floxif | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo/blob/master/Trojan/MrsMajors/MrsMajor3[.]0[.]exe

max time kernel
150s
max time network
151s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250314-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
18/03/2025, 19:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Trojan/MrsMajors/MrsMajor3.0.exe

Score

10^/10

floxif backdoor bootkit discovery persistence trojan upx

Malware Config

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif

Detects Floxif payload 1 IoCs

backdoor

resource	yara_rule
behavioral1/files/0x0007000000027fda-842.dat	floxif

Downloads MZ/PE file 5 IoCs

flow	pid	Process
116	3620	msedge.exe
116	3620	msedge.exe
116	3620	msedge.exe
116	3620	msedge.exe
116	3620	msedge.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0007000000027fda-842.dat	acprotect

Executes dropped EXE 15 IoCs

pid	Process
2928	Floxif.exe
2144	Mabezat.exe
3564	xpaj.exe
3264	xpaj.exe
1172	xpaj.exe
2120	xpaj.exe
980	xpaj.exe
4704	xpaj.exe
4588	xpaj.exe
836	xpajB.exe
4936	xpajB.exe
1136	xpajB.exe
4468	xpajB.exe
4340	xpajB.exe
1032	xpajB.exe

Loads dropped DLL 12 IoCs

pid	Process
2928	Floxif.exe
2584	msedge.exe
2520	msedge.exe
1640	msedge.exe
1640	msedge.exe
2440	msedge.exe
2440	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2092	msedge.exe
2092	msedge.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
113	raw.githubusercontent.com
114	raw.githubusercontent.com
115	raw.githubusercontent.com
116	raw.githubusercontent.com
111	raw.githubusercontent.com
112	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 7 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	xpaj.exe
File opened for modification	\??\PHYSICALDRIVE0	xpaj.exe
File opened for modification	\??\PHYSICALDRIVE0	xpaj.exe
File opened for modification	\??\PHYSICALDRIVE0	xpaj.exe
File opened for modification	\??\PHYSICALDRIVE0	xpaj.exe
File opened for modification	\??\PHYSICALDRIVE0	xpaj.exe
File opened for modification	\??\PHYSICALDRIVE0	xpaj.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000027fda-842.dat	upx
behavioral1/memory/2928-845-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2928-848-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\penchs.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\UIAutomationClient.resources.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroPDF64.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Web.Entity.Resources.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\dao360.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\oneds.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\msadcer.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_disable\1.3.195.43\msedgeupdateres_lt.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\wabimp.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\identity_helper.exe	xpaj.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateres_sl.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\rtscom.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\Microsoft.Ink.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_disable\1.3.195.43\msedgeupdate.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\wdag.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\sqmapi.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\EppManifest.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_disable\1.3.195.43\msedgeupdateres_tt.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\vulkan-1.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_disable\1.3.195.43\msedgeupdateres_fr-CA.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	xpaj.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\WindowsFormsIntegration.resources.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_disable\1.3.195.43\msedgeupdateres_cy.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msvcp140_codecvt_ids.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\en\Microsoft.PackageManagement.resources.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\msadds.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\msxactps.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\concrt140.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\chrome_elf.dll	xpaj.exe
File created	C:\Program Files\Common Files\System\symsrv.dll	Floxif.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\wmpconfig.exe	xpaj.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\MpAsDesc.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\Microsoft.Build.Utilities.v3.5.resources.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_disable\1.3.195.43\msedgeupdateres_fi.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.AddIn.Contract.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\cookie_exporter.exe	xpaj.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\mshwgst.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateres_bg.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateres_hr.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_111125\javaw.exe	xpaj.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\webview2_integration.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\PhotoAcq.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_disable\1.3.195.43\psuser_64.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\dual_engine_adapter_x64.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\UIAutomationClient.resources.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\microsoft_shell_integration.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateres_tr.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\PresentationBuildTasks.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\en\Microsoft.PackageManagement.MsiProvider.resources.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\UIAutomationProvider.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe	xpaj.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateres_en.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\libGLESv2.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\WindowsBase.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_disable\1.3.195.43\msedgeupdateres_mr.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateres_cs.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_disable\1.3.195.43\msedgeupdateres_kok.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Windows.Presentation.resources.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	xpaj.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_disable\1.3.195.43\psmachine_64.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.ServiceModel.Web.dll	xpaj.exe

Drops file in Windows directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2712_1261676866\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2712_1078180928\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2712_1865343439\office_endpoints_list.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2712_473155825\sets.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2712_1708651418\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2712_1865343439\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2712_473155825\_metadata\verified_contents.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2712_1078180928\protocols.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2712_1708651418\nav_config.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2712_1708651418\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2712_1865343439\smart_switch_list.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2712_473155825\LICENSE	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2712_473155825\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2712_1261676866\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2712_1078180928\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2712_1865343439\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2712_473155825\manifest.json	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1652	2928	WerFault.exe	115
4988	2928	WerFault.exe	115

