zgrat | b479466f9646b05cdd08d4f85fe30ca3bc1879467ac167eecca72fe58b536a4c

Analysis

max time kernel
208s
max time network
210s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
12-05-2024 15:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.html
Size

93KB
MD5

39a33b65aa143858d0dd000fc105dc27
SHA1

ab256505735aa96bc86efe19e6796bb5e45e801c
SHA256

b479466f9646b05cdd08d4f85fe30ca3bc1879467ac167eecca72fe58b536a4c
SHA512

b45e3923ea488cf5f49a8b3310b0620d8e8881aee1a37b1557497650b10deaa14a6fd803e3cff791a5b57a5d86ed0cd94611e4b74376b8c704bd98941d1cb04f
SSDEEP

1536:qiub850ZoTgAJuHnjde83Ml83Mn1CyKxzmFM/HXcc01vvzj3NPnJWKfkH80r8GB5:qi/gAkHnjP1/chx4BU4

Score

10^/10

zgrat discovery rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1580-1384-0x0000000000400000-0x0000000000480000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Executes dropped EXE 6 IoCs

Processes:

Solara X.exeSolara X.exeSolara X.exeSolara X.exeSolara X.exeSolara X.exe

pid	Process
1464	Solara X.exe
6024	Solara X.exe
5824	Solara X.exe
4044	Solara X.exe
5456	Solara X.exe
4912	Solara X.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

Processes:

flow	ioc
216	bitbucket.org
218	bitbucket.org
195	bitbucket.org
196	bitbucket.org
201	bitbucket.org
208	bitbucket.org
209	bitbucket.org
215	bitbucket.org

Suspicious use of SetThreadContext 4 IoCs

Processes:

Solara X.exeSolara X.exeSolara X.exeSolara X.exe

description	pid	Process	procid_target
PID 1464 set thread context of 1580	1464	Solara X.exe	89
PID 4044 set thread context of 5240	4044	Solara X.exe	98
PID 5456 set thread context of 5516	5456	Solara X.exe	112
PID 4912 set thread context of 308	4912	Solara X.exe	116

Drops file in Windows directory 6 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	Process
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

MicrosoftEdgeCP.exeMicrosoftEdgeCP.exebrowser_broker.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exebrowser_broker.exeSolara X.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\Total\ = "1606"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\mediafire.com\Total = "111"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\bing.com\Total = "132"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\EdpDomStorage\bing.com\Total = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url5 = "https://login.live.com/"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\mediafire.com\Total = "124"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "751"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\Total\ = "31597"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLsTime\url2 = 0000000000000000	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B7216 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-08760 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\mediafire.com\Total = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\NextUpdateDate = "422341901"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLsTime	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DomStorageState\EdpState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\mediafire.com\NumberOfSubdom = "1"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\PersistedStorageItemTable\System\{11D82F88-FF9F-46DC-8E6C-8AD287F296 = "0"	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\bing.com\NumberOfSubdomains = "1"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\Total\ = "233"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\MuiCache	Solara X.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\mediafire.com\ = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\www.bing.com\ = "31496"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLsVisitCount\url5 = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url6 = "https://twitter.com/"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\www.bing.com\ = "602"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe

NTFS ADS 1 IoCs

Processes:

browser_broker.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\S0lara_ByfronBypassV2.0.zip.w3g2uut.partial:Zone.Identifier	browser_broker.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

Processes:

NOTEPAD.EXE

pid	Process
2616	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

MSBuild.exesdiagnhost.exeRegSvcs.exeRegAsm.exe

pid	Process
1580	MSBuild.exe
5848	sdiagnhost.exe
5848	sdiagnhost.exe
5240	RegSvcs.exe
5848	sdiagnhost.exe
5516	RegAsm.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid	Process
1104	7zFM.exe

Suspicious behavior: MapViewOfSection 10 IoCs

Processes:

MicrosoftEdgeCP.exe

pid	Process
2436	MicrosoftEdgeCP.exe
2436	MicrosoftEdgeCP.exe
2436	MicrosoftEdgeCP.exe
2436	MicrosoftEdgeCP.exe
2436	MicrosoftEdgeCP.exe
2436	MicrosoftEdgeCP.exe
2436	MicrosoftEdgeCP.exe
2436	MicrosoftEdgeCP.exe
2436	MicrosoftEdgeCP.exe
2436	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

Processes:

MicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdge.exe7zFM.exeMSBuild.exeRegSvcs.exesdiagnhost.exeRegAsm.exeCasPol.exe

