHA256
89ffa2573caadca618457b8304f5576cbcdc798d5a7639414137c0ae64607d3a

SHA512
c300c6b6ab45fbde33025d4dc0029d593816f30feeecac5dae18bd5fb05650352c11097ab93bc31831c5d464c3cb35c1ef5b4b0758c141ebfe9c8d73e5ce998b

Download Submit
C:\Program Files (x86)\Samsung\SW Update\Help\SW_Update_DUT.chm

Filesize
12KB

MD5
f1e3392dea3ffa56fe92a6c2ee27c3d0

SHA1
c9a63e3babc0e34843f0244511fbfee5637a96c1

SHA256
d57584717b1d12968cdf165858852f36c3b26e6bb605d247f09d32739356805a

SHA512
25d23f7023966ffdebf4d79e65cfa6a27b0380641f4c1fc48f25e82bc296edabce854d1ee24a961849c20ad51f84181f722a4daabe09136e8f91b34228a485e4

Download Submit
C:\Program Files (x86)\Samsung\SW Update\Help\SW_Update_FIN.chm

Filesize
12KB

MD5
e9f9020f9a6c79a2e8c265cdeb5a024e

SHA1
59c6d9f1a833c9aa1d0a0d876f273e305b217777

SHA256
29a11cb22438d1a0f0b67066f5615e9896ea481ec41e0847ea1446c30e8878d2

SHA512
b554bd728a01cbf3018c3a65addcb174974e6b6f8650432c643ae9cf9ad4b1e6298af356345a6cfb99b63d5f720b1907b3e9ae215601423b79471ada6cf5c466

Download Submit
C:\Program Files (x86)\Samsung\SW Update\Help\SW_Update_FRE.chm

Filesize
12KB

MD5
2a765e66267f53c6ff8a3bffdc069f6c

SHA1
883993f9d24068edac04b6d638ecb036ec9132e4

SHA256
cc96740ae9e161323c0a873f75a0c90f5cafb371f5d270b5ff4011ce6014fe7d

SHA512
f97c69998552aa422d0de5addcedb68e840b02450b3327ce65a4702ed31c679a99df2c7ef6a1dddbd0978e88561c06581ed47e0c870e6047cec0de02de8095ad

Download Submit
C:\Program Files (x86)\Samsung\SW Update\Help\SW_Update_GER.chm

Filesize
12KB

MD5
710431b364edd8ddd4305e898c4a7c14

SHA1
5497e3a79dcc5efd7548aa3c51b1a9f41ecb6c5d

SHA256
4a1250f21c6645e71341c41d07372c84332733f76553c55acf8fa96651a6d719

SHA512
d2df6b1d6aaa0b0507b5d96324261ee217c4ffa35b8c572c89ec293a9565c2b1f95f777bc0375565954d2dcfb1596fc5261f62cde703ab8ec381f649ec5ffc34

Download Submit
C:\Program Files (x86)\Samsung\SW Update\Help\SW_Update_GRE.chm

Filesize
13KB

MD5
10b1bed1205fdbb945b8b0aac22deb60

SHA1
19482e6ba4df50b562fc3a4b76b693453a6121e2

SHA256
a1c33f3290105ccd733b0da45b0e2683b5ac7f70b6b1b811e22b453b5623a26a

SHA512
ae1eb1ab76116d417165b07a82ba939ec2141a2a134c87a6fd481b3efdcf01177a133b68b4a89fe4fe90e93d54a82bc6156ab0903ca5e61772c2e6dd9bf02b20

Download Submit
C:\Program Files (x86)\Samsung\SW Update\Help\SW_Update_ITA.chm

Filesize
12KB

MD5
9f2ca3154a8ea91071b9a46c0aea4c1d

SHA1
babb64a1e950d4a054e2ffd0341cc95e4d9b3e53

SHA256
f3ca54e15d56f337376c4c1a6ddf9d58709ebcb11511c9bde90fecca42dd4fbd

SHA512
72f0b0eabb7faa0b5f6ac9ae3b54212649fec4fd693939187be2c082b752166cf698873e204db858ca1ebd1024dfc85fde1b870cf1eb0928e12e768d69f989ff

