floxif | e7947f62c01f0fa2ef92bebe73a1ddc163eef89ec7ad231d7e13daf50914afa9

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
02/02/2025, 19:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe
Size

6.8MB
MD5

089ba18e92ea40793fa952c00c8c6223
SHA1

354248b307863503a550eef99bb5a1166bd616b0
SHA256

e7947f62c01f0fa2ef92bebe73a1ddc163eef89ec7ad231d7e13daf50914afa9
SHA512

2f08f52f96a65864f340f307bf427fe676e5954017340c1fcfc62c6ea4d631bc49016a29921a52d6ad6d01ae78d66591954c4376ef71cb4935a263ec34fdc207
SSDEEP

98304:9kuJz1xn3h6i02uaYmGSGT17L6z6GO9Pcgv5nWfBY8C8fhlH2vef9Ivsb:9Jl3h6i02uaYnSGTF6c9PcuqYmf2Gb

Score

10^/10

floxif backdoor discovery trojan upx

Malware Config

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif

Detects Floxif payload 1 IoCs

backdoor

resource	yara_rule
behavioral2/files/0x000c000000023b39-1.dat	floxif

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000c000000023b39-1.dat	acprotect

Loads dropped DLL 1 IoCs

pid	Process
4216	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000c000000023b39-1.dat	upx
behavioral2/memory/4216-4-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/4216-88-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/4216-87-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/4216-129-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/4216-200-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/4216-268-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\symsrv.dll	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe
File created	\??\c:\program files\common files\system\symsrv.dll.000	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 32 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XnView.Image\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe\" \"%1\""	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\xnview.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe\" \"%1\""	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XnView.Image\DefaultIcon	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\Browse with XnView\command	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shell\Browse with XnView\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe\" \"%1\""	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\Browse with XnView	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shell\Browse with XnView\command	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\xnview.exe\shell	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\Browse with XnView\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe\" \"%1\""	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shell	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shell\Browse with XnView\DefaultIcon	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\xnview.exe\shell\open	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\Browse with XnView\DefaultIcon	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shell\Browse with XnView	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XnView.Image\ = "XnView Image"	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XnView.Image\shell\open\command	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\xnview.exe\shell\open\command	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shell\Browse with XnView\Icon = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe,0"	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XnView.Image\shell\open	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XnView.Image\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe,0"	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\Browse with XnView\Icon = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe,0"	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XnView.Image	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XnView.Image\shell	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shell\Browse with XnView\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe,0"	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\xnview.exe	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\Browse with XnView\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe,0"	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