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Floxif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xpajB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xpajB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mabezat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xpaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xpajB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xpajB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xpajB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xpajB.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133867988081981775"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3174447216-2582055397-1659630574-1000\{B1323A00-597A-4A6D-8528-55FDF5757634}	msedge.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2584	msedge.exe
2584	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 7 IoCs

pid	Process
2712	msedge.exe
836	xpajB.exe
4936	xpajB.exe
1136	xpajB.exe
4468	xpajB.exe
4340	xpajB.exe
1032	xpajB.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2928	Floxif.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
2712	msedge.exe
2712	msedge.exe
3564	xpaj.exe
3264	xpaj.exe
1172	xpaj.exe
2120	xpaj.exe
980	xpaj.exe
4704	xpaj.exe
4588	xpaj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2712 wrote to memory of 1504	2712	msedge.exe	81
PID 2712 wrote to memory of 1504	2712	msedge.exe	81
PID 2712 wrote to memory of 3620	2712	msedge.exe	82
PID 2712 wrote to memory of 3620	2712	msedge.exe	82
PID 2712 wrote to memory of 2448	2712	msedge.exe	83
PID 2712 wrote to memory of 2448	2712	msedge.exe	83
PID 2712 wrote to memory of 2448	2712	msedge.exe	83
PID 2712 wrote to memory of 2448	2712	msedge.exe	83
PID 2712 wrote to memory of 2448	2712	msedge.exe	83
PID 2712 wrote to memory of 2448	2712	msedge.exe	83
PID 2712 wrote to memory of 2448	2712	msedge.exe	83
PID 2712 wrote to memory of 2448	2712	msedge.exe	83
PID 2712 wrote to memory of 2448	2712	msedge.exe	83
PID 2712 wrote to memory of 2448	2712	msedge.exe	83
PID 2712 wrote to memory of 2448	2712	msedge.exe	83
PID 2712 wrote to memory of 2448	2712	msedge.exe	83
PID 2712 wrote to memory of 2448	2712	msedge.exe	83
PID 2712 wrote to memory of 2448	2712	msedge.exe	83
PID 2712 wrote to memory of 2448	2712	msedge.exe	83
PID 2712 wrote to memory of 2448	2712	msedge.exe	83
PID 2712 wrote to memory of 2448	2712	msedge.exe	83
PID 2712 wrote to memory of 2448	2712	msedge.exe	83
PID 2712 wrote to memory of 2448	2712	msedge.exe	83
PID 2712 wrote to memory of 2448	2712	msedge.exe	83
PID 2712 wrote to memory of 2448	2712	msedge.exe	83
PID 2712 wrote to memory of 2448	2712	msedge.exe	83
PID 2712 wrote to memory of 2448	2712	msedge.exe	83
PID 2712 wrote to memory of 2448	2712	msedge.exe	83
PID 2712 wrote to memory of 2448	2712	msedge.exe	83
PID 2712 wrote to memory of 2448	2712	msedge.exe	83
PID 2712 wrote to memory of 2448	2712	msedge.exe	83
PID 2712 wrote to memory of 2448	2712	msedge.exe	83
PID 2712 wrote to memory of 2448	2712	msedge.exe	83
PID 2712 wrote to memory of 2448	2712	msedge.exe	83
PID 2712 wrote to memory of 2448	2712	msedge.exe	83
PID 2712 wrote to memory of 2448	2712	msedge.exe	83
PID 2712 wrote to memory of 2448	2712	msedge.exe	83
PID 2712 wrote to memory of 2448	2712	msedge.exe	83
PID 2712 wrote to memory of 2448	2712	msedge.exe	83
PID 2712 wrote to memory of 2448	2712	msedge.exe	83
PID 2712 wrote to memory of 2448	2712	msedge.exe	83
PID 2712 wrote to memory of 2448	2712	msedge.exe	83
PID 2712 wrote to memory of 2448	2712	msedge.exe	83
PID 2712 wrote to memory of 2448	2712	msedge.exe	83
PID 2712 wrote to memory of 2448	2712	msedge.exe	83
PID 2712 wrote to memory of 2448	2712	msedge.exe	83
PID 2712 wrote to memory of 2448	2712	msedge.exe	83
PID 2712 wrote to memory of 2448	2712	msedge.exe	83
PID 2712 wrote to memory of 2448	2712	msedge.exe	83
PID 2712 wrote to memory of 2448	2712	msedge.exe	83
PID 2712 wrote to memory of 2448	2712	msedge.exe	83
PID 2712 wrote to memory of 2448	2712	msedge.exe	83
PID 2712 wrote to memory of 2448	2712	msedge.exe	83
PID 2712 wrote to memory of 2448	2712	msedge.exe	83
PID 2712 wrote to memory of 2448	2712	msedge.exe	83
PID 2712 wrote to memory of 4496	2712	msedge.exe	84
PID 2712 wrote to memory of 4496	2712	msedge.exe	84
PID 2712 wrote to memory of 4496	2712	msedge.exe	84
PID 2712 wrote to memory of 4496	2712	msedge.exe	84
PID 2712 wrote to memory of 4496	2712	msedge.exe	84
PID 2712 wrote to memory of 4496	2712	msedge.exe	84
PID 2712 wrote to memory of 4496	2712	msedge.exe	84
PID 2712 wrote to memory of 4496	2712	msedge.exe	84
PID 2712 wrote to memory of 4496	2712	msedge.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Trojan/MrsMajors/MrsMajor3.0.exe
1⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x264,0x268,0x26c,0x260,0x274,0x7ffc6bd7f208,0x7ffc6bd7f214,0x7ffc6bd7f220
  2⤵
  PID:1504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1892,i,15250475804550623349,7428021020787957763,262144 --variations-seed-version --mojo-platform-channel-handle=2368 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  PID:3620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2332,i,15250475804550623349,7428021020787957763,262144 --variations-seed-version --mojo-platform-channel-handle=2328 /prefetch:2
  2⤵
  PID:2448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2220,i,15250475804550623349,7428021020787957763,262144 --variations-seed-version --mojo-platform-channel-handle=2392 /prefetch:8
  2⤵
  PID:4496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3540,i,15250475804550623349,7428021020787957763,262144 --variations-seed-version --mojo-platform-channel-handle=3624 /prefetch:1
  2⤵
