floxif | e7947f62c01f0fa2ef92bebe73a1ddc163eef89ec7ad231d7e13daf50914afa9

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
02-02-2025 19:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe
Size

6.8MB
MD5

089ba18e92ea40793fa952c00c8c6223
SHA1

354248b307863503a550eef99bb5a1166bd616b0
SHA256

e7947f62c01f0fa2ef92bebe73a1ddc163eef89ec7ad231d7e13daf50914afa9
SHA512

2f08f52f96a65864f340f307bf427fe676e5954017340c1fcfc62c6ea4d631bc49016a29921a52d6ad6d01ae78d66591954c4376ef71cb4935a263ec34fdc207
SSDEEP

98304:9kuJz1xn3h6i02uaYmGSGT17L6z6GO9Pcgv5nWfBY8C8fhlH2vef9Ivsb:9Jl3h6i02uaYnSGTF6c9PcuqYmf2Gb

Score

10^/10

floxif backdoor discovery persistence privilege_escalation trojan upx

Malware Config

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif

Detects Floxif payload 1 IoCs

backdoor

resource	yara_rule
behavioral2/files/0x000c000000023b83-1.dat	floxif

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000c000000023b83-1.dat	acprotect

Loads dropped DLL 1 IoCs

pid	Process
2188	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000c000000023b83-1.dat	upx
behavioral2/memory/2188-4-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/2188-88-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/2188-125-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/2188-201-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/2188-271-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\symsrv.dll	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe
File created	\??\c:\program files\common files\system\symsrv.dll.000	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 32 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shell\Browse with XnView\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe\" \"%1\""	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XnView.Image	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XnView.Image\shell	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\xnview.exe	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XnView.Image\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe\" \"%1\""	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\xnview.exe\shell\open\command	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\xnview.exe\shell	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\xnview.exe\shell\open	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XnView.Image\DefaultIcon	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shell\Browse with XnView	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shell\Browse with XnView\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe,0"	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XnView.Image\ = "XnView Image"	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\Browse with XnView\DefaultIcon	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\Browse with XnView\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe,0"	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XnView.Image\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe,0"	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shell\Browse with XnView\command	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shell\Browse with XnView\Icon = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe,0"	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XnView.Image\shell\open\command	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XnView.Image\shell\open	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\xnview.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe\" \"%1\""	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\Browse with XnView\command	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\Browse with XnView	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\Browse with XnView\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe\" \"%1\""	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\Browse with XnView\Icon = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe,0"	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shell	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shell\Browse with XnView\DefaultIcon	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe
Key created	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2188	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe
2188	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe
2448	msedge.exe
2448	msedge.exe
3116	msedge.exe
3116	msedge.exe
1080	identity_helper.exe
1080	identity_helper.exe
2188	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe
2188	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe
2188	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe
2188	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2188	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe
2188	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2188	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 3116	2188	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe	88
PID 2188 wrote to memory of 3116	2188	2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe	88
PID 3116 wrote to memory of 4784	3116	msedge.exe	89
PID 3116 wrote to memory of 4784	3116	msedge.exe	89
PID 3116 wrote to memory of 3340	3116	msedge.exe	90
PID 3116 wrote to memory of 3340	3116	msedge.exe	90
PID 3116 wrote to memory of 3340	3116	msedge.exe	90
PID 3116 wrote to memory of 3340	3116	msedge.exe	90
PID 3116 wrote to memory of 3340	3116	msedge.exe	90
PID 3116 wrote to memory of 3340	3116	msedge.exe	90
