zgrat | hxxps://ryosx[.]cc/

Resubmissions

12-05-2024 14:59

240512-scrlfsbd7s 10

Analysis

max time kernel
375s
max time network
381s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
12-05-2024 14:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://ryosx.cc/

Score

10^/10

zgrat rat spyware

Malware Config

Signatures

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral1/memory/3664-991-0x0000000000400000-0x0000000000480000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Executes dropped EXE 3 IoCs

pid	Process
1828	Solara X.exe
4128	Solara X.exe
4552	Solara X.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
112	bitbucket.org
46	bitbucket.org
109	bitbucket.org
111	bitbucket.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4552 set thread context of 3664	4552	Solara X.exe	123

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2994005945-4089876968-1367784197-1000\{7C024FEB-FD8F-4A22-AED2-01E7771ACD67}	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\DisplayName = "Chrome Sandbox"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Children	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe\Children	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Moniker = "cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe"	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\S0lara_ByfronBypassV2.0.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1716	msedge.exe
1716	msedge.exe
1604	msedge.exe
1604	msedge.exe
1020	msedge.exe
1020	msedge.exe
2148	identity_helper.exe
2148	identity_helper.exe
3920	msedge.exe
3920	msedge.exe
3244	msedge.exe
5100	msedge.exe
5100	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
3664	MSBuild.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeRestorePrivilege	2768	7zG.exe
Token: 35	2768	7zG.exe
Token: SeSecurityPrivilege	2768	7zG.exe
Token: SeSecurityPrivilege	2768	7zG.exe
Token: SeRestorePrivilege	2976	7zG.exe
Token: 35	2976	7zG.exe
Token: SeSecurityPrivilege	2976	7zG.exe
Token: SeSecurityPrivilege	2976	7zG.exe
Token: SeDebugPrivilege	3664	MSBuild.exe
Token: SeBackupPrivilege	3664	MSBuild.exe
Token: SeSecurityPrivilege	3664	MSBuild.exe
Token: SeSecurityPrivilege	3664	MSBuild.exe
Token: SeSecurityPrivilege	3664	MSBuild.exe
Token: SeSecurityPrivilege	3664	MSBuild.exe