description	pid	Process
Token: SeDebugPrivilege	4324	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4324	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4324	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4324	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3884	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3884	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3884	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	772	MicrosoftEdge.exe
Token: SeDebugPrivilege	772	MicrosoftEdge.exe
Token: SeRestorePrivilege	1104	7zFM.exe
Token: 35	1104	7zFM.exe
Token: SeSecurityPrivilege	1104	7zFM.exe
Token: SeDebugPrivilege	1580	MSBuild.exe
Token: SeBackupPrivilege	1580	MSBuild.exe
Token: SeSecurityPrivilege	1580	MSBuild.exe
Token: SeSecurityPrivilege	1580	MSBuild.exe
Token: SeSecurityPrivilege	1580	MSBuild.exe
Token: SeSecurityPrivilege	1580	MSBuild.exe
Token: SeDebugPrivilege	5240	RegSvcs.exe
Token: SeBackupPrivilege	5240	RegSvcs.exe
Token: SeSecurityPrivilege	5240	RegSvcs.exe
Token: SeSecurityPrivilege	5240	RegSvcs.exe
Token: SeSecurityPrivilege	5240	RegSvcs.exe
Token: SeSecurityPrivilege	5240	RegSvcs.exe
Token: SeDebugPrivilege	5848	sdiagnhost.exe
Token: SeDebugPrivilege	5516	RegAsm.exe
Token: SeBackupPrivilege	5516	RegAsm.exe
Token: SeSecurityPrivilege	5516	RegAsm.exe
Token: SeSecurityPrivilege	5516	RegAsm.exe
Token: SeSecurityPrivilege	5516	RegAsm.exe
Token: SeSecurityPrivilege	5516	RegAsm.exe
Token: SeDebugPrivilege	308	CasPol.exe
Token: SeBackupPrivilege	308	CasPol.exe
Token: SeSecurityPrivilege	308	CasPol.exe
Token: SeSecurityPrivilege	308	CasPol.exe
Token: SeSecurityPrivilege	308	CasPol.exe
Token: SeSecurityPrivilege	308	CasPol.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

7zFM.exemsdt.exe

pid	Process
1104	7zFM.exe
1104	7zFM.exe
5200	msdt.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

pid	Process
772	MicrosoftEdge.exe
2436	MicrosoftEdgeCP.exe
4324	MicrosoftEdgeCP.exe
2436	MicrosoftEdgeCP.exe
1316	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

MicrosoftEdgeCP.exeSolara X.exeSolara X.exeSolara X.exeSolara X.exepcwrun.exesdiagnhost.exe

description	pid	Process	procid_target
PID 2436 wrote to memory of 3884	2436	MicrosoftEdgeCP.exe	77
PID 2436 wrote to memory of 3884	2436	MicrosoftEdgeCP.exe	77
PID 2436 wrote to memory of 3884	2436	MicrosoftEdgeCP.exe	77
PID 2436 wrote to memory of 3884	2436	MicrosoftEdgeCP.exe	77
PID 2436 wrote to memory of 2648	2436	MicrosoftEdgeCP.exe	79
PID 2436 wrote to memory of 2648	2436	MicrosoftEdgeCP.exe	79
PID 2436 wrote to memory of 2648	2436	MicrosoftEdgeCP.exe	79
PID 2436 wrote to memory of 2648	2436	MicrosoftEdgeCP.exe	79
PID 2436 wrote to memory of 2648	2436	MicrosoftEdgeCP.exe	79
PID 2436 wrote to memory of 2648	2436	MicrosoftEdgeCP.exe	79
PID 2436 wrote to memory of 2648	2436	MicrosoftEdgeCP.exe	79
PID 2436 wrote to memory of 2648	2436	MicrosoftEdgeCP.exe	79
PID 2436 wrote to memory of 2648	2436	MicrosoftEdgeCP.exe	79
PID 2436 wrote to memory of 2648	2436	MicrosoftEdgeCP.exe	79
PID 2436 wrote to memory of 2648	2436	MicrosoftEdgeCP.exe	79
PID 2436 wrote to memory of 2648	2436	MicrosoftEdgeCP.exe	79
PID 2436 wrote to memory of 2648	2436	MicrosoftEdgeCP.exe	79
PID 2436 wrote to memory of 2648	2436	MicrosoftEdgeCP.exe	79
PID 2436 wrote to memory of 2648	2436	MicrosoftEdgeCP.exe	79
PID 2436 wrote to memory of 2648	2436	MicrosoftEdgeCP.exe	79
PID 2436 wrote to memory of 2648	2436	MicrosoftEdgeCP.exe	79
PID 2436 wrote to memory of 3768	2436	MicrosoftEdgeCP.exe	81
PID 2436 wrote to memory of 3768	2436	MicrosoftEdgeCP.exe	81
PID 2436 wrote to memory of 3768	2436	MicrosoftEdgeCP.exe	81
PID 2436 wrote to memory of 3768	2436	MicrosoftEdgeCP.exe	81
PID 2436 wrote to memory of 3768	2436	MicrosoftEdgeCP.exe	81
PID 2436 wrote to memory of 3768	2436	MicrosoftEdgeCP.exe	81
PID 2436 wrote to memory of 3768	2436	MicrosoftEdgeCP.exe	81
PID 2436 wrote to memory of 3768	2436	MicrosoftEdgeCP.exe	81
PID 2436 wrote to memory of 3768	2436	MicrosoftEdgeCP.exe	81
PID 2436 wrote to memory of 3768	2436	MicrosoftEdgeCP.exe	81
PID 2436 wrote to memory of 3768	2436	MicrosoftEdgeCP.exe	81
PID 2436 wrote to memory of 3768	2436	MicrosoftEdgeCP.exe	81
PID 2436 wrote to memory of 3768	2436	MicrosoftEdgeCP.exe	81
PID 2436 wrote to memory of 3768	2436	MicrosoftEdgeCP.exe	81
PID 2436 wrote to memory of 3768	2436	MicrosoftEdgeCP.exe	81
PID 2436 wrote to memory of 3768	2436	MicrosoftEdgeCP.exe	81
PID 2436 wrote to memory of 3768	2436	MicrosoftEdgeCP.exe	81
PID 1464 wrote to memory of 1580	1464	Solara X.exe	89
PID 1464 wrote to memory of 1580	1464	Solara X.exe	89
PID 1464 wrote to memory of 1580	1464	Solara X.exe	89
PID 1464 wrote to memory of 1580	1464	Solara X.exe	89
PID 1464 wrote to memory of 1580	1464	Solara X.exe	89
PID 1464 wrote to memory of 1580	1464	Solara X.exe	89
PID 1464 wrote to memory of 1580	1464	Solara X.exe	89
PID 1464 wrote to memory of 1580	1464	Solara X.exe	89
PID 6024 wrote to memory of 2288	6024	Solara X.exe	93
PID 6024 wrote to memory of 2288	6024	Solara X.exe	93
PID 6024 wrote to memory of 2288	6024	Solara X.exe	93
PID 5824 wrote to memory of 4144	5824	Solara X.exe	96
PID 5824 wrote to memory of 4144	5824	Solara X.exe	96
PID 5824 wrote to memory of 4144	5824	Solara X.exe	96
PID 4044 wrote to memory of 5240	4044	Solara X.exe	98
PID 4044 wrote to memory of 5240	4044	Solara X.exe	98
PID 4044 wrote to memory of 5240	4044	Solara X.exe	98
PID 4044 wrote to memory of 5240	4044	Solara X.exe	98
PID 4044 wrote to memory of 5240	4044	Solara X.exe	98
PID 4044 wrote to memory of 5240	4044	Solara X.exe	98
PID 4044 wrote to memory of 5240	4044	Solara X.exe	98
PID 4044 wrote to memory of 5240	4044	Solara X.exe	98
PID 5328 wrote to memory of 5200	5328	pcwrun.exe	101
PID 5328 wrote to memory of 5200	5328	pcwrun.exe	101
PID 5848 wrote to memory of 1424	5848	sdiagnhost.exe	104
PID 5848 wrote to memory of 1424	5848	sdiagnhost.exe	104