PID 3116 wrote to memory of 3340	3116	msedge.exe	90
PID 3116 wrote to memory of 3340	3116	msedge.exe	90
PID 3116 wrote to memory of 3340	3116	msedge.exe	90
PID 3116 wrote to memory of 3340	3116	msedge.exe	90
PID 3116 wrote to memory of 3340	3116	msedge.exe	90
PID 3116 wrote to memory of 3340	3116	msedge.exe	90
PID 3116 wrote to memory of 3340	3116	msedge.exe	90
PID 3116 wrote to memory of 3340	3116	msedge.exe	90
PID 3116 wrote to memory of 3340	3116	msedge.exe	90
PID 3116 wrote to memory of 3340	3116	msedge.exe	90
PID 3116 wrote to memory of 3340	3116	msedge.exe	90
PID 3116 wrote to memory of 3340	3116	msedge.exe	90
PID 3116 wrote to memory of 3340	3116	msedge.exe	90
PID 3116 wrote to memory of 3340	3116	msedge.exe	90
PID 3116 wrote to memory of 3340	3116	msedge.exe	90
PID 3116 wrote to memory of 3340	3116	msedge.exe	90
PID 3116 wrote to memory of 3340	3116	msedge.exe	90
PID 3116 wrote to memory of 3340	3116	msedge.exe	90
PID 3116 wrote to memory of 3340	3116	msedge.exe	90
PID 3116 wrote to memory of 3340	3116	msedge.exe	90
PID 3116 wrote to memory of 3340	3116	msedge.exe	90
PID 3116 wrote to memory of 3340	3116	msedge.exe	90
PID 3116 wrote to memory of 3340	3116	msedge.exe	90
PID 3116 wrote to memory of 3340	3116	msedge.exe	90
PID 3116 wrote to memory of 3340	3116	msedge.exe	90
PID 3116 wrote to memory of 3340	3116	msedge.exe	90
PID 3116 wrote to memory of 3340	3116	msedge.exe	90
PID 3116 wrote to memory of 3340	3116	msedge.exe	90
PID 3116 wrote to memory of 3340	3116	msedge.exe	90
PID 3116 wrote to memory of 3340	3116	msedge.exe	90
PID 3116 wrote to memory of 3340	3116	msedge.exe	90
PID 3116 wrote to memory of 3340	3116	msedge.exe	90
PID 3116 wrote to memory of 3340	3116	msedge.exe	90
PID 3116 wrote to memory of 3340	3116	msedge.exe	90
PID 3116 wrote to memory of 2448	3116	msedge.exe	91
PID 3116 wrote to memory of 2448	3116	msedge.exe	91
PID 3116 wrote to memory of 3788	3116	msedge.exe	92
PID 3116 wrote to memory of 3788	3116	msedge.exe	92
PID 3116 wrote to memory of 3788	3116	msedge.exe	92
PID 3116 wrote to memory of 3788	3116	msedge.exe	92
PID 3116 wrote to memory of 3788	3116	msedge.exe	92
PID 3116 wrote to memory of 3788	3116	msedge.exe	92
PID 3116 wrote to memory of 3788	3116	msedge.exe	92
PID 3116 wrote to memory of 3788	3116	msedge.exe	92
PID 3116 wrote to memory of 3788	3116	msedge.exe	92
PID 3116 wrote to memory of 3788	3116	msedge.exe	92
PID 3116 wrote to memory of 3788	3116	msedge.exe	92
PID 3116 wrote to memory of 3788	3116	msedge.exe	92
PID 3116 wrote to memory of 3788	3116	msedge.exe	92
PID 3116 wrote to memory of 3788	3116	msedge.exe	92
PID 3116 wrote to memory of 3788	3116	msedge.exe	92
PID 3116 wrote to memory of 3788	3116	msedge.exe	92
PID 3116 wrote to memory of 3788	3116	msedge.exe	92
PID 3116 wrote to memory of 3788	3116	msedge.exe	92

C:\Users\Admin\AppData\Local\Temp\2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-02-02_089ba18e92ea40793fa952c00c8c6223_bkransomware_floxif_hijackloader.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.xnview.com/update.php?app=0&lang=en&version=2.51.4&nversion=2.52.0&os=0&t=1738524461&key=515ba1dce7ddd76c03dfd5b48fa6c0d7
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3116
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9e87546f8,0x7ff9e8754708,0x7ff9e8754718
    3⤵
    PID:4784
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,17982653852369962708,17961215180936156531,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
    3⤵
    PID:3340
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,17982653852369962708,17961215180936156531,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2448
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,17982653852369962708,17961215180936156531,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2892 /prefetch:8
    3⤵
    PID:3788
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17982653852369962708,17961215180936156531,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
    3⤵
    PID:3388
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17982653852369962708,17961215180936156531,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
    3⤵
    PID:4592
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,17982653852369962708,17961215180936156531,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5360 /prefetch:8
    3⤵
    PID:1428
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,17982653852369962708,17961215180936156531,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5360 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1080
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17982653852369962708,17961215180936156531,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
    3⤵
    PID:3528
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17982653852369962708,17961215180936156531,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
    3⤵
    PID:2172
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17982653852369962708,17961215180936156531,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
    3⤵
    PID:3956
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17982653852369962708,17961215180936156531,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
    3⤵
    PID:1892
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,17982653852369962708,17961215180936156531,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5016 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2716