Download Submit
C:\Program Files (x86)\Samsung\SW Update\Help\SW_Update_NOR.chm

Filesize
12KB

MD5
96eecca90564af257cd656c136ff9e7b

SHA1
9f09f61d964d3049390ed9f5e91f6b3144e0d3a5

SHA256
bde1c85416cf46ce12e45ada973382b48a5a210692a9dda3354df586537f41fc

SHA512
0e1f387a7b84119b28da15912fce45800bfc409672abd3e444931839cd929a2f8b5d1d6f59f1f4531ad929a80662f0d771260a2f6466af6e1214070a60d7c1d6

Download Submit
C:\Program Files (x86)\Samsung\SW Update\Help\SW_Update_POL.chm

Filesize
12KB

MD5
42bc73c076c7c32a7b21febdc4608075

SHA1
386b838e5b76df2dcb620873e40873c50ff6f68b

SHA256
a5a2ee74b57e0ceaf5ee9f980b5c0962a784d246bdd004b33b315d7d30096ec7

SHA512
a2f43784fbbd0ab0c98a30429ea68c76b989e24852d5bf44b2d99ddf6b960a70eafda211dbdeb4208ed0e83a45da2e108dbd0a66ee886a183901e7e496b22f96

Download Submit
C:\Program Files (x86)\Samsung\SW Update\Help\SW_Update_RUS.chm

Filesize
12KB

MD5
81b75e63131b1b69bd22affabedd6ee2

SHA1
446efc3ee0183175f1f9e49f7f079dd87a406617

SHA256
8dd28725c67075ae1c2d41406343bd5777a644b2b826831d0b8eb489369a288b

SHA512
8b264180454cff29c99334bb680ebd7620f87dfad851db0c8db9d347dfcb822c9c9dbe878aeeddc9daf6aebac65e89ba0c54917efc094b811f76ac153a97957b

Download Submit
C:\Program Files (x86)\Samsung\SW Update\Help\SW_Update_SLV.chm

Filesize
12KB

MD5
38e0cc1e160cf4a0c70b404351719644

SHA1
ed12b1f084974116fb829561a6fc9b1e184b9c35

SHA256
d28d5e3f3bd15a36af501fe580e3bf159039935fab9644d060e1af616736aa44

SHA512
f1e51f010f4d393c922a517bde97f5dc85b7f53937f7b8530e3ac7299874800a138a284413e2f6d93800a9ee45d28971468c77174aa521b8e18567bd2f28bd71

Download Submit
C:\Program Files (x86)\Samsung\SW Update\Help\SW_Update_SPA.chm

Filesize
12KB

MD5
a5c2183747be4a6cfba2c1359f4d7299

SHA1
0033c5073f7d3d4704b1d86175faea756aceb380

SHA256
adf78f2ae5ae0d8eeaf8b4cf1c558ce8190dde3198e1e718102d98797acd2f55

SHA512
fbd5e10ab22b2ee9b0c7840a553fd28944a3a3a9d202a1b9dfb204c352fb5334f58601fb908c29b80293f874529bf2f9fa6ea38d31948e3afea2b96318564e5a

Download Submit
C:\Program Files (x86)\Samsung\SW Update\Help\SW_Update_TUR.chm

Filesize
12KB

MD5
aabf2533183d94d809586cfdd4f1624a

SHA1
a509bd048023344ef0209065203d0038b0b39532

SHA256
9ebeda2cffc1b3eb4ccfd4ccd0b26e725705405f94b5189ca758d5b18b62ceb3

SHA512
7bf880605d6513fc46ab09fe806be6f6cce51cf5500fe7839d69286c5781fddc925a8f985f0c5b9bb380db67e3cb525216c7b712a4eea82b192b1cec442ea4ca

Download Submit
C:\Program Files (x86)\Samsung\SW Update\Help\SW_Update_UZB.chm

Filesize
12KB

MD5
409772699f707ff40ab616eb091a143c

SHA1
e172c11214336c320f91a226e1d82ad12688b1b7

SHA256
ef4f4946f59708cfb39a95ddc94d3ecc65b188a0660e7f0d8268585ba8bfcce3

SHA512
e0d1926e6839cb44246b4705a40750ed371d6415ba28239c439b8a2d516ee628a2f720e764391ed2042659975356e90967c7074c0d532293dcad5b14f84e7298

Download Submit
C:\Program Files (x86)\Samsung\SW Update\SWMSetupCustomAction.dll