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\LaunchWinApp.exe
"C:\Windows\system32\LaunchWinApp.exe" "C:\Users\Admin\AppData\Local\Temp\file.html"
1⤵
PID:1104

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:772

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- NTFS ADS
PID:1512

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2436

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4324

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3884

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1316

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:2648

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4120

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:3768

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5744

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1104

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\README.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2616

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\SolaraBETA3\Solara X.exe
"C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\SolaraBETA3\Solara X.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1464
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1580

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\SolaraBETA3\Solara X.exe
"C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\SolaraBETA3\Solara X.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:6024
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:2288

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\SolaraBETA3\Solara X.exe
"C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\SolaraBETA3\Solara X.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5824
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
  2⤵
  PID:4144

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\SolaraBETA3\Solara X.exe
"C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\SolaraBETA3\Solara X.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5240

C:\Windows\system32\pcwrun.exe
C:\Windows\system32\pcwrun.exe "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\SolaraBETA3\Solara X.exe" ContextMenu
1⤵
- Suspicious use of WriteProcessMemory
PID:5328
- C:\Windows\System32\msdt.exe
  C:\Windows\System32\msdt.exe -path C:\Windows\diagnostics\index\PCWDiagnostic.xml -af C:\Users\Admin\AppData\Local\Temp\PCW57F.xml /skip TRUE
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:5200
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\pcwutl.dll,LaunchApplication "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\SolaraBETA3\Solara X.exe"
    3⤵
    PID:5336
  - - C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\SolaraBETA3\Solara X.exe
      "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\SolaraBETA3\Solara X.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:5456
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5516
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\pcwutl.dll,LaunchApplication "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\SolaraBETA3\Solara X.exe"
    3⤵
    PID:5700
  - - C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\SolaraBETA3\Solara X.exe
      "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\SolaraBETA3\Solara X.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:4912
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:308

C:\Windows\System32\sdiagnhost.exe
C:\Windows\System32\sdiagnhost.exe -Embedding
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5848
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vewnv53a\vewnv53a.cmdline"
  2⤵
  PID:1424
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9C5.tmp" "c:\Users\Admin\AppData\Local\Temp\vewnv53a\CSCBD1EFE336C564D76AF758B5C6485A8BF.TMP"
    3⤵
    PID:1880
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\f0txulbo\f0txulbo.cmdline"
  2⤵
  PID:3888
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA23.tmp" "c:\Users\Admin\AppData\Local\Temp\f0txulbo\CSC19D7B42DB665429AA08B45395B434A3E.TMP"
    3⤵
    PID:3672
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4svuwjip\4svuwjip.cmdline"
  2⤵
  PID:2424
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2702.tmp" "c:\Users\Admin\AppData\Local\Temp\4svuwjip\CSCED5214BAADF245D288EE89674FB3AFA6.TMP"
    3⤵
    PID:4832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