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1444

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Privilege Escalation

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
C:\Program Files\Common Files\System\symsrv.dll.000

Filesize
175B

MD5
1130c911bf5db4b8f7cf9b6f4b457623

SHA1
48e734c4bc1a8b5399bff4954e54b268bde9d54c

SHA256
eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1

SHA512
94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
734B

MD5
e192462f281446b5d1500d474fbacc4b

SHA1
5ed0044ac937193b78f9878ad7bac5c9ff7534ff

SHA256
f1ba9f1b63c447682ebf9de956d0da2a027b1b779abef9522d347d3479139a60

SHA512
cc69a761a4e8e1d4bf6585aa8e3e5a7dfed610f540a6d43a288ebb35b16e669874ed5d2b06756ee4f30854f6465c84ee423502fc5b67ee9e7758a2dab41b31d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\78F4C54FBC53537728A59512D8EEACFC

Filesize
504B

MD5
12cb057c2117621eb95d7dcffead463a

SHA1
7af1ba938bfb51e00f51d304efdb4ad08db6c801

SHA256
8059fc5937b7dc90c266bf4058e8eb1469e950947ad3acbee45aebe5605bf7ae

SHA512
8d8fb9056da77eb1308167621f60f21b0d375bd158bbb69df3129398f3a12b5a2490e5ad8ff61dfe17d52e35cd2812a1d70185158f116420135afe285d7884ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
680a4eb4a1ab83cf5f6cdef299630b55

SHA1
b9e64fe7d4cb71c2b7521c02e75e5769eede9c03

SHA256
094459dd315ee3efc26fa5cc29717d6a34814b06b8500cd59d83c5e47eb654c8

SHA512
44ed81a947910147fca92d4d08b0c97252830ce030bd4bbec6304558133de27aab82a31a662dafd7c0d3a0f1547cd7eae85fd0df2440efccc4fa1f8fafa22ef2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\78F4C54FBC53537728A59512D8EEACFC

Filesize
554B

MD5
2386bc60b2a2ec9feea5933a71ce8949

SHA1
02edb3bdda92b8f41ea67f6df1d9cc78f768b169

SHA256
5949ec66af841ccc60ba2036bfae96f513ed8a41bcf4ece08a7eed810fb0078e

SHA512
1f72f2dfba016d35157f6d1466b29272ca0d00fed275ebf981a4eadcdc5b0cec71995485f9702c6f0885ae0483d0b2aba1c461f43ae4cdcf2365c3f6b736308a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
65a84cd7925378cc74972cc4e677ecef

SHA1
30b4da4c5dbd0cc77d756d270ad260ef74987ccf

SHA256
7be0a4cebd74cb4d879e3f9950f5ac5a05acc3bdc415bbf9d3dd691cccee2cb5

SHA512
ef142224cc0b94a1c5585836988a0d544e7e8b5e8573a1893c9fac528a1ccbbab6c9c7acaad7cfec1a415544bbdcdfd1d0c5e0a0819cb94107fd81989df18704

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
62e6ffe7501e581c80b178323e921b81

SHA1
d0881a3d0aee1c256291d34a90e3092fffa60ce2

SHA256
a4f50a6b36e27013a694382c996a1d3059d38310a138f21aa25cc682be5cb0e5

SHA512
0c4e34fc9a7c5308b1cd05ea71d78c75a9fb85267d7f3e5616dbc1390794941eb549bcc70f7430046ca79cc0055edf0bd51b8eb43f84ee42163dd34d612ba137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
2cd0e1d28f9400dd3b46368c092913b7