Filesize
1.8MB

MD5
257fabe2b8272978fc258a4acb6f57cf

SHA1
b106253ba47202b4532bcf12d383315fb27c8a36

SHA256
bfe25d7ca233d241baf296c456ed04fc1c7bbe98149e4de75ad13502b483fc9c

SHA512
7b816d35e7a4d05813a8667f29d1815920739c6cecf8ad225e793d694c239fea2e4c9fcced69bb3f13544fe4b8ce4fc8f9842a16c94e214db9c72d5d17f82d07

Download Submit
C:\Program Files (x86)\Samsung\SW Update\SWM_ChangeShortcutToChinese.exe

Filesize
1.9MB

MD5
b26ea7e253dfa6bbcfc9a85098119749

SHA1
ade4231b084dd8ad59b10c17c8a43726e869e2bb

SHA256
690157c4d62fdcf5f268f0edb04e4e39ab8dfa5e29e1770d48edac12a62e6e0c

SHA512
17e2696389960604b01153343fadc580ec01326ba97df6e7b8acec210d8eb55acd6d1fc3b0f93d4777e2747a0568b4f78e4d32b0bacfc617ef7938162c39e2d6

Download Submit
C:\Program Files (x86)\Samsung\SW Update\sManager.ico

Filesize
269KB

MD5
de8871fd5f27e83cb255da1ae3f84c01

SHA1
a4cb1157df8314e1d1f9b19c4c1d6298762b86a1

SHA256
b3b02831d15640c83efb7a20e045deacb55a0573609f7ffb18b50b2e7083cd89

SHA512
cda4a5bd25424bc62417f47a8942ee464f00cc9b80c32fbe54e188fc638f3963af7ddec83a9f82cd5bd9299c15668877bddf32a2bcf1d8940a974f5716398fdc

Download Submit
C:\ProgramData\Samsung\SW Update Service\License.txt

Filesize
50KB

MD5
006571f77bb55a73d2f9c63b25b87572

SHA1
b0857791fc8552bbb979cd7785584013d5bdc5b2

SHA256
9760f0ffaaae399a23bc81f8d6fa1daa97d48b811ef7eafbe0d14629521c06a3

SHA512
575044f65ed45e71daafc194d769034e5c5447621334107e57c1485a8e91f3731da251d50dda38f97026553e761f3a71efb1efb76f29aa0b9df7c6ab7767631b

Download Submit
C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe

Filesize
3.2MB

MD5
352b2cbd19510fea2eeb769683a4f5a9

SHA1
7356f47b351d4729fbe4db7b06be6ce8a3cdcdb1

SHA256
3380325b8f3b1f5b1ad70751fea88370694bc21bdae770de2bf627b49d483d0f

SHA512
286ce0c06054474ec21b780cc5cd2d8b440ed39ef337f2ed907d41509a8b86d487df717a732c16a6ff6ef9c1110e00ec2d8411e944fba86fbdd9d5ee1d0899c4

Download Submit
C:\ProgramData\Samsung\SW Update Service\SWMFileDownloadUtil.exe

Filesize
1.7MB

MD5
63ac8a30ed503b025316a61db955cb8d

SHA1
a9f8cf3fe05b968cf341f16728233293d551c67f

SHA256
063b1edf4a8426cad657fee9a383e1462ba5e5f99c9e80629c5d2874f9f8588f

SHA512
db2976615cb74c08dc8346874e891f6def1252acccf0c24cb6a737d54d861d76cfb5e6a4acc5c528585094bc7df0763b0d82b7b8b40c1f59607b8af62b9351ca

Download Submit
C:\ProgramData\Samsung\SW Update Service\SWMLauncher.exe

Filesize
25KB

MD5
320349e6a7680c4d1d923d19a9e23043

SHA1
bf0e7bc9c8b6290d34b1b4c8147153d63deac673

SHA256
0fe79e2856206e936424952dded3225925ef29b37b20c0d41adf5a5b18484c5b

SHA512
701ef6d153c2402a82ddc7a28f7f753416971ef3c8afca0b18bf3476a56f5ab3af29d506d5b96f190fe7a470f3423706d0d903544c739fde23480497eafcbd79

Download Submit
C:\ProgramData\Samsung\SW Update Service\SWUInterfaceLauncher.exe

Filesize
2.1MB

MD5
a0759ec98eb9c63fae02ceb6a7db841e

SHA1
c0442507fa2003761d1ad5f9ab66b8331745a5d0

SHA256
24ea5db08fd8bba96fc4258db8b54d2eebd473bf4f0064993a2b8885d8bc4863

SHA512
1cfd71fa3fa2e1a0fa13df5aa40e5fa13fba4a0983be03c553de064e99306370746e772862adfa2d4484ed194b9479510d419f245232fec6a47a1d3a2c9a1211