Filesize
471B

MD5
ce6287062bdbf9277dfea6d59c3ab3ee

SHA1
4e845ab9dd4ab9828c54cc9ee4dddaca7cf4f190

SHA256
ff72623896d73920c4a56470fc13112f0e08996d0827b009036293181e9e878e

SHA512
7b603015eec603a0ebbf6e073f6861f11b1d2ac2ee50c1b70df54b0714c7896bfdd707138ac6d2574dc54eb1033babc15724f93537aa5ba35111d330ffdb30d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

Filesize
400B

MD5
7636554ef82326e4df8c12dc362afae1

SHA1
7e805e1171ef04f64d1770775aa92a41bf196442

SHA256
a91deb33e928f21580a58b61fe52f2d18ada99e71b9038a2a741b6537b04db30

SHA512
df667fa824da7436aaadf2a7b2623d21348869ac74c4b54b82a6e5f69dd78ac962d782a539c33faf636d1e598b85cee1e48d31329a8f2c7fe522d1837335d99c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OHP8MVFQ\edgecompatviewlist[1].xml

Filesize
74KB

MD5
d4fc49dc14f63895d997fa4940f24378

SHA1
3efb1437a7c5e46034147cbbc8db017c69d02c31

SHA256
853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1

SHA512
cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\B79YV4MX\gtm[1].js

Filesize
279KB

MD5
a4faa1f49ac6bce1f1ce7d413b59d82e

SHA1
b684b4ce1c166031a1d75aad859fac88854232e2

SHA256
9b691c7d890e7de553a8e071b68a50753cb15e35ef65ab29a30488ad0e3116b7

SHA512
3ebc043545750d90ba902a0044f14760c81f403a6ff9dc50f91a65f24695b15e3514c7d0418726345675571a920ee2dbf708918549bb9398e221eed8a75bfdc2

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\B79YV4MX\js[1].js

Filesize
326KB

MD5
2592d01c270998951d57813b4f503806

SHA1
967b9247f3ce4370da53dfd9e3a0f21685824aa5

SHA256
3df758f935d683b3a64cc75cf1085ad29e0b54586ed412aa5c5ca431679cb8aa

SHA512
6f812a278fe9e74233271de792ba977adff51dbb4d90fe44a54ab2d974968380f5529b67ce76c10c171332f519e5719d4c52ee17f54da35bae3fae3b71cc9c88

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\OBSNECGT\analytics[1].js

Filesize
51KB

MD5
575b5480531da4d14e7453e2016fe0bc

SHA1
e5c5f3134fe29e60b591c87ea85951f0aea36ee1

SHA256
de36e50194320a7d3ef1ace9bd34a875a8bd458b253c061979dd628e9bf49afd

SHA512
174e48f4fb2a7e7a0be1e16564f9ed2d0bbcc8b4af18cb89ad49cf42b1c3894c8f8e29ce673bc5d9bc8552f88d1d47294ee0e216402566a3f446f04aca24857a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\XE1E4J7Q\amplitude-8.5.0-min.gz[1].js

Filesize
67KB

MD5
c43d9f000a09bd500ed8728606a09de3

SHA1
36ad6b0fa2c6bcd116fb642f25789fc2d08a68e6

SHA256
2450e5580136f94bda7ccf95e3167b57e15b05b513a430967943a50036fa47a4

SHA512
802af189282aff84b1262a54e59463bdb9b07ec6d1dbf20fa26712b3e19a2212f1a31f2a2d4dd620d7d1313ceff43dc4272f51a7a2407296bf6d57c11e38801b

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\XE1E4J7Q\js[1].js

Filesize
190KB

MD5
ef132dd29658acc363aa0dbc30b030b6

SHA1
87212e6595e9c0414567f33cc29b0f82db10b136

SHA256
b18e8b69a358cab708bf88e1f15697c8b0218ff1d36ee62d73a6306c16fd5b58

SHA512
9b34139ab314047d4d9912d92604cdd20da58a0a6dfe8677395df1fa83e198df5a155f1780a430d0465434f4321fd7720f04d6427a203991894c163753bd3d37

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\CCA37P9E\www.mediafire[1].xml

Filesize
13B

MD5
c1ddea3ef6bbef3e7060a1a9ad89e4c5

SHA1
35e3224fcbd3e1af306f2b6a2c6bbea9b0867966

SHA256
b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db

SHA512
6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\CCA37P9E\www.mediafire[1].xml

Filesize
1KB

MD5
f25fe044c6c73baf84e82d62e2929a44

SHA1
4968ae27e3a739b60c537628c46415f72042ed67

SHA256
186d435eb12ce6866f09e6f19539cfd303eab21e1918cffe09fe604ce685144d

SHA512
1619a291fe9de5ec1e2183da7f2ed626e521794467bcbe42f6bfa4554a2924abaf6f5ca4ca694de168c91f94ec986ff20f8fca126ad9c9af6aa9244a3e26085f

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\User\Default\DOMStore\UTWIL3BU\www.bing[1].xml