  PID:1032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3548,i,15250475804550623349,7428021020787957763,262144 --variations-seed-version --mojo-platform-channel-handle=3628 /prefetch:1
  2⤵
  PID:3348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4252,i,15250475804550623349,7428021020787957763,262144 --variations-seed-version --mojo-platform-channel-handle=4336 /prefetch:1
  2⤵
  PID:2704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4284,i,15250475804550623349,7428021020787957763,262144 --variations-seed-version --mojo-platform-channel-handle=4428 /prefetch:2
  2⤵
  PID:4932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3768,i,15250475804550623349,7428021020787957763,262144 --variations-seed-version --mojo-platform-channel-handle=5272 /prefetch:8
  2⤵
  PID:2568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3716,i,15250475804550623349,7428021020787957763,262144 --variations-seed-version --mojo-platform-channel-handle=3592 /prefetch:8
  2⤵
  PID:3224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3708,i,15250475804550623349,7428021020787957763,262144 --variations-seed-version --mojo-platform-channel-handle=3712 /prefetch:8
  2⤵
  PID:4068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5420,i,15250475804550623349,7428021020787957763,262144 --variations-seed-version --mojo-platform-channel-handle=3732 /prefetch:8
  2⤵
  PID:1472
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5980,i,15250475804550623349,7428021020787957763,262144 --variations-seed-version --mojo-platform-channel-handle=5992 /prefetch:8
  2⤵
  PID:2436
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5980,i,15250475804550623349,7428021020787957763,262144 --variations-seed-version --mojo-platform-channel-handle=5992 /prefetch:8
  2⤵
  PID:2208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6160,i,15250475804550623349,7428021020787957763,262144 --variations-seed-version --mojo-platform-channel-handle=6148 /prefetch:8
  2⤵
  PID:3236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6132,i,15250475804550623349,7428021020787957763,262144 --variations-seed-version --mojo-platform-channel-handle=6204 /prefetch:8
  2⤵
  PID:2820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6196,i,15250475804550623349,7428021020787957763,262144 --variations-seed-version --mojo-platform-channel-handle=6368 /prefetch:8
  2⤵
  PID:4876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5164,i,15250475804550623349,7428021020787957763,262144 --variations-seed-version --mojo-platform-channel-handle=5796 /prefetch:8
  2⤵
  PID:3360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6572,i,15250475804550623349,7428021020787957763,262144 --variations-seed-version --mojo-platform-channel-handle=6020 /prefetch:8
  2⤵
  PID:4536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6732,i,15250475804550623349,7428021020787957763,262144 --variations-seed-version --mojo-platform-channel-handle=6740 /prefetch:8
  2⤵
  PID:1236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6908,i,15250475804550623349,7428021020787957763,262144 --variations-seed-version --mojo-platform-channel-handle=6920 /prefetch:8
  2⤵
  PID:5028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6936,i,15250475804550623349,7428021020787957763,262144 --variations-seed-version --mojo-platform-channel-handle=6900 /prefetch:8
  2⤵
  PID:1188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=604,i,15250475804550623349,7428021020787957763,262144 --variations-seed-version --mojo-platform-channel-handle=4620 /prefetch:8
  2⤵
  PID:3120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4644,i,15250475804550623349,7428021020787957763,262144 --variations-seed-version --mojo-platform-channel-handle=4324 /prefetch:8
  2⤵
  PID:5028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4672,i,15250475804550623349,7428021020787957763,262144 --variations-seed-version --mojo-platform-channel-handle=4616 /prefetch:8
  2⤵
  PID:3572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5332,i,15250475804550623349,7428021020787957763,262144 --variations-seed-version --mojo-platform-channel-handle=6704 /prefetch:8
  2⤵
  PID:2484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --always-read-main-dll --field-trial-handle=5368,i,15250475804550623349,7428021020787957763,262144 --variations-seed-version --mojo-platform-channel-handle=7004 /prefetch:1
  2⤵
  PID:1432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=2820,i,15250475804550623349,7428021020787957763,262144 --variations-seed-version --mojo-platform-channel-handle=5632 /prefetch:8
  2⤵
  PID:2172
- C:\Users\Admin\Downloads\Floxif.exe
  "C:\Users\Admin\Downloads\Floxif.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2928
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2928 -s 480
    3⤵
    - Program crash
    PID:1652
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2928 -s 488
    3⤵
    - Program crash
    PID:4988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4548,i,15250475804550623349,7428021020787957763,262144 --variations-seed-version --mojo-platform-channel-handle=6784 /prefetch:8
  2⤵
  PID:784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --always-read-main-dll --field-trial-handle=7092,i,15250475804550623349,7428021020787957763,262144 --variations-seed-version --mojo-platform-channel-handle=4556 /prefetch:1
  2⤵
  PID:3884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6716,i,15250475804550623349,7428021020787957763,262144 --variations-seed-version --mojo-platform-channel-handle=6200 /prefetch:8
  2⤵