4216	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe
4216	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe
4820	msedge.exe
4820	msedge.exe
4608	msedge.exe
4608	msedge.exe
3436	identity_helper.exe
3436	identity_helper.exe
4216	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe
4216	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe
4216	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe
4216	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
4216	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe
4216	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4216	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4216 wrote to memory of 4608	4216	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe	89
PID 4216 wrote to memory of 4608	4216	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe	89
PID 4608 wrote to memory of 4544	4608	msedge.exe	90
PID 4608 wrote to memory of 4544	4608	msedge.exe	90
PID 4608 wrote to memory of 2284	4608	msedge.exe	91
PID 4608 wrote to memory of 2284	4608	msedge.exe	91
PID 4608 wrote to memory of 2284	4608	msedge.exe	91
PID 4608 wrote to memory of 2284	4608	msedge.exe	91
PID 4608 wrote to memory of 2284	4608	msedge.exe	91
PID 4608 wrote to memory of 2284	4608	msedge.exe	91
PID 4608 wrote to memory of 2284	4608	msedge.exe	91
PID 4608 wrote to memory of 2284	4608	msedge.exe	91
PID 4608 wrote to memory of 2284	4608	msedge.exe	91
PID 4608 wrote to memory of 2284	4608	msedge.exe	91
PID 4608 wrote to memory of 2284	4608	msedge.exe	91
PID 4608 wrote to memory of 2284	4608	msedge.exe	91
PID 4608 wrote to memory of 2284	4608	msedge.exe	91
PID 4608 wrote to memory of 2284	4608	msedge.exe	91
PID 4608 wrote to memory of 2284	4608	msedge.exe	91
PID 4608 wrote to memory of 2284	4608	msedge.exe	91
PID 4608 wrote to memory of 2284	4608	msedge.exe	91
PID 4608 wrote to memory of 2284	4608	msedge.exe	91
PID 4608 wrote to memory of 2284	4608	msedge.exe	91
PID 4608 wrote to memory of 2284	4608	msedge.exe	91
PID 4608 wrote to memory of 2284	4608	msedge.exe	91
PID 4608 wrote to memory of 2284	4608	msedge.exe	91
PID 4608 wrote to memory of 2284	4608	msedge.exe	91
PID 4608 wrote to memory of 2284	4608	msedge.exe	91
PID 4608 wrote to memory of 2284	4608	msedge.exe	91
PID 4608 wrote to memory of 2284	4608	msedge.exe	91
PID 4608 wrote to memory of 2284	4608	msedge.exe	91
PID 4608 wrote to memory of 2284	4608	msedge.exe	91
PID 4608 wrote to memory of 2284	4608	msedge.exe	91
PID 4608 wrote to memory of 2284	4608	msedge.exe	91
PID 4608 wrote to memory of 2284	4608	msedge.exe	91
PID 4608 wrote to memory of 2284	4608	msedge.exe	91
PID 4608 wrote to memory of 2284	4608	msedge.exe	91
PID 4608 wrote to memory of 2284	4608	msedge.exe	91
PID 4608 wrote to memory of 2284	4608	msedge.exe	91
PID 4608 wrote to memory of 2284	4608	msedge.exe	91
PID 4608 wrote to memory of 2284	4608	msedge.exe	91
PID 4608 wrote to memory of 2284	4608	msedge.exe	91
PID 4608 wrote to memory of 2284	4608	msedge.exe	91
PID 4608 wrote to memory of 2284	4608	msedge.exe	91
PID 4608 wrote to memory of 4820	4608	msedge.exe	92
PID 4608 wrote to memory of 4820	4608	msedge.exe	92
PID 4608 wrote to memory of 5092	4608	msedge.exe	93
PID 4608 wrote to memory of 5092	4608	msedge.exe	93
PID 4608 wrote to memory of 5092	4608	msedge.exe	93
PID 4608 wrote to memory of 5092	4608	msedge.exe	93
PID 4608 wrote to memory of 5092	4608	msedge.exe	93
PID 4608 wrote to memory of 5092	4608	msedge.exe	93
PID 4608 wrote to memory of 5092	4608	msedge.exe	93
PID 4608 wrote to memory of 5092	4608	msedge.exe	93
PID 4608 wrote to memory of 5092	4608	msedge.exe	93
PID 4608 wrote to memory of 5092	4608	msedge.exe	93
PID 4608 wrote to memory of 5092	4608	msedge.exe	93
PID 4608 wrote to memory of 5092	4608	msedge.exe	93
PID 4608 wrote to memory of 5092	4608	msedge.exe	93
PID 4608 wrote to memory of 5092	4608	msedge.exe	93
PID 4608 wrote to memory of 5092	4608	msedge.exe	93
PID 4608 wrote to memory of 5092	4608	msedge.exe	93
PID 4608 wrote to memory of 5092	4608	msedge.exe	93
PID 4608 wrote to memory of 5092	4608	msedge.exe	93