Filesize
1KB

MD5
ecf932db0f26775550319bfff67d4212

SHA1
4eedc44879ed57676e2e9e7cd6440802f219f799

SHA256
cecba5f8bbd06de674f558ee48e2461454a03aa050ce4f6c11165b7fa8b11246

SHA512
198cd3b2c6e9078240aec8202505392fa3153b1196dbb183679dfc382e11916bc8d026e2b6483567c7e6980c4837a1915ccbc5dde1d193b208bc21035e6e9e37

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Filesize
4KB

MD5
1bfe591a4fe3d91b03cdf26eaacd8f89

SHA1
719c37c320f518ac168c86723724891950911cea

SHA256
9cf94355051bf0f4a45724ca20d1cc02f76371b963ab7d1e38bd8997737b13d8

SHA512
02f88da4b610678c31664609bcfa9d61db8d0b0617649981af948f670f41a6207b4ec19fecce7385a24e0c609cbbf3f2b79a8acaf09a03c2c432cc4dce75e9db

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\9M9T45F2\03af7a_4ac61866f8434d73a033c314b1f98b2d~mv2[1].png

Filesize
9KB

MD5
a311778b6bc11f2aa697d36d19c0bfb3

SHA1
1e3bc48782d01cfa15b0caf4ad572b8039a89a85

SHA256
f492f1162ee415d7aeb93987c6189d80f59a9c0d9dbf5e4c0ea77a3725715675

SHA512
4b528a61102614d1f76a258d26ab87eec485fd511ed89a0e3273f4d3edc7243aaf2456c02526dd343dc4ca1272239d8270f44fee8330ac1567b1860106f89769

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\GMNU7XNC\favicon[1].ico

Filesize
10KB

MD5
a301c91c118c9e041739ad0c85dfe8c5

SHA1
039962373b35960ef2bb5fbbe3856c0859306bf7

SHA256
cdc78cc8b2994712a041a2a4cb02f488afbab00981771bdd3a8036c2dddf540f

SHA512
3a5a2801e0556c96574d8ab5782fc5eab0be2af7003162da819ac99e0737c8876c0db7b42bb7c149c4f4d9cfe61d2878ff1945017708f5f7254071f342a6880a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\XVE1R4VQ\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\ImageStore\wdvqtnv\imagestore.dat

Filesize
29KB

MD5
27ccf59e6ed21ab6c139d36cfcb36163

SHA1
8b7842197fdc11786eefe101eabc02ac33ac4820

SHA256
59c43c13b9ab1671fba6bf130a77b7dc52be0395e1ebdd565a0727bcdaa5bc32

SHA512
47feb3ae717803bba973d983ba94d3cfc2a0b2f678710978fe2966dfb9667b30df097d19b47a6a9d3451f91fcd79b8423d607bcac352fba9d4a20775ed97fa41

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\S0lara_ByfronBypassV2.0.zip.w3g2uut.partial

Filesize
8.9MB

MD5
6228f5ec64b54bdf6e28f50b1fa3b4af

SHA1
fd7265cd9c382840ebccf64272d51e35a0a35fb1

SHA256
c6b02c7dfc2c2fb759ec72f5abe503fc0b57673ddf2bf9c831bb281eb766dd93

SHA512
3698e0a03a3431d37c3446b2b972ed26b2d6d382b15c5141f92fae9f3dbf8937a362c3126365b8d09335e0b71c6e7ce6535ba21449ecb088d6529cc5f1996e93

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\SolaraBETA3\workspace\.tests\isfile.txt

Filesize
7B

MD5
260ca9dd8a4577fc00b7bd5810298076

SHA1
53a5687cb26dc41f2ab4033e97e13adefd3740d6

SHA256
aee408847d35e44e99430f0979c3357b85fe8dbb4535a494301198adbee85f27

SHA512
51e85deb51c2b909a21ec5b8e83b1cb28da258b1be227620105a345a2bd4c6aea549cd5429670f2df33324667b9f623a420b3a0bdbbd03ad48602211e75478a7

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\IP0IIMCI\S0lara_ByfronBypassV2.0[1].zip

Filesize
32KB

MD5
a91657714a663c6bbf88dfd84e5cfc82

SHA1
c14baf10c9b25d752f4d22d8003b68c13dceb86d

SHA256
d53a66ec6afd2e4c5262e704914ebceb0d918ffe640d8a52704858adc79c726a

SHA512
63eab4bf6f8c5e27fef77c89ba141688f30f41c40be6a4dd34f42edf70bdd29b51e4dc39eb15ea14d6add746d4f2736454f4089301c36608bc06a59e23284694

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
a26045c60badc3ea12344117b7bc4403

SHA1
e042d0cb3844ca44869d5e01a2e427144b458556

SHA256
69872c2a3c0bdca24598431943ea06f46d2a28bee615698ae09ba335b1cfa925

SHA512
7b0e7562480066d929e4dce2201ced8be9e7d309d28ada04d7779a9ab232ee4bf5a8ba89317865eb382250f8f529c0c0b95d8eb80cff800e595280f2f395d7bb

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
13b1483b36e39bb41a433fabf1d236b3