  PID:2568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6736,i,15250475804550623349,7428021020787957763,262144 --variations-seed-version --mojo-platform-channel-handle=6220 /prefetch:8
  2⤵
  PID:1536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6136,i,15250475804550623349,7428021020787957763,262144 --variations-seed-version --mojo-platform-channel-handle=6652 /prefetch:8
  2⤵
  PID:4672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --always-read-main-dll --field-trial-handle=6568,i,15250475804550623349,7428021020787957763,262144 --variations-seed-version --mojo-platform-channel-handle=6772 /prefetch:1
  2⤵
  PID:3788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6696,i,15250475804550623349,7428021020787957763,262144 --variations-seed-version --mojo-platform-channel-handle=6320 /prefetch:8
  2⤵
  PID:3648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7000,i,15250475804550623349,7428021020787957763,262144 --variations-seed-version --mojo-platform-channel-handle=6612 /prefetch:8
  2⤵
  PID:4412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --always-read-main-dll --field-trial-handle=7100,i,15250475804550623349,7428021020787957763,262144 --variations-seed-version --mojo-platform-channel-handle=5540 /prefetch:1
  2⤵
  PID:4512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5084,i,15250475804550623349,7428021020787957763,262144 --variations-seed-version --mojo-platform-channel-handle=1760 /prefetch:8
  2⤵
  PID:4556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7140,i,15250475804550623349,7428021020787957763,262144 --variations-seed-version --mojo-platform-channel-handle=5416 /prefetch:8
  2⤵
  PID:3172
- C:\Users\Admin\Downloads\Mabezat.exe
  "C:\Users\Admin\Downloads\Mabezat.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5396,i,15250475804550623349,7428021020787957763,262144 --variations-seed-version --mojo-platform-channel-handle=6252 /prefetch:8
  2⤵
  PID:4716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --always-read-main-dll --field-trial-handle=6312,i,15250475804550623349,7428021020787957763,262144 --variations-seed-version --mojo-platform-channel-handle=6240 /prefetch:1
  2⤵
  PID:3972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6264,i,15250475804550623349,7428021020787957763,262144 --variations-seed-version --mojo-platform-channel-handle=6540 /prefetch:8
  2⤵
  PID:2112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7104,i,15250475804550623349,7428021020787957763,262144 --variations-seed-version --mojo-platform-channel-handle=6596 /prefetch:8
  2⤵
  PID:4396
- C:\Users\Admin\Downloads\xpaj.exe
  "C:\Users\Admin\Downloads\xpaj.exe"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3564
- C:\Users\Admin\Downloads\xpaj.exe
  "C:\Users\Admin\Downloads\xpaj.exe"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetWindowsHookEx
  PID:3264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=4532,i,15250475804550623349,7428021020787957763,262144 --variations-seed-version --mojo-platform-channel-handle=7088 /prefetch:8
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:2584
- C:\Users\Admin\Downloads\xpaj.exe
  "C:\Users\Admin\Downloads\xpaj.exe"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetWindowsHookEx
  PID:1172
- C:\Users\Admin\Downloads\xpaj.exe
  "C:\Users\Admin\Downloads\xpaj.exe"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetWindowsHookEx
  PID:2120
- C:\Users\Admin\Downloads\xpaj.exe
  "C:\Users\Admin\Downloads\xpaj.exe"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetWindowsHookEx
  PID:980
- C:\Users\Admin\Downloads\xpaj.exe
  "C:\Users\Admin\Downloads\xpaj.exe"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetWindowsHookEx
  PID:4704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6960,i,15250475804550623349,7428021020787957763,262144 --variations-seed-version --mojo-platform-channel-handle=7252 /prefetch:8
  2⤵
  - Loads dropped DLL
  PID:2520
- C:\Users\Admin\Downloads\xpaj.exe
  "C:\Users\Admin\Downloads\xpaj.exe"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetWindowsHookEx
  PID:4588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --always-read-main-dll --field-trial-handle=7400,i,15250475804550623349,7428021020787957763,262144 --variations-seed-version --mojo-platform-channel-handle=7404 /prefetch:1
  2⤵
  - Loads dropped DLL
  PID:2144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4580,i,15250475804550623349,7428021020787957763,262144 --variations-seed-version --mojo-platform-channel-handle=3700 /prefetch:8
  2⤵
  - Loads dropped DLL
  PID:1640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5416,i,15250475804550623349,7428021020787957763,262144 --variations-seed-version --mojo-platform-channel-handle=6284 /prefetch:8
  2⤵
  - Loads dropped DLL
  PID:2440
- C:\Users\Admin\Downloads\xpajB.exe
  "C:\Users\Admin\Downloads\xpajB.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:836
- C:\Users\Admin\Downloads\xpajB.exe
  "C:\Users\Admin\Downloads\xpajB.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:4936
- C:\Users\Admin\Downloads\xpajB.exe
  "C:\Users\Admin\Downloads\xpajB.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1136
- C:\Users\Admin\Downloads\xpajB.exe
  "C:\Users\Admin\Downloads\xpajB.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:4468
- C:\Users\Admin\Downloads\xpajB.exe
  "C:\Users\Admin\Downloads\xpajB.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:4340
- C:\Users\Admin\Downloads\xpajB.exe
  "C:\Users\Admin\Downloads\xpajB.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5844,i,15250475804550623349,7428021020787957763,262144 --variations-seed-version --mojo-platform-channel-handle=7160 /prefetch:8
  2⤵
  - Loads dropped DLL
  PID:2092