SHA1
1a86909e7f9a38697fbf9fe5189f990be700c518

SHA256
253c71f19213769c67234c345b186b477ab02fbc1d55357cd027545eae9f2cd4

SHA512
fc315be299ea9c62cb0aa081a2c345737ac297ce46b50fb4a3b4f99b9f75d470c87b542b36a37327a9ae6527cd985f862187eac0f0c1edfe0a48e4b2c8f8eed9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
af76a15c1d92dc815ae0050a74f003ae

SHA1
4db1ec1e63569334cf0ac88f6ee2f2f8b4b31170

SHA256
4bdfb8075b570980c4e5b48bb78fd0548aa16032f2b9aa97b636e7c548fcf197

SHA512
06dd249230cad634025f2c808d0a4c3714fd0d8d8b1d08b00fefe46418f2d38f58512cc1a8987fc795c4e59912704117a0afe8ade9e1127d8af5cdbed6284d3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4e818afd03d2e44d42b16f9fdb28b65c

SHA1
e3b1e66dd750333b082e3cd22e855f8ae5f892b6

SHA256
69c7d81708856720b457b9f3a14c61a309ebf24d94a42db5d70f9a8efe6e434e

SHA512
2a529b6133a6fe9c7657e287b16093516a6a1eee39ac59fe043112162876a3f1b01cdbdd3767ddf37589abd870f1ec8a5326308e9b5021f70777c258fadd8ed8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
fc2bff7c64c24cf8b0b8a95b2990152d

SHA1
d2e31ac4312b7b0f3a9e740f657644e5dd9866f0

SHA256
a2c4b2aad403ba5a0c31d3288267d70fabb4d8efed92cf4ce0979a6d3b091318

SHA512
1424c695ea87b219c738afdfce3aafc040f542e8a7c526418f19199cb1583504fd51a02557cef64a953eebcb8408e64b057a9094d8bed50874bcd5295301d729

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ded0f44dc28b8d13dc4e1fa4e07d71e2

SHA1
5071fc47aedb7b773a46c1e72f26c7a6b211c4fe

SHA256
ebca878395737f1eceaf50704a2cddf80a26c964c56f60933258efbf28431af5

SHA512
128d09fa6f31f17c5ce413fde0ed781948d43b94c79f94d1909415e5d2ce03a98211e3ce4c0dad4d620df095843725035ee924e61db38d96e2a6e058841e608b

Download Submit
C:\Users\Admin\AppData\Local\Temp\A1D26E2\A8E2D5C88C.tmp

Filesize
6.8MB

MD5
e3e17c335176a3b42e36fe2149f03fc9

SHA1
0834f657ec67affccd8af7dd18f08108aa8cc9a4

SHA256
796c2df5f588660107d9efb6778b5e41e69a457cf3b4a5d74ca85adb13521457

SHA512
1a10c9f323de35abc0825d21e49561498b8ed224c309ec5bd9f4836d33be6dc95dfdeeddbf08d02ba32b8a902a812254bf5cde4c264d8ba240dee7c48bac513b

Download Submit
C:\Users\Admin\Desktop\XnView.lnk

Filesize
1KB

MD5
cb9a322c2f430244ba6e5b5101ca04c0

SHA1
d5f85caf3576b6f54ac8996a4672b448b3682e3a

SHA256
10efaca05c6c995dc008c91bb0e351a07ccd0fdcfec7fe539a09e69bd50bec7c

SHA512
ac54aa16e27cb4daa196de8fd912712c59e0d4ef5c40a4f7746a9deec9ac8cdfe5de4f59dc95d4043183a3e6463f903c642db5f29cc6d5f633c2b6fbb5b7a4cf

Download Submit
memory/2188-88-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2188-124-0x0000000000060000-0x0000000000772000-memory.dmp

Filesize
7.1MB

Download
memory/2188-4-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2188-201-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2188-86-0x0000000000060000-0x0000000000772000-memory.dmp

Filesize
7.1MB

Download
memory/2188-125-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2188-271-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download