SHA1
46ef0c2eed621912a70d0b7c94168a32d9a7e422

SHA256
8d729c0a1f4945f8e8924157bde29a5850a08cc9cfa66d59171465dae0f1a707

SHA512
23b8129f466c662fa36d0d927cf5a04957532433a7370f764192a6bb470d9d7bb72b65d6f59bd1eb3b2a816f3f0f64f0429943de22d94fb3005707d28abf64dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\PCW57F.xml

Filesize
880B

MD5
3616dceb5f38e4586842b5b27235bd2e

SHA1
2da9df4c224f01bf792851b6185a6ac63aa54d28

SHA256
cd13b1c0aa2da0a09fafd690d1d7f33c6dc9396b219411ad7bede533a0644c1e

SHA512
98bd585dfad054ae4a5f1b674685ecb0cdab4e3fcd7e20eae2fb6157f0e5126f17fad15452e4aa0d6a32c4b212fadd48be0f9d983ad257e755cbdee5916ad967

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9C5.tmp

Filesize
1KB

MD5
d91683c39a7630b41cb1f0fb98aa70ac

SHA1
6626dac54f0fb5c7f98394175404d913530475cb

SHA256
dc8a1b90f5fcfce7a7211b4bd03e8782bf6c6d5478308e5eb385d085aca60fca

SHA512
0476e9430b73c6c3120991189b4877e0a4ff6fecdd8d9d9d2b72b4ae2f0f14379b874e9a1ead242006efc864b9b842bd295fa3ff6fa9d386532b1d2687a292e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA23.tmp

Filesize
1KB

MD5
cc6b136111a830cad6176b919f1494c5

SHA1
082cf6f7be2fd80b0ca2ddfa4827283be699bf32

SHA256
28634b9c83c830b87472b7d3d94e7e85c2d80999806587649b7011f2885de3e3

SHA512
952131b703d10b3396370bd3293ee31a6ab4ae1b11ed200c65085361f7204ecddbd0cf37097c49d704b16ead8996fef47c82e0007b32876b0c78e8bf17e9bbec

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yc3fakdb.2dg.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\f0txulbo\f0txulbo.dll

Filesize
3KB

MD5
6de755c015697f7e2a24edce70ad5bd1

SHA1
9f5113cd2d7b3d993e46c7602cd1acb9ec161505

SHA256
a8f1fef44913822a485cbfb7997128e2a1ea9402d15475347139e218e8693384

SHA512
e88b261b96a7f35fa23bfc004a191636e077eada6f0c6e376f27da9b471d2034d9d62a63d8797bf89fc92289864d93f72a66a5c1a30001f066f09de8c9f9c2a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vewnv53a\vewnv53a.dll

Filesize
5KB

MD5
44387d02ea0da0684554204a77773590

SHA1
434dc9b2b8cf7048d8037d96c67f8c3c2f961e08

SHA256
1803c9b837986d83569049eefd5bc1b5cf8344fbd37973a59ed739ad3d1e50a1

SHA512
a44e8d115bd6a037e1a79018b5e8e7e27ee861f425ccbb096c997b1a97d805266561fdc4c7a4bf7b1e9eaf6386137c02c8f15169fc3d747a8c30f699edb68843

Download Submit
C:\Windows\TEMP\SDIAG_a5cf7ceb-a703-436d-b251-c47f64ecd6b2\RS_ProgramCompatibilityWizard.ps1

Filesize
41KB

MD5
a49550a947238f4e23a81f8c765da712

SHA1
0c3daf73301d87c958d7f4f840bf060d87312d8d

SHA256
baf71bcc730ab740670653283eb97a6991af6d52bc82ad83dcc66e9ce9a9dd68

SHA512
3f0cb6e664bd7a998f81b783abaf37dc68ea55360ab021611c2336999b4b61bf6797ba9c427ad93b60c6382cb016c2f8474bc3fce0af85c823583be1d3013f02

Download Submit
C:\Windows\TEMP\SDIAG_a5cf7ceb-a703-436d-b251-c47f64ecd6b2\TS_ProgramCompatibilityWizard.ps1

Filesize
16KB

MD5
2c245de268793272c235165679bf2a22

SHA1
5f31f80468f992b84e491c9ac752f7ac286e3175

SHA256
4a6e9f400c72abc5b00d8b67ea36c06e3bc43ba9468fe748aebd704947ba66a0

SHA512
aaecb935c9b4c27021977f211441ff76c71ba9740035ec439e9477ae707109ca5247ea776e2e65159dcc500b0b4324f3733e1dfb05cef10a39bb11776f74f03c

Download Submit
C:\Windows\TEMP\SDIAG_a5cf7ceb-a703-436d-b251-c47f64ecd6b2\en-US\CL_LocalizationData.psd1

Filesize
6KB

MD5
5202c2aaa0bbfbcbdc51e271e059b066

SHA1
3f6a9ffb0455edc6a7e4170b54def16fd6e09a28

SHA256
7fd5c0595d76d6dec1fcbace5bbcd8ff531d5acf97e53234c0008ff5a89d20e2

SHA512
77500b97fcd6fe985962f8430f97627fedcf5af72d73d5e2b03e130bca1b6b552971b569be5fca5c9ece75ab92c2e4be416d67a0f24d3830d9579e5f96103ac9