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:3784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2928 -ip 2928
1⤵
PID:1836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2928 -ip 2928
1⤵
PID:640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\msedge_elf.dll

Filesize
3.7MB

MD5
2803823983a46b8365b16cee5a3c43b9

SHA1
3b92ed9066aeba4365b2adddb90a69773827dc1d

SHA256
a063c2ab9fa977be97640234080abd15626bd7de3539decea60d9aea98688a6a

SHA512
d164d7cdd54b375eba0e35b8707f3b626cd01043f152328369ad6a5f70e14f16fada96c7c06afc1eb885145d15bf5f9d8d3c3776f9cc54d92ffd195400c264ab

Download Submit
C:\Program Files\Common Files\System\symsrv.dll

Filesize
72KB

MD5
ccf7e487353602c57e2e743d047aca36

SHA1
99f66919152d67a882685a41b7130af5f7703888

SHA256
eaf76e5f1a438478ecf7b678744da34e9d9e5038b128f0c595672ee1dbbfd914

SHA512
dde0366658082b142faa6487245bfc8b8942605f0ede65d12f8c368ff3673ca18e416a4bf132c4bee5be43e94aef0531be2008746c24f1e6b2f294a63ab1486c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
a46a324553367dc0b13a007305e4f102

SHA1
005a700ac0bf4429024f9e857e2281f82f370aed

SHA256
a718f2fe90be4422382450b4959840a13d6d18dea09d3da5394624198a126063

SHA512
d3b9fcde15be13451aa441070d9143fc53faa6a2725adea7fb9c340bcb9d7ea183dc1b36c0f8ec21c1748c80bc8fa03a14f198c2fc914c9f8e81702bd8e18399

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
29f13140c50c2394177caf96baf3a5c0

SHA1
680e35060382a846752eb208b62de077d31fd1eb

SHA256
f4554eb3e1e133edb5f5f01e19539ffc52adc0b346e19c4742a815e7a92b2dcb

SHA512
d964d066a2913d3b6eb73925160d7e9d79a94ae5c6e3956cd361b54fe53833b311990a91346917bc90b227301d864939f6a5a417ff52ef9fe8e21971b1a661fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
10ac683b6c0ddc37f49da41482009a11

SHA1
9dfddcb8edc0dc39db2012892b9d0cf02dd4d2ac

SHA256
98d0b393a8dfe6e01b3a88d32c071846d3727e4c0a508e715e274c3c24528c3a

SHA512
989776169db685fbf04ff0f7ce2f01abf98343d2150aadadeaffa411343a07d871357594e3fa43d95d40fcb8ff99106fe552be9148b640b5336fe8454ded1b11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe57d580.TMP

Filesize
3KB

MD5
02a4c9a1b3ce6e16fc2ddc45af346e94

SHA1
6acf2a36d79bde1aa831c3aa8fb1d3d61557191d

SHA256
4b8144c76b567e5817206a3965df28dd829442c12c6ca7f77108828a41aa5e05

SHA512
15c1f5bd44269b5d6abcb09979db15f26048a13e18dd3743c034cd89e2b29e53b5f31e5c75fc387a924790eb641a3722b877c59fdd8e961b8cd313c65d2d39d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
69KB

MD5
164a788f50529fc93a6077e50675c617

SHA1
c53f6cd0531fd98d6abbd2a9e5fbb4319b221f48

SHA256
b305e470fb9f8b69a8cd53b5a8ffb88538c9f6a9c7c2c194a226e8f6c9b53c17

SHA512
ec7d173b55283f3e59a468a0037921dc4e1bf3fab1c693330b9d8e5826273c917b374c4b802f3234bbb5e5e210d55e52351426867e0eb8c9f6fba1a053cb05d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\jmjflgjpcpepeafmmgdpfkogkghcpiha\1.2.1_0\content_new.js

Filesize
10KB

MD5
3de1e7d989c232fc1b58f4e32de15d64

SHA1
42b152ea7e7f31a964914f344543b8bf14b5f558

SHA256
d4aa4602a1590a4b8a1bce8b8d670264c9fb532adc97a72bc10c43343650385a

SHA512
177e5bdf3a1149b0229b6297baf7b122602f7bd753f96aa41ccf2d15b2bcf6af368a39bb20336ccce121645ec097f6bedb94666c74acb6174eb728fbfc43bc2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
40e2018187b61af5be8caf035fb72882

SHA1
72a0b7bcb454b6b727bf90da35879b3e9a70621e

SHA256
b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5

SHA512
a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
e8d33c75e1495bab1bbb6eae2075ec40

SHA1
aa0a65956d215e8e077fd8777c9c5a42401aa462

SHA256
9e98b43dad56bfc84e812503f846aa9586d1ee6f946fc9035ea743aab17db54e

SHA512
3d31be1707d75865d70dcf5f3c93403db4c7774c794ea49da76c9fce51acc6da91faa86a618fda899f9a8a423de2e0cd97d9b9956a5025df4f60a83401c78b5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
15KB

MD5
8fdea1454867271d9e161ef54b494255

SHA1
94aa7fbb0b525df2b7c63cf05e2c9f0c12e34a0e

SHA256
80cdf6fbed7f8552a0b64f9ea83ebbf0f3e8ab2d0deb27356585f92573d809e4

SHA512
c519cb4a9d0e89c5964af66ebef3a9422ba7e5fc8aaa9acf579f7850f256f02dfb49abc35fe85425219d9522909252db10270c70e4c3a91e54eb3d297f1d08a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
14KB