C:\Users\Admin\AppData\Local\Temp\2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.xnview.com/update.php?app=0&lang=en&version=2.51.4&nversion=2.52.0&os=0&t=1738524269&key=515ba1dce7ddd76c03dfd5b48fa6c0d7
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4608
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x40,0x108,0x7ffbc2c746f8,0x7ffbc2c74708,0x7ffbc2c74718
    3⤵
    PID:4544
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,18209934912942076364,8064572343945597958,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
    3⤵
    PID:2284
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,18209934912942076364,8064572343945597958,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2416 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4820
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,18209934912942076364,8064572343945597958,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:8
    3⤵
    PID:5092
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,18209934912942076364,8064572343945597958,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
    3⤵
    PID:2032
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,18209934912942076364,8064572343945597958,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
    3⤵
    PID:3604
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,18209934912942076364,8064572343945597958,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5508 /prefetch:8
    3⤵
    PID:3716
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,18209934912942076364,8064572343945597958,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5508 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3436
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,18209934912942076364,8064572343945597958,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4720 /prefetch:1
    3⤵
    PID:3416
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,18209934912942076364,8064572343945597958,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
    3⤵
    PID:4240
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,18209934912942076364,8064572343945597958,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5944 /prefetch:1
    3⤵
    PID:3632
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,18209934912942076364,8064572343945597958,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
    3⤵
    PID:2940
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,18209934912942076364,8064572343945597958,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1908 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2172

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4308

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
C:\Program Files\Common Files\System\symsrv.dll.000

Filesize
175B

MD5
1130c911bf5db4b8f7cf9b6f4b457623

SHA1
48e734c4bc1a8b5399bff4954e54b268bde9d54c

SHA256
eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1

SHA512
94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
734B

MD5
e192462f281446b5d1500d474fbacc4b

SHA1
5ed0044ac937193b78f9878ad7bac5c9ff7534ff

SHA256
f1ba9f1b63c447682ebf9de956d0da2a027b1b779abef9522d347d3479139a60

SHA512
cc69a761a4e8e1d4bf6585aa8e3e5a7dfed610f540a6d43a288ebb35b16e669874ed5d2b06756ee4f30854f6465c84ee423502fc5b67ee9e7758a2dab41b31d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\78F4C54FBC53537728A59512D8EEACFC

Filesize
504B

MD5
12cb057c2117621eb95d7dcffead463a

SHA1
7af1ba938bfb51e00f51d304efdb4ad08db6c801

SHA256
8059fc5937b7dc90c266bf4058e8eb1469e950947ad3acbee45aebe5605bf7ae

SHA512
8d8fb9056da77eb1308167621f60f21b0d375bd158bbb69df3129398f3a12b5a2490e5ad8ff61dfe17d52e35cd2812a1d70185158f116420135afe285d7884ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
7adb7259b5b22a338792da5449341127

SHA1
4b080647daea580f3b929c650261a00f42d0ec1f

SHA256
b5f04b169cee27a0a2dc6452e94d6a898ac5eeac403206d778500f6e2f4ba6b0

SHA512
92b79073d385c2e3df340dcee8f194e8d087ad6937d989345baa51ae26fa580b8a4d5d1dfefb60e62e29a28d58a14664bad4d2018f7e16c4a4cc0f061b0e93c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\78F4C54FBC53537728A59512D8EEACFC

Filesize
554B

MD5
619f499fd6a10e0ab7ed11c176edd68d

SHA1
190c008e71595bca5c9b262a332213809dd18f4b

SHA256
22d0fce2e567135048d76f497208c0a7f83a86358a7f68600ea9463e1f9c9476

SHA512
101a6030f938a0c8d6c6943586415e75aea7fc433074ffcf0913e3929f43646aa713567a3355205c55837676846bd2eaeb8ce76c0935f8945ab96fbda0daca54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8ea156392347ae1e43bf6f4c7b7bc6ec

SHA1
7e1230dd6103043d1c5d9984384f93dab02500a6

SHA256
40b28bf59b3e2026ad3ebe2fecf464a03d7094fd9b26292477ad264d4efc1c75

SHA512
2479b86a9a31aa2f260ff6a1c963691994242ced728a27ffa2ee4e224945446a191bdb49ce399ec5a7d5d362499716133072e97d4253b5b4f09582d58b25144f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a7b5a5433fe76697fec05973806a648c

SHA1
786027abe836d4d8ff674c463e5bb02c4a957b70

SHA256
c8d623536ebdf5ffbefb84013d1c8ff5f853b59f1b09c80364c32b8ed5e4a735

SHA512
27be4c82e26468bbb9ce698ef305320f6cac46c953f88c714a0372fa524d098b9af2a87a88b14a134ff0f5f4b3d671902908622d2c7ec48e2c7bc458d7f5cc16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
8420ca8b41fb189160013ddffb2cdbcb