Download Submit
C:\Windows\Temp\SDIAG_a5cf7ceb-a703-436d-b251-c47f64ecd6b2\DiagPackage.dll

Filesize
65KB

MD5
e99b38cf7f4a92fc8b1075f5d573049d

SHA1
406004e7acd41b3a10daae89f886ef8b13b27c32

SHA256
812ebb05968818932d82e79422f6fd6c510fd1b14d20634e339c61faeb24b142

SHA512
5637e6e949c24dca3b607b4f8b5745e0bb557e746fc17eff1274af36d52d5d7576723f4cd055fcf8fcf9fd267254e6d7fbb53cc173a15d3dfd3cce2015ac757d

Download Submit
C:\Windows\Temp\SDIAG_a5cf7ceb-a703-436d-b251-c47f64ecd6b2\en-US\DiagPackage.dll.mui

Filesize
11KB

MD5
65e3646b166a1d5ab26f3ac69f3bf020

SHA1
4ef5e7d7e6b3571fc83622ee44102b2c3da937ff

SHA256
96425923a54215ca9cdbe488696be56e67980829913edb8b4c8205db0ba33760

SHA512
a3782bfa3baf4c8151883fe49a184f4b2cba77c215921b6ce334048aee721b5949e8832438a7a0d65df6b3cbd6a8232ab17a7ad293c5e48b04c29683b34ecee2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\f0txulbo\CSC19D7B42DB665429AA08B45395B434A3E.TMP

Filesize
652B

MD5
abc3cce62e9c2c6b1917351146a0338f

SHA1
9622e68cc96c81ac835098d85856a002d1f0671f

SHA256
b16ff5e9ffdada07f2d9be42764d341cc233d21548cf6461df03cfae6268c6c8

SHA512
ae04b9f97ae50b4294f7cd065111f90a5c6892dc5fd0e03e8b07cce05e7fd9e7ccaff9f6dac1bb3e7d73475f150223a6f4d85003926b485f00edf338fd5a7402

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\f0txulbo\f0txulbo.0.cs

Filesize
791B

MD5
3880de647b10555a534f34d5071fe461

SHA1
38b108ee6ea0f177b5dd52343e2ed74ca6134ca1

SHA256
f73390c091cd7e45dac07c22b26bf667054eacda31119513505390529744e15e

SHA512
2bf0a33982ade10ad49b368d313866677bca13074cd988e193b54ab0e1f507116d8218603b62b4e0561f481e8e7e72bdcda31259894552f1e3677627c12a9969

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\f0txulbo\f0txulbo.cmdline

Filesize
356B

MD5
41f9218f7d628f65bb51888f69029d4f

SHA1
3d2c2a265655c55bc8b104eddb29934b2cc4eda3

SHA256
e28b3d512c0e309559b6adeaaf22ce4ef34d57b11627ff148ca9cd62ebb8ded8

SHA512
1ccf6bd6ac69d37486ebccd7aee84bb82a6b42f57dae1e82b3e2a0f1669b44c4a690d7c16451c20b9e4415669dc01c204ca749444cf9f0831e0ee384425ee3e7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vewnv53a\CSCBD1EFE336C564D76AF758B5C6485A8BF.TMP

Filesize
652B

MD5
ee04e77118cf90855d8d987763c9ca9b

SHA1
ec75d5de3daf9d95a7c3394ee1f2ea75ba1a8d1e

SHA256
6acb71d1e144ba72d5381866ee141c73d138e8408491752b93fc6b911ea004e1

SHA512
0ede65b673585b26e45f03fb46635590317eb5df5c7bbdfecdd607a49a6c4309d25be5dd0d9e8d012fac9bb2f17c8a646dd18d922e5ec69b31f5aa889198a2b7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vewnv53a\vewnv53a.0.cs

Filesize
5KB

MD5
26294ce6366662ebde6319c51362d56c

SHA1
c571c0ffa13e644eed87523cbd445f4afb1983d1

SHA256
685699daafafa281093b5c368c4d92715949fc300b182d234e800e613be5d8dc

SHA512
bc91bb591368bc511ca5169b3c23cd69a163eeb77f0d7a083fe09cc6aa15d7044a24f95811fa1518f44368dffda6d346f44e1568e7a5373a6450a63ae31883ee

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vewnv53a\vewnv53a.cmdline

Filesize
356B

MD5
24447f292f8a9404e6d5db9c8da037ce

SHA1
031f44bbf8aeb32933776a43a39178f8c6ecb8ed

SHA256
f56a3167991188bf86eea7f23c8dd9f43cbb6457c070d6d5edadb084b70d4038

SHA512
2fbea6a13c9745b419945bfe29980f9422de99143b7826d518b0c58c59ecfbd1d80d529519517aa0ab58fa381f43af10781f1ef37b619ea213aacc2dc521834b