MD5
bef1619cccd920453cd5ec29da747b23

SHA1
2f38bebe75e6f9f777718efc3d12884decb7d549

SHA256
c9bc8f45e5adc0c063c890fc003d3cdc768361944807aa62ee5a600df9a01ed5

SHA512
b1e481ca00ea4d08d9b72d82fef590dc0fef8d2c7825325aedd21ab650dab314f6d24fd4ef7189c46441362026d1f8f5505f268717fa846b798b8526fe01a6fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
15KB

MD5
22af9e720e485208d1769242b2e9d6e1

SHA1
62d5ca45b5fa796bd719af8f162a82626e6861b1

SHA256
a32e6b666fce175e701f8264900ee0eefa0cff1f8b1473636066d83f3f5953f3

SHA512
3eff89780e39fd5bb7dcba81135fe636c93a856526fa8de0d491d51248090b1ed346cc31751fa67e651ff59b5a29b6b10d23de32a3cfcd3124e2cbe743575e55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
36KB

MD5
44231e8a5de87b035457322992429659

SHA1
e1a50631158c0a3705633626356adc6097934214

SHA256
291dc49b19b5b0aecc399399756c48ef2d38231c70c6f9f6f35f04ae41484b8f

SHA512
d63686752068caf82deb9396bc856f31219a7dc9d4779ff930b5be719becc8bd591e112ac29db4a3271c7286c162b56b294da783de9c3c0bcb16bba8b6310c78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
880B

MD5
98ceb546f11b019ab5630c1bde58e42b

SHA1
524d98d32908557a274cf16104f55b3783079562

SHA256
03709788f73940e32f38b5d35eeddb900f6a443299f173d6c89ca65edf3d0f6e

SHA512
4841424f6038bc3d9eb6b467d63d2b5a142b35554759197e36671aa953e8c62ea5c80558a6bcc54173873dce1309d8bb321209a9e0817e3d9e6e35a0c5344468

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
21KB

MD5
0dde4099c0e31d37bf69454843741fe5

SHA1
239f47c87ca66759f975682b950bb7e88eb75e69

SHA256
797dc3e8f3ae1443dc0188020262db06eaeeb476ca76a9f66ee93d6f7a0e0746

SHA512
f9ca567f8aa877066a66dbacc6cc9bc04e806e3b8a14e1d05f6161b30ba4786fc29829396b7f7a7a813a0625dc88be0f80c3a9274e78f53fde2aad2806e46614

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog~RFe5854b3.TMP

Filesize
469B

MD5
4b3bba5c805a3ef249b650e3c21d139e

SHA1
11c5522e87bca2417520a0d4c6acc26e3b978aa4

SHA256
095501b9ef786ffc591e07f73ba07074deffc8a6fc148c66bfac6ea23905c56e

SHA512
bac7c6bb29d9e76751ada66b9601219cb2ea4120f0d0171891ce88cd5ddef99368a9fceea9f7e387ad48d270b76cdad48a6a4d9bf85dbb1f14d5e39c655f31c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig

Filesize
20KB

MD5
622cf13abe8c4ba81acbbe4070f8d70a

SHA1
29c39577de789602617632a1ee745e5897805fa7

SHA256
b91863cb7dfb695e04f8be6b437f67ba669d1cfbd407a3418cccf12919c7dab4

SHA512
25d382c5ef4691018d62f05e28a6d2c321218e1586646b2e628350968f2475d30a13c53c5055bea16451111b1c566e53003af3e2afe3a9e5a3785255069c23f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig

Filesize
2KB

MD5
ee334aba4dd4fb9caec2da190449504a

SHA1
83d86913e3555e9a83208a777607a621965e9d77

SHA256
762156ec3519d73a52878b137bd506781d5ce93e10336f2010ec52ea9ab78536

SHA512
5863b59c91b1045cb69c5a8feefc32d579f615c3d1480d13369aff2cdf521e7d991424c4edb61f58b1da763e0bbb98f02cc56b0d9fc01236db2f4acc799b58f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
39KB

MD5
73ea810d2552f33b43153a5c36ff4f81

SHA1
90f4e62399bc9356ff0b5856289ecf444fd0f2fa

SHA256
e615a09a77a3099961b7bce7550beca2c41ec9f01385bc41cbc88513ef76cc3b

SHA512
eefdf2d2e2e03f6a1642ad61777427a688f2f6e00adc41439f97df6fc7e5c97afff7d3d527d2ca81805cfa4af9cf9dd537e5704ec57d7909d336ebfe226093f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
39KB

MD5
166056a21be691543c50abcd0b22ce1b

SHA1
9693050165bb10cebe51e17e23aa578a8e159f56

SHA256
60de5b1288b59049a024568be57419e909d81372b979f1c185c0dabe142ca810

SHA512
32c7c5ae2d92192188021a54346e0e495f3c8bc347ad515c834acfe5d906f446825a36e6c084866ef8ccfdbf4bc618b99ccbe4a081de330cf69e40226443d218