Download Submit
C:\ProgramData\Samsung\SW Update Service\SWUpdateIF.dll

Filesize
3.1MB

MD5
8d64a70b40993a415dc453d8f1d330f4

SHA1
d91c6fa3fc6609e602a81ada08282337234c67b1

SHA256
f90fafc6ce75d22e97896fa88ff661f93879a8476266ab7dee1e999f78624f4e

SHA512
aa11523369cd05c8214c87590ba2e5e79c5080f58cd6220a88449ef023d4fcfb70907d395bcc883fc22286a7adf0713073c4fd1a5a420e1c0cffb11f1f2e50b3

Download Submit
C:\ProgramData\Samsung\SW Update Service\ShortcutResource.dll

Filesize
1.8MB

MD5
3c73902fb6becfce8de94ee9c1591924

SHA1
b8659453c9cab414640a783992b3c10f0d57b99b

SHA256
89c5c8498468e86d80906dfede8abaf7c692aef0757337263f818b251b46f35e

SHA512
4dfeecc518cf2474cc0ebdd9dd268d7ec744e8bde594d1246ed08aa76762a502348398ba08e4ff1be32e4211c6f5d664b3435a2c1a7ec3fa505126573204f7ef

Download Submit
C:\ProgramData\Samsung\SW Update Service\sManager.lang

Filesize
1.5MB

MD5
1a75dfe2edc97d8efa1fea5a5d6cfb94

SHA1
93e254d7032a4e646111e1d15db8a3d8187e299f

SHA256
03003ab17a89c4fa9df8232ff272fd5b4104b6772efab936e6ff156a90557454

SHA512
76566ac48677e3deee3e59da14cabda55a5c960e9d38da4f6b3f8806f7bb8f9249f87ce1c4fe0fe0d430259b165a912113ba859972f0e5dcb3331be052fb63e7

Download Submit
C:\ProgramData\Samsung\SWUpdate\Setup\sManagerSetup.msi

Filesize
17.4MB

MD5
5865f6998f777b5049a4a77ccdc08637

SHA1
656bb805587ff840a4c306f7b672d41f3d16add9

SHA256
29081ec68088dfd952571f50c053ae9883b003744cf46585747f45a8b4eed014

SHA512
d2ef3f158297498241c6315f9ea3045a89509ab5e883cf4e6b2438f68e15490bc21b911df08fd899ee83770bee6a7609405b68e499f9f2e19f68796d654b1aa3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\40C68D5626484A90937F0752C8B950AB

Filesize
834B

MD5
5cb16e48b582bf86a4b396fcbc235981

SHA1
3e7cbf189fbbff1efb9b04c398ceb902e816f15b

SHA256
ba479af493eeefdf7de4c86890f5d87886bc0bc92522d39dd09eb21f85cf23f9

SHA512
55210eb21fd974bb189063d4e377c37b2cf1c2e0d7ec056dee48f8619cfe04a7a8c1ba329abcfa7edb4785fac08375df4c8261e98dc3a8294f0f4fc29cf61eee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EA618097E393409AFA316F0F87E2C202_C59BC91E99449F8BFBBBDD496CF022E4

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\ECF3006D44DA211141391220EE5049F4

Filesize
92KB

MD5
7c35d9979088f78c0595385dc8067f67

SHA1
d47e7b8714d71f83718dfe56e330e28630853b3b

SHA256
8ffa5b11b1e2e2c59952608c604bda9ebc04253d2bdeaee3a860d841cb5a3f21

SHA512
f9c7ffa3a0ecbb4f9aea243c3f0bf70eb90b7e4731c8d5d30d0f5a81ec7fafae4a10978d7311bc5a34702dc2a325faa357a375616fd7cc2188e5678c06a00cbc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\40C68D5626484A90937F0752C8B950AB

Filesize
180B

MD5
75fde63325a81453cebf324becfbbcac

SHA1
154b222ff19a8df02127887c55f7a8f93b2546dd

SHA256
e7ad44cfc6a67a880a6ea7f1a059e376ee54499b81d156a3837a513486b1088a

SHA512
fcfe9386537ddad9b7f653127129d318e5e143175f66fda782c442f77836ff755f216958a72afa78e1976a5491bc34de5b3adf1ef7b0d77a2e8177f47c90c645