Download Submit
memory/772-0-0x0000022D7FC20000-0x0000022D7FC30000-memory.dmp

Filesize
64KB

Download
memory/772-16-0x0000022D7FD20000-0x0000022D7FD30000-memory.dmp

Filesize
64KB

Download
memory/772-35-0x0000022D042C0000-0x0000022D042C2000-memory.dmp

Filesize
8KB

Download
memory/1316-374-0x000001A7CC0D0000-0x000001A7CC0F0000-memory.dmp

Filesize
128KB

Download
memory/1316-369-0x000001A7CBCE0000-0x000001A7CBD00000-memory.dmp

Filesize
128KB

Download
memory/1316-319-0x000001A7BB500000-0x000001A7BB600000-memory.dmp

Filesize
1024KB

Download
memory/1580-1392-0x0000000008B90000-0x0000000008BDB000-memory.dmp

Filesize
300KB

Download
memory/1580-1385-0x0000000005EB0000-0x00000000063AE000-memory.dmp

Filesize
5.0MB

Download
memory/1580-1386-0x0000000005A50000-0x0000000005AE2000-memory.dmp

Filesize
584KB

Download
memory/1580-1387-0x00000000059F0000-0x00000000059FA000-memory.dmp

Filesize
40KB

Download
memory/1580-1388-0x0000000008F00000-0x0000000009506000-memory.dmp

Filesize
6.0MB

Download
memory/1580-1389-0x0000000008A80000-0x0000000008B8A000-memory.dmp

Filesize
1.0MB

Download
memory/1580-1390-0x00000000089C0000-0x00000000089D2000-memory.dmp

Filesize
72KB

Download
memory/1580-1391-0x0000000008A20000-0x0000000008A5E000-memory.dmp

Filesize
248KB

Download
memory/1580-1384-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1580-1393-0x0000000008D20000-0x0000000008D86000-memory.dmp

Filesize
408KB

Download
memory/1580-1394-0x0000000009690000-0x0000000009706000-memory.dmp

Filesize
472KB

Download
memory/1580-1395-0x0000000008ED0000-0x0000000008EEE000-memory.dmp

Filesize
120KB

Download
memory/1580-1396-0x0000000009FA0000-0x000000000A162000-memory.dmp

Filesize
1.8MB

Download
memory/1580-1397-0x000000000A6A0000-0x000000000ABCC000-memory.dmp

Filesize
5.2MB

Download
memory/2648-527-0x000001C049C00000-0x000001C049D00000-memory.dmp

Filesize
1024KB

Download
memory/2648-542-0x000001C85CDD0000-0x000001C85CDD2000-memory.dmp

Filesize
8KB

Download
memory/2648-540-0x000001C85CDB0000-0x000001C85CDB3000-memory.dmp

Filesize
12KB

Download
memory/3884-59-0x000001D032070000-0x000001D032072000-memory.dmp

Filesize
8KB

Download
memory/3884-282-0x000001D031E00000-0x000001D031E10000-memory.dmp

Filesize
64KB

Download
memory/3884-53-0x000001D031CF0000-0x000001D031CF2000-memory.dmp

Filesize
8KB

Download
memory/3884-295-0x000001D031E00000-0x000001D031E10000-memory.dmp

Filesize
64KB

Download
memory/3884-285-0x000001D031E00000-0x000001D031E10000-memory.dmp

Filesize
64KB

Download
memory/3884-50-0x000001D021A40000-0x000001D021B40000-memory.dmp

Filesize
1024KB

Download
memory/3884-61-0x000001D032590000-0x000001D032592000-memory.dmp

Filesize
8KB

Download
memory/3884-237-0x000001D033480000-0x000001D0334A0000-memory.dmp

Filesize
128KB

Download
memory/3884-274-0x000001D034300000-0x000001D034400000-memory.dmp

Filesize
1024KB

Download
memory/3884-273-0x000001D032CA0000-0x000001D032CC0000-memory.dmp

Filesize
128KB

Download
memory/3884-281-0x000001D031E00000-0x000001D031E10000-memory.dmp

Filesize
64KB

Download
memory/3884-56-0x000001D031F40000-0x000001D031F42000-memory.dmp

Filesize
8KB

Download
memory/3884-283-0x000001D031E00000-0x000001D031E10000-memory.dmp

Filesize
64KB

Download
memory/3884-284-0x000001D031E00000-0x000001D031E10000-memory.dmp

Filesize
64KB

Download
memory/4324-44-0x0000020FFAF00000-0x0000020FFB000000-memory.dmp

Filesize
1024KB

Download
memory/4324-43-0x0000020FFAF00000-0x0000020FFB000000-memory.dmp

Filesize
1024KB

Download
memory/5240-1408-0x0000000007F20000-0x0000000007F6B000-memory.dmp

Filesize
300KB

Download
memory/5848-1577-0x000001B4FCC10000-0x000001B4FCC18000-memory.dmp

Filesize
32KB

Download
memory/5848-1546-0x000001B4FCCD0000-0x000001B4FCD46000-memory.dmp

Filesize
472KB

Download
memory/5848-1543-0x000001B4FCC20000-0x000001B4FCC42000-memory.dmp

Filesize
136KB

Download
memory/5848-1591-0x000001B4FCC50000-0x000001B4FCC58000-memory.dmp

Filesize
32KB

Download
memory/5848-1618-0x000001B4FD0E0000-0x000001B4FD0E8000-memory.dmp

Filesize
32KB

Download