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
30KB

MD5
f2640898211038cc88ce95115d553107

SHA1
d58bdb1b201a06e0ab2adb668edcb897d37fe029

SHA256
bdb3104e1bb68d207cd3e9c3c02c0319c5bd93e6c6284a95664d46769a4b023f

SHA512
047d18dd66ed0ba671e03369357399a4780f1c2681e49c79ad47247f20eb1dd211b1cf8034a6f6b58f2d7afa832117e84fa445d1ab11a28f264ae90298632b45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
6KB

MD5
f23ac7d1dff7586cb8f761f118511e17

SHA1
69c2c334678ece0bd40223f21c2e15f5a84303f6

SHA256
05f7f53aaf5efc437a7b85cbbce78b3a8b70de3f2eea704e9fb6644f00a1aa27

SHA512
0505d3db8e9fdc6eab0fa062e47b3128e68b83a597546dbfde8a807bf53c4eefc8e3e4c8074bf103cf12c871066e2d3f6d6fbfbd7797ff9118aec1a359c64ce3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
7KB

MD5
6297947723400b77a49eee609828a20e

SHA1
16900f465f1f6f597f2f271352b6c15bd5489b6e

SHA256
4fac1de2a9b58577051af74fd8c5f4aec8fd523c025107c0ace807923ddf2912

SHA512
81189117adf5ba5a1b74298153e3d56ed2e44528a5aac9498b3e7f007cdef969f7a430d5a38e0eba9c3ba78c3bbf1119f3a4c075e80cb22ff48b2d121c17186f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
30KB

MD5
b2b51082892a4639b31d6829f753681a

SHA1
909efd39d6998641e673993d3f9d18dfea2cc607

SHA256
f7d60a551eb7adacf72f7778beee034e92145196e213206f8b4ceb9f2dbb4ca9

SHA512
a86567843bc35711ed2c5283f8730642a38bf66a5763ee0d258609a9ec380698967d528ca94ac5e690d88393f288851d3572e902de0512e1340b58c3f08a054f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
39KB

MD5
d546dbe6bfcd7c90b923703c0f59c1eb

SHA1
c338c3f88553618664b8c5dbbc4e8dd1d0fa30e4

SHA256
dbccd4e14d41f6e783cbdc96cb4b1d823b82ad03db0868ec11cf217101ef9a81

SHA512
9b6e351bb0b18372300343e24b01703a21d6fcf3907a775c5c780a66e22896b3b7b8e1243e9fb88fbdf504edeb6be8c8c9385c4951e997cb3ca5c87608b25868

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
24d10020d44c8649a054a9c3dde76123

SHA1
99dbf0a2c33f980ee220ef51dbb34edb8784d518

SHA256
27ea9417bcaed0e49629e8bb620a5351159a3f67bca7658b8bfde126b105345c

SHA512
d514afce1182d3a3d8a66aeecefd47fc715fda06db82e8dafc89abc2c68bcc059af293ed3498ef0dae479b07a7bff308fbbd0cafdb28344ea91116f9791f5d7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
bdecabf176a725e9c362033e7d7d10ee

SHA1
199da3ee38e896df214387192475ccaed1872b2d

SHA256
a95619568ad00bffcf46edae0ab6abfe7dc9ec34a3bfa25cd3063290c27dd528

SHA512
3eb749fcf11ce7b1570a032fe66158558f9a1c7beb061e36532cdca7c7672a36bc3f3cb05ccce4e69b98810c11ce2cb921d7815fc36ba0fd1a416a7b3741beee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
de6169701b8aeceadabcffd9b7545e1c

SHA1
d54ce3b8c963c3b0a1befd529b992cd747b63b71

SHA256
062bc9dba7f9f14073177b65bc0db1bd10984fb5c360586b77eaff1ce2dc28fa

SHA512
091b3877e18d24d7ddbee159d55280759516ed4a8d40a48143916ec6957eb437bb9fb1bcbc79bdd0c7bfd021839a2784f381c35a382cb6eb2584554814f4a245

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
71329c03e503167be02648f7df37ba80

SHA1
dab2efe80c3808af9ee9bae4c3264b362f8804c7

SHA256
ebaf776d5dfff2d9b29439376ebd813f6607373bf2d9c8d3b21857eb02b4b2b2

SHA512
3bdcd0300675200f3afd649ec9fe0804cabfed858fe554975e6eee4682d81d16ceb54bf2f5db6c793b9fcff55b8c79e1f7f9ffc3677c2e44d28ece284b3cfa6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
bc3c38472d1e9acf2def2d9a8e4577a5

SHA1
2029c4576af01aa087ea5fd5e85590312321a76f

SHA256
dc98b42fcf65dd6ff792c49435e2ef95907dc2e6e1d90e3790f73215d003346a

SHA512
0b923310062834751f81128f90a5b11c820ff3397bab502d599cf2cd17f29330d3d65fcfeda091e5019974b40bbb984282657ca009b8cbd4a166b89e759cbbe3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
9793a5e92b6f7ae4c07cc0b30d8f4eb6

SHA1
a3fe15926925e517740dcd009b22de703ed13aa9

SHA256
5551d0acad72a59a82aa0c81aca8357574c8cafd8698585324a2fcd889fe3e03

SHA512
79bb1954a945a6ebde0c65054fe53a04757a34e27c5dc1e4b5063302aa487b10aa2372b130813e54a358e7a9aac8e3d0d0462c0bacdb35963041b75128778a74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter~RFe5852fd.TMP