SHA1
bc58d01d579927cd99788a7f4657a9ac7d4e87bb

SHA256
6c05d8bd0630bbd40b0bb4239b614028f78cac0bb3d7f0389f378c047b08d1e2

SHA512
49defc12c94d45a12d39c5f865a765e110db1f5f645924286af1dc3ba4eea59963234b4989dd09b2a1436d959d455d2d8ed54199f1830e26171b6482b38b603f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
d91afcd842b1a484a791141fc78e5d6b

SHA1
402aa6e008150da88ec03ca7f6d6a1a3562e3841

SHA256
8fd1b99a428663829a9db36c587ca75808ef436c1e17a0f159a7d6356d3a6965

SHA512
c0f0a9c061a0528fb1312233019506f03789cfc6822e819227b1ca53d03860e20a4bb1cae13e573e1998ce8a0e633c3298d98b1f6a32ba4a1dcbcf59e47e98f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3b3ec49af3a734274182c152076e3ff2

SHA1
7d0c378bd7c291a7d290fa886ea331b53f3462e8

SHA256
10b53e2627af0673f0d584b4e79e93bd437c40dd55a4ad9278070f979a8cf6f3

SHA512
c078b1d18e31b11436d4a674fafd3e337a41b4ce35338abe78ae7581ea35ac6fc0b0eec4d56ca1e18bcebe3eba7f7e9bc14a1bad3f65324715e752c050c2286c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
60a3f33aa4132ecf3f62ec5c277ff723

SHA1
d9e79060bfdf0337aac0a16e55aec4ce5fbd6cfb

SHA256
5b734ce69c53d259d834e155fca43d2c28c9603edd62c2c0c324cf042c954c0e

SHA512
c2e82cd21c09668c358b3ac0d84a7ff9a3575e3b34d9d48caf0ceaeb7a13ec3c7c5ca70fa75aeb71a6000a5a2e93053772a3cd4225e20559a1ed7f795879cffc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
610b7e12264d7934e838c6b832eb5279

SHA1
7aef0976540be93c33dad99c606e47b7d676cbaf

SHA256
4ef8ba86fcfc7228eccb6a994ec13eb468e0c6dad8000a35c92b6ff84f7070e3

SHA512
dc6146b57adfb62eba131a5bee7b7746ca0fe5dc073e2515360045a0dfcf0d7e77065283a7cc0eb0f7b2b0090830ce65cb4831b68793072ae6f8d7bbecbb9f01

Download Submit
C:\Users\Admin\AppData\Local\Temp\A1D26E2\8A8DAC01078.tmp

Filesize
6.8MB

MD5
e3e17c335176a3b42e36fe2149f03fc9

SHA1
0834f657ec67affccd8af7dd18f08108aa8cc9a4

SHA256
796c2df5f588660107d9efb6778b5e41e69a457cf3b4a5d74ca85adb13521457

SHA512
1a10c9f323de35abc0825d21e49561498b8ed224c309ec5bd9f4836d33be6dc95dfdeeddbf08d02ba32b8a902a812254bf5cde4c264d8ba240dee7c48bac513b

Download Submit
C:\Users\Admin\Desktop\XnView.lnk

Filesize
1KB

MD5
533c3cf90d86b1afe6015e1ac3e86003

SHA1
58720320272e363b71fddb13f665e6d3c6fa1c6b

SHA256
1ca165b31180ff22b9d768e3352808d26cfc6178855f6a928c0648d36061961f

SHA512
ea0e1b2c9a4b604f0046e8f1f120224972dac0f47898a102258e07ff57ccb1bc583f13556ca803aedae4bc86a03dfc6f8a0124c271ea63e4986e8311f71aa72e

Download Submit
memory/4216-87-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4216-4-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4216-128-0x0000000000030000-0x0000000000742000-memory.dmp

Filesize
7.1MB

Download
memory/4216-129-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4216-200-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4216-88-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4216-86-0x0000000000030000-0x0000000000742000-memory.dmp

Filesize
7.1MB

Download
memory/4216-268-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download