Suspicious use of FindShellTrayWindow 53 IoCs

pid	Process
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
2768	7zG.exe
2976	7zG.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1604 wrote to memory of 3704	1604	msedge.exe	81
PID 1604 wrote to memory of 3704	1604	msedge.exe	81
PID 1604 wrote to memory of 4176	1604	msedge.exe	82
PID 1604 wrote to memory of 4176	1604	msedge.exe	82
PID 1604 wrote to memory of 4176	1604	msedge.exe	82
PID 1604 wrote to memory of 4176	1604	msedge.exe	82
PID 1604 wrote to memory of 4176	1604	msedge.exe	82
PID 1604 wrote to memory of 4176	1604	msedge.exe	82
PID 1604 wrote to memory of 4176	1604	msedge.exe	82
PID 1604 wrote to memory of 4176	1604	msedge.exe	82
PID 1604 wrote to memory of 4176	1604	msedge.exe	82
PID 1604 wrote to memory of 4176	1604	msedge.exe	82
PID 1604 wrote to memory of 4176	1604	msedge.exe	82
PID 1604 wrote to memory of 4176	1604	msedge.exe	82
PID 1604 wrote to memory of 4176	1604	msedge.exe	82
PID 1604 wrote to memory of 4176	1604	msedge.exe	82
PID 1604 wrote to memory of 4176	1604	msedge.exe	82
PID 1604 wrote to memory of 4176	1604	msedge.exe	82
PID 1604 wrote to memory of 4176	1604	msedge.exe	82
PID 1604 wrote to memory of 4176	1604	msedge.exe	82
PID 1604 wrote to memory of 4176	1604	msedge.exe	82
PID 1604 wrote to memory of 4176	1604	msedge.exe	82
PID 1604 wrote to memory of 4176	1604	msedge.exe	82
PID 1604 wrote to memory of 4176	1604	msedge.exe	82
PID 1604 wrote to memory of 4176	1604	msedge.exe	82
PID 1604 wrote to memory of 4176	1604	msedge.exe	82
PID 1604 wrote to memory of 4176	1604	msedge.exe	82
PID 1604 wrote to memory of 4176	1604	msedge.exe	82
PID 1604 wrote to memory of 4176	1604	msedge.exe	82
PID 1604 wrote to memory of 4176	1604	msedge.exe	82
PID 1604 wrote to memory of 4176	1604	msedge.exe	82
PID 1604 wrote to memory of 4176	1604	msedge.exe	82
PID 1604 wrote to memory of 4176	1604	msedge.exe	82
PID 1604 wrote to memory of 4176	1604	msedge.exe	82
PID 1604 wrote to memory of 4176	1604	msedge.exe	82
PID 1604 wrote to memory of 4176	1604	msedge.exe	82
PID 1604 wrote to memory of 4176	1604	msedge.exe	82
PID 1604 wrote to memory of 4176	1604	msedge.exe	82
PID 1604 wrote to memory of 4176	1604	msedge.exe	82
PID 1604 wrote to memory of 4176	1604	msedge.exe	82
PID 1604 wrote to memory of 4176	1604	msedge.exe	82
PID 1604 wrote to memory of 4176	1604	msedge.exe	82
PID 1604 wrote to memory of 1716	1604	msedge.exe	83
PID 1604 wrote to memory of 1716	1604	msedge.exe	83
PID 1604 wrote to memory of 3560	1604	msedge.exe	84
PID 1604 wrote to memory of 3560	1604	msedge.exe	84
PID 1604 wrote to memory of 3560	1604	msedge.exe	84
PID 1604 wrote to memory of 3560	1604	msedge.exe	84
PID 1604 wrote to memory of 3560	1604	msedge.exe	84
PID 1604 wrote to memory of 3560	1604	msedge.exe	84
PID 1604 wrote to memory of 3560	1604	msedge.exe	84
PID 1604 wrote to memory of 3560	1604	msedge.exe	84
PID 1604 wrote to memory of 3560	1604	msedge.exe	84
PID 1604 wrote to memory of 3560	1604	msedge.exe	84
PID 1604 wrote to memory of 3560	1604	msedge.exe	84
PID 1604 wrote to memory of 3560	1604	msedge.exe	84
PID 1604 wrote to memory of 3560	1604	msedge.exe	84
PID 1604 wrote to memory of 3560	1604	msedge.exe	84
PID 1604 wrote to memory of 3560	1604	msedge.exe	84
PID 1604 wrote to memory of 3560	1604	msedge.exe	84
PID 1604 wrote to memory of 3560	1604	msedge.exe	84
PID 1604 wrote to memory of 3560	1604	msedge.exe	84
PID 1604 wrote to memory of 3560	1604	msedge.exe	84
PID 1604 wrote to memory of 3560	1604	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://ryosx.cc/
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc25de3cb8,0x7ffc25de3cc8,0x7ffc25de3cd8
  2⤵
  PID:3704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1948,1462438900304306235,17377272834011349287,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1960 /prefetch:2
  2⤵
  PID:4176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1948,1462438900304306235,17377272834011349287,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2416 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1948,1462438900304306235,17377272834011349287,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:8
  2⤵
  PID:3560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,1462438900304306235,17377272834011349287,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:3016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,1462438900304306235,17377272834011349287,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:4224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1948,1462438900304306235,17377272834011349287,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4744 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1020
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1948,1462438900304306235,17377272834011349287,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5344 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,1462438900304306235,17377272834011349287,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3960 /prefetch:1
  2⤵
  PID:3708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,1462438900304306235,17377272834011349287,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1
  2⤵
  PID:1444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,1462438900304306235,17377272834011349287,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6152 /prefetch:1
  2⤵
  PID:2152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,1462438900304306235,17377272834011349287,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6612 /prefetch:1
  2⤵
  PID:3800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,1462438900304306235,17377272834011349287,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6632 /prefetch:1
  2⤵
  PID:1564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,1462438900304306235,17377272834011349287,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:1
  2⤵
  PID:1980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,1462438900304306235,17377272834011349287,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6256 /prefetch:1
  2⤵
  PID:2860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1948,1462438900304306235,17377272834011349287,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6428 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,1462438900304306235,17377272834011349287,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6728 /prefetch:1
  2⤵
  PID:3456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,1462438900304306235,17377272834011349287,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6936 /prefetch:1
  2⤵
  PID:3596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,1462438900304306235,17377272834011349287,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7080 /prefetch:1
  2⤵
  PID:3700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,1462438900304306235,17377272834011349287,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1
  2⤵
  PID:3584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,1462438900304306235,17377272834011349287,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6300 /prefetch:1
  2⤵
  PID:4836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=media.mojom.MediaService --field-trial-handle=1948,1462438900304306235,17377272834011349287,131072 --lang=en-US --service-sandbox-type=mf_cdm --mojo-platform-channel-handle=6872 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1948,1462438900304306235,17377272834011349287,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4736 /prefetch:8
  2⤵
  PID:4504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1948,1462438900304306235,17377272834011349287,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=7196 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:5100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1948,1462438900304306235,17377272834011349287,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1356 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,1462438900304306235,17377272834011349287,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7408 /prefetch:1
  2⤵
  PID:5100

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2916

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4084

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2900

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3108

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\S0lara_ByfronBypassV2.0\" -spe -an -ai#7zMap3868:108:7zEvent26090
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2768

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\S0lara_ByfronBypassV2.0\SolaraV2\" -spe -an -ai#7zMap15645:126:7zEvent8301
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2976

C:\Users\Admin\Downloads\S0lara_ByfronBypassV2.0\SolaraV2\SolaraBETA3\Solara X.exe
"C:\Users\Admin\Downloads\S0lara_ByfronBypassV2.0\SolaraV2\SolaraBETA3\Solara X.exe"
1⤵
- Executes dropped EXE
PID:1828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:1596

C:\Users\Admin\Downloads\S0lara_ByfronBypassV2.0\SolaraV2\SolaraBETA3\Solara X.exe
"C:\Users\Admin\Downloads\S0lara_ByfronBypassV2.0\SolaraV2\SolaraBETA3\Solara X.exe"
1⤵
- Executes dropped EXE
PID:4128
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:2868

C:\Users\Admin\Downloads\S0lara_ByfronBypassV2.0\SolaraV2\SolaraBETA3\Solara X.exe
"C:\Users\Admin\Downloads\S0lara_ByfronBypassV2.0\SolaraV2\SolaraBETA3\Solara X.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4552
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

Filesize
471B

MD5
ce6287062bdbf9277dfea6d59c3ab3ee

SHA1
4e845ab9dd4ab9828c54cc9ee4dddaca7cf4f190

SHA256
ff72623896d73920c4a56470fc13112f0e08996d0827b009036293181e9e878e

SHA512
7b603015eec603a0ebbf6e073f6861f11b1d2ac2ee50c1b70df54b0714c7896bfdd707138ac6d2574dc54eb1033babc15724f93537aa5ba35111d330ffdb30d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

Filesize
400B

MD5
f1c4bbc0c7ae17f6a15f4d78e28ec83c

SHA1
950195582d90789078bca223c114c605ffb18c48

SHA256
3247a2daad180f843d0dda5734bc1cb4897e18886c00bf3cb2998460baff3f59

SHA512
254923fa5e604622aea0d80000d5a79c8c3ac9b57286c248d34c8a1f12e13abd3dc75eb3225f6d1edc935afefa3c6d7eca40db29c06781bbf03630e07bd0de4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5e027def9b55f3d49cde9fb82beba238

SHA1
64baabd8454c210162cbc3a90d6a2daaf87d856a

SHA256
9816e980b04f1fe7efaa4b9c83ff6a0fdd485ee65a884c001b43a0cad7c39d83

SHA512
a315e1336c5ec70cbb002969e539068ba92f3ec681b6d863db95227fd1808a778fd994e2fb03f28f0e401677aa5f7c66813e315b6b99a5065384c49586f9782e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0c5042350ee7871ccbfdc856bde96f3f

SHA1
90222f176bc96ec17d1bdad2d31bc994c000900c

SHA256
b8b1cb139d4d19a85adce0152fa3c4f6adfb73a322d7253820e848c6f82afc1b

SHA512
2efdb535fa6a06c4f9702b2129f2dd07c330e37fd10b492f2236007c660c1707773c22005d1e1fa580dbf633dc1a700ada3b7b611ef9accd9555a17a244f61ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

Filesize
86KB

MD5
862b6033dc6723bda6b54609820b9b3f

SHA1
64881c76d084f2ff93cefdc4e0d829b03861f696

SHA256
decf0a34519cf25f9e3f2e3fd6c15a5e52f4f550541a151121e9a5bee5d9220b

SHA512
695c1d1e1a682851b5a3eb52e8be1563a5d2a26d7925db8fd8aec8b0eab0ffa1cdeb18c4c4abb0660c71a3cbd6939d04ebe5fbe47a27a69c52d4151520d520bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000025

Filesize
49KB

MD5
20980bab135f476d48a3f69148762f28

SHA1
75394cf4059ccf01a554278c554a5610dcb9b73e

SHA256
e4219e58333dbb133997b1fa9b51e906b464190beb8d206f0f39f1db909f95f4

SHA512
ab291427fb1da8b8e6b47018d18de6b9267bceec59fea507cae5c43203e4099530e3a17a12d6840a231f9f5b3539dcf5a480573d61ddea14450dd48ba4caaf6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
5e0e95023ae4ec4b2264e52303a1fd0a

SHA1
123e2c61eef46ae0e4a9217f101c4e770f857b16

SHA256
1797c0f83671c66c1938d8abb2198fd924c77abe63fb2cd273f35ed5fea55229

SHA512
9586b359b022a67430b11de566154ab838d4b17bc4b61fa65dcb78f42d7e241e073386e4eb44897bd9156355b25c4b7f546671fc06820f98adadf037d479057e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
1b0bc0e1e743cebe4642fda8dcce1169

SHA1
8c65ba2ef66807fc1aff2fd6d963c57a4f109331

SHA256
613b8db7643ea179891fccb6cd75989a1fa80360b1c98fabaf7af15e3e57260d

SHA512
7071fae3f70c41efa94ff0bc8fc21ff24ec43051ee5355a31b5e61ca7c2a66b1341402a3a80214ffcf5558c83c07369b3537c651ae9fef9535b1ae67f0eaf2e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
d2e2950fe374327d04e56e5ac9f49a4e

SHA1
9981e53aa9383127c901920e9324e17a5b84c600

SHA256
b107962c6b3870c9ec8e8c63ff1175c2d152239f0c6e6ddf48c60cc68009d90e

SHA512
d84e6161564cbb20b001f9bf7fa3e407a0cf5e3a1f86ad24e92b103ffa5d024c7464d0eb05e7e8a04831dc164d4b32c3c0f893b6e88428af2d8a11f02b0f722f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
fc67c20fe392ca7bcd7efbe56883b7c4

SHA1
e349a2bfb10562ff7924bed94452882964c5c784

SHA256
48f401f79808c14233ddda3e40639263c8b1fcb15eedf687d505c9cf055ab675

SHA512
4d38b8b85f29f31c8f2a7567d341fd1dae8de596ee4693249cf1735333a63136b60b23189345356bf8f76159a49d23ca3a717588014c0a8468c8452f6fbdfe6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data

Filesize
46KB

MD5
ce29890bb13bbe585106c497276a9e7b

SHA1
16fe1a17c26173726047a672e12c00573814d31d

SHA256
1beb2b12f1225bffa7e0cf85356adff45558c47f0a046b96671771b57c3196cc

SHA512
d16ac4b9064ad757b962c94d6221d594a103adafa747657082b658e05cdf5b72d30aa567014e8d76af8412a25f8d23f5ca14a99aec7884a6529b45f74a01c101

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
6KB

MD5
de559d402a5ca67cab5c7e6615a6d190

SHA1
6c588b61ff441e18df4f82fabe4a9d2a49b6f7e6

SHA256
ec27ed2b5ceacd8e8606bcf46ae93beca11e5fd9f0f2b77e14981d7b35502a38

SHA512
19b04c48acd70225df669c797dd02e3a4c0d128235dfb39861cf8b8094fcb44baae62c9d14ee344f160e1054d689230fe4a7c96439d71bec26910fe7496b12b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7d1e9dd08ae50fb7156237fc4d6b1c6f

SHA1
16d930f62e13fc51886e953d7568fe29802b6cf9

SHA256
16979a2a2deb5e9552b6a596e61103e74831f2a4b356944ea406f95e2a489ef2

SHA512
e7773f6937d9cbf966def8aea27d9ddfaf67d6a3425428067a06d178cf652fb6a96f92dc22340ddf45169676871800451a8a074de0ace3c27aa0ce5589b57d72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
d46bbfa5824779456f7500348f14c83b

SHA1
1765684ec34648197dc32e87468288836d317c33

SHA256
2af24bbb44ecf3f142251ad4ba03215dcf986d920914e30739a921b4c53a79f8

SHA512
601fbc1b2b82df80d83be5563de05046e253caf5519b4de11de2e7f64919ad474fe0c02d48998a80cf51eb0123ce513acf5340ba82a4c14ddf08eb7f29e7c032

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
08032259f8d037132c7b56b5468c478c

SHA1
9ed8368da74f7195f7d350ccd7ad7df0c6111dbf

SHA256
18b6318aa8426a9620f3b5eddb1e5f5a0be1e5e32f0038f330af560cd0598fa2

SHA512
76e0cc1db08f46601d5a2046251aba616467ea4a6475d249991ce15bbe08d8da96f74420bb4f6342cd58db02e55f75ec24902a96c9723191fa902130770db48c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
cd5c37d42471bcf47af37d73515e3e23

SHA1
21f7729d3f7b04221d783acd8425c024a3cfc2ab

SHA256
95ec0f3617f6f058c5199b58787514791752438f3f3b77f875a29bacac90499f

SHA512
ed57c4ab0bebdaac4d74cebee01e716e1d83904521fe68fdb8e8f20aa11da418b2ac77842054eb05bc801f98d2062fdd053eb2ff64f4f1fe9d8c6299cd003b97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
8693865de827aea4c6289829f6ba18f7

SHA1
94196a127ad1f4a26b16c5a902215c5c7a79b8ae

SHA256
11c54fb3cba6e8ce51d5c991560da9574a19455941300115cccf726fc531982f

SHA512
f881abfd4379f38fc8f3de79be6e524bc3fdc9a23ff45b0d0fba1ca7190732f046a0ad4e9a4b47d05d2229dad1479ea5ec605c1f7d3dff2f09ace0554cb1ad84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
670f201a72736782af076ac913301d4f

SHA1
0b1141acd2b55a1f892ef1e62f3fd34eedeec7e9

SHA256
f4fd9e99e0b935d19251daf73d375b1ff4382abf5c80520faecc57b3b5df5c7f

SHA512
2f6b588d6a9fa05d457947d95beb479d73fb9ad20d4914b019902763a3fd4db1138cf351cee1375464ddd294fe80ae3fa17456a0176fafa506d6681d1fbc7588

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
c7ee639faa4ce2dcde264cd8f76cf501

SHA1
267c28f052d3ad463ce85aeaf811e41a0119759f

SHA256
e2c3001ff61fab621219f8d0c3066f0008f3932aceb9b27c4d8e25887613b184

SHA512
5f18af876543ad6fbfbb71f5843ab9f7ac012f7de5e4c40ab21da60df198764a2ff236b02320fb4da4a2ed938affd06f7ebca6b0c78da6c6f4ac3233a308f805

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
1fe7d229c6956776d28f2cd70e05295d

SHA1
9f529f8b1e19f0c6331806f8049b37c1cc2c08e5

SHA256
3545e2cb74643e8b96a69952100946e77f579a14d28f490d6a4acfd81a3124fb

SHA512
9687412658f0bf2e32954c303d76490e5a2d7fa4a88dc80c2d0966b7e35bc3ac7adf4c36aeed41f74128cbd830b7ba9243c1cd3d57baec273b129894037aede1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
0ae43d0ae537c22695b269711999c282

SHA1
94bd271acfaed5908eebedb8e5adc0783d599026

SHA256
d4de8868bcd849b06bf5c692eb4b24e39af4593919bde768d42d8b77817910ea

SHA512
ea787e47d56ba5fc57484fc5adda2ed552eb1d0ceb812f97e8d5822c1c71aafc3f359f401f04dd9912c8ad935e24de2002d0b03dd5ff74e454942145278f4d81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
1745a5d1faeb8677968b64aa7f148b47

SHA1
4ab53fa90e8cbaca83488f65a51f3732555cb2a1

SHA256
f5559a8b39097278ceff80ff73839803759ded705e8cab241367923d427ebf56

SHA512
14472e5ab9fd93275ceadecd38aec6ce69e3d26bb69101a40c0655cd8e4f9c012aa45014cc83e2365053ebd07af908f592b13a2c43b61704106c81e8a88991ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
1b97595e0c205db3ef4d06846fd1d667

SHA1
18fc05e4e9c2a7aefd85a83793fa9d36b500f4ad

SHA256
763ec0c29e6a2bef1a4ba223881b71e7e2af66e5a98c24e4b5e61d40ac4d1d9c

SHA512
c0a56d13962084f366c5c0f8a0b94162cb8e610582576614cab230835551f93bf7333ea98fd1fe9cb9cef717912d29a2100c5e63f319f5f7b1626dbe3e1e8a65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
4b19e5115f91bdf7c815426a74e81809

SHA1
198749ca9ca33ea56cdf0c2d62142bd8ff8d4a9b

SHA256
957034c6f18e7c9defa43aa1a0207eafb1a9569cee193626ef951ef1048b0ec6

SHA512
b5575af25acf683e4bb71a960614cffa0cf0d3fc24ee41f8b1291a7407cd6512d4d67e17041c0b4ba8a404abf60daaaab04d53c1bdca798243ae8fd4dd7889df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
d6ea73b3c62fff77a5328aade6aceeaa

SHA1
ccec8efcc36558e7b70857387cda75d3da6a5b0e

SHA256
f2e5e2701d3de4a018238bf27964724c0e1f079b2bcd0e7f491b52fdb42c2247

SHA512
14c3a60c1f94fda3a6995412fdc0de7071f125cf519d544f5f9d0c2305bd138cfe7714754ac6abee98f0be7da4e9b93161babbd920675686e5b750362ea7fa2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
0bb1d1ea0f62094a64c5672fa35fe45f

SHA1
c4cf263b970808add6c403f39088df2a77218ef5

SHA256
ac67d45745bb1654cf634c9c747ab2ac5fdc0cc68c73d595923646f3cbfb5154

SHA512
9a0a6e4612b4d75b9f251bd2aa100a03cada8638ef2ad1676bd4a3165a9b5c6cb0fc3bfcbcfee96af692388397998c7ef19cc0178c9d087f09f96dbee4946163

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
9b3f6f976f1d97c6818639306ee6d6e4

SHA1
c24cea0c87c89c9de7b3a9a8617a439c2a0e0a1b

SHA256
105be19bbc36d93d376b2f8d400233bdb543f196b86cca79bb27f3f3863df58f

SHA512
ea011119347c59831523df2a80f65c2b239b49258c2c25089562dd9d26ffd1dbf2b02911a138a9402c2eb5703804d57c4ad045040cd8e961e6adaa76daf7cc24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
124fcd59872ee943c77707de6261992d

SHA1
d359e0cfa562698ccb9be333a8b3424408a1e020

SHA256
f606f63eb855417553eb888566ffe6be5e330ebdfb7ceefb0686cddf1e0f4a72

SHA512
4839978cc28c0bdf73452a9fc9d43af427fb138a9826bc10ae175cda0b74a7b5a204e3dd85b82b1a2322a1abae77a0dc0dfe12f33e56fa2a42dde4a0a4166bb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
87650f9914a396a59bd5af54af82c302

SHA1
554ded2e00eb7f7fc3f1b21db3ecb518a96ae4ff

SHA256
10d8cbcb8b38c13d2fdb47e8d309e58da7f0c65bb78f9310f4f8ae00bc4309d2

SHA512
789289975fdf40d54a24d023397ca75a1527fa6ec334b7748707699f36a8cdcf71795c690c654976da8725633f35102cad1df254414a130789ece48f97f4c904

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
de1f85547b9a11e4c3e5f4e28dd44f63

SHA1
56e759f017833a41027bfcaf328e611b5fa8478d

SHA256
8c9c000c9bc79e085bf601cee2319fa4ca0f84717c5c56988aa254977095ba2f

SHA512
f0c0f52432676c5abd3ebc573fe5b2f2c0af0c66f9e5b961d9c0fff7cabe09062fc67a25acaa786a3a