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
924b0aaab2313817898d953074df5d78

SHA1
48bb2082403efe95e64a973627597c9c3301c5bd

SHA256
12b7df095216f419c173e7f7d5087d28cfc23ce5848cd39b9e94c6a4a0c54026

SHA512
9bc3aa96ac492435dd35cb29f14104c67c3eb50e4d28e0ed26856ecdcc2e0c9f8aabd4a2e6e497083c6630283924ed0ac4233ab67fb65fcc893277fda5709099

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE

Filesize
398B

MD5
2f75aa80da0821f93f17db9926f5ef82

SHA1
ca324333d9275b26efeefdb995993638cea4aac6

SHA256
9ae587509f257e98687fb41b38ed584bef4291f0aaa332cdaccb2f018d5e418d

SHA512
4d25ed5c2c168f6669687a5dfe534437bee48ace5ba7d3ec5b338737d1706f21308b4cc078bac3ac2ee7d0eb7583d8dd45e0f91d205e4bcb9dc49d5b4902c0c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EA618097E393409AFA316F0F87E2C202_C59BC91E99449F8BFBBBDD496CF022E4

Filesize
418B

MD5
ec4b19cccb146ec3316e2ed2ca755d53

SHA1
d96d4904f0a01cfd2e9535181c1c65ccb8ace827

SHA256
4576eb595f236d884e9099ec456ec56756b5440835e7b5576f1435dd5c969edb

SHA512
29da6840f647d0e143b246ccf8e3c89dda90503aabc2926ffe3bfe6fb72cc4b625ecf17ef0b3c2f205d5ee88713617034282d8db0da4d8fca655858f63ec087e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\ECF3006D44DA211141391220EE5049F4

Filesize
170B

MD5
548931c8a45264fa7c18ac8566cecdc3

SHA1
9c156e530e5864a4533d5d2e2e6ead9a036013ec

SHA256
1db260011f5a434beaeeeba7c5d370a4702f7abb8125187d3065c22a3228fcfb

SHA512
26de40f0b5d437d85abdf7de625a545ac8c600834128e71af165b0a1bec5132327384f4f7c14b37e577d926f86e60f436b652bf583049bdb21d3252edb524589

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF440.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF462.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Program Files (x86)\Samsung\SW Update\InstallationPathWriter.exe

Filesize
75KB

MD5
e9fea2b6eec45d9bc0469706a8e8c4f8

SHA1
7dc4d6331f2158a0cf17d3c3a066ab17d8918884

SHA256
5a615f3fc99eba65f204b4e3fc612e980e2d2a8a49458c42d2b5a21d68a01f4f

SHA512
090af2d4a33146736ecdae722fd3cdcf2b4c4c835c08490f2403945043a69b23094cc7c141f7f047b7ce0151efc8c9801623bd26140b8cc3b1e4974492e96895

Download Submit
\Program Files (x86)\Samsung\SW Update\SetupLogCollector.exe

Filesize
1.8MB

MD5
7c418222b9e551f5fd27200228fd05a6

SHA1
1d554a9ba1ece48ce07aaef1c517037fc237008f

SHA256
e2c1ced6b0e465b22788375aa5185800f464e7f357fdabcc90c0ed9bbca7b2c6

SHA512
90d7381bd7d10bc2fc97a5232eda74575bfdfa752aeba38c2d5bf2ba4fafbfc07e0b580193f153766c67cb92140982cd2178dff360f502c1545d96cc9dc7ac79

Download Submit
\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
\Users\Admin\AppData\Local\Temp\MSIFA0E.tmp

Filesize
298KB

MD5
9945f10135a4c7214fa5605c21e5de9b

SHA1
3826fb627c67efd574a30448ea7f1e560b949c87

SHA256
9f3b0f3af4bfa061736935bab1d50ed2581358ddc9a9c0db22564aced1a1807c

SHA512
f385e078ceeb54fe86f66f2db056baba9556817bbf9a110bcd9e170462351af0dd4462429412410c7c3b2b76ea808d7bce4ea1f756a18819aa1762edb3745cc5

Download Submit
memory/2232-212-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2232-210-0x0000000000820000-0x0000000002304000-memory.dmp

Filesize
26.9MB

Download
memory/2232-3-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2232-360-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2232-358-0x0000000000820000-0x0000000002304000-memory.dmp

Filesize
26.9MB

Download