Filesize
392B

MD5
07b242713af1c284bfe97656ca48aaec

SHA1
6549be759c9fc7b8d004f26e99f84dc70925b0a1

SHA256
bf9719f21faef580b9416321feabe3e3c84aa5d0aaaed9fe3d2e70c6cc23fc66

SHA512
042ef410a8d4748a00db9f3bdd0fd8739b4ca0e302b17b0fadc95fd6ae70f895492b9c5653c0b39421fe0d06d2ae314ccd3a953d713779488168ee5f829ed24f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
ae756e12284c9bcba8f9dc54da98f756

SHA1
60a0fae6fc133b202b0b87690627fbac7b150523

SHA256
1f8b216db2d863d2c6fb0fec035eedd75098890d6002609e17dcf7331f7ff6d0

SHA512
2fced21eeee7c9a657f8142ad966fe61c91c1ccb95bd152ecbc672a12485baa29fc1b666c96cec54ac721a963f890a66803d7a89809fc559a261b6bf2c3a31a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\97e84d30-4076-4136-8591-ff6bf123b21b.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\Downloads\Floxif.exe.crdownload

Filesize
532KB

MD5
00add4a97311b2b8b6264674335caab6

SHA1
3688de985909cc9f9fa6e0a4f2e43d986fe6d0ec

SHA256
812af0ec9e1dfd8f48b47fd148bafe6eecb42d0a304bc0e4539750dd23820a7f

SHA512
aaf5dae929e6b5809b77b6a79ab833e548b66fb628afeb20b554d678947494a6804cb3d59bf6bbcb2b14cede1a0609aa41f8e7fe8a7999d578e8b7af7144cb70

Download Submit
C:\Users\Admin\Downloads\Mabezat.exe

Filesize
141KB

MD5
de8d08a3018dfe8fd04ed525d30bb612

SHA1
a65d97c20e777d04fb4f3c465b82e8c456edba24

SHA256
2ae0c4a5f1fedf964e2f8a486bf0ee5d1816aac30c889458a9ac113d13b50ceb

SHA512
cc4bbf71024732addda3a30a511ce33ce41cbed2d507dfc7391e8367ddf9a5c4906a57bf8310e3f6535646f6d365835c7e49b95584d1114faf2738dcb1eb451a

Download Submit
C:\Users\Admin\Downloads\MadMan.exe

Filesize
2KB

MD5
a56d479405b23976f162f3a4a74e48aa

SHA1
f4f433b3f56315e1d469148bdfd835469526262f

SHA256
17d81134a5957fb758b9d69a90b033477a991c8b0f107d9864dc790ca37e6a23

SHA512
f5594cde50ca5235f7759c9350d4054d7a61b5e61a197dffc04eb8cdef368572e99d212dd406ad296484b5f0f880bdc5ec9e155781101d15083c1564738a900a

Download Submit
C:\Users\Admin\Downloads\Walker.com

Filesize
4KB

MD5
93ceffafe7bb69ec3f9b4a90908ece46

SHA1
14c85fa8930f8bfbe1f9102a10f4b03d24a16d02

SHA256
b87b48dcbf779b06c6ca6491cd31328cf840578d29a6327b7a44f9043ce1eb07

SHA512
c1cb5f15e2487f42d57ae0fa340e29c677fe24b44c945615ef617d77c2737ce4227d5a571547714973d263ed0a69c8893b6c51e89409261cdbedff612339d144

Download Submit
C:\Users\Admin\Downloads\xpaj.exe.crdownload

Filesize
219KB

MD5
d5c12fcfeebbe63f74026601cd7f39b2

SHA1
50281de9abb1bec1b6a1f13ccd3ce3493dee8850

SHA256
9db7ef2d1495dba921f3084b05d95e418a16f4c5e8de93738abef2479ad5b0da

SHA512
132d8c08f40a578c1dc6ac029bf2a61535087ce949ff84dbec8577505c4462358a1d9ef6cd3f58078fdcae5261d7a87348a701c28ce2357f17ecc2bc9da15b4e

Download Submit
C:\Users\Admin\Downloads\xpajB.exe

Filesize
520KB

MD5
bd76fc01deed43cd6e368a1f860d44ed

SHA1
a2e241e9af346714e93c0600f160d05c95839768

SHA256
e04c85cd4bffa1f5465ff62c9baf0b29b7b2faddf7362789013fbac8c90268bf

SHA512
d0ebe108f5baf156ecd9e1bf41e23a76b043fcaac78ff5761fdca2740b71241bd827e861ada957891fbc426b3d7baa87d10724765c45e25f25aa7bd6d31ab4ec

Download Submit
memory/836-1252-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/836-1285-0x0000000001E60000-0x0000000001E84000-memory.dmp

Filesize
144KB

Download
memory/836-1253-0x0000000001E90000-0x0000000001E94000-memory.dmp

Filesize
16KB

Download
memory/836-1254-0x0000000001E60000-0x0000000001E84000-memory.dmp

Filesize
144KB

Download
memory/836-1284-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1032-1340-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1136-1288-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2144-1112-0x0000000001000000-0x0000000001026000-memory.dmp

Filesize
152KB

Download
memory/2144-1074-0x0000000001000000-0x0000000001026000-memory.dmp

Filesize
152KB

Download
memory/2928-847-0x0000000000460000-0x00000000004D5000-memory.dmp

Filesize
468KB

Download
memory/2928-848-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2928-845-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/3264-1211-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3564-1159-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4340-1339-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4468-1338-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4588-1191-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4936-1287-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4936-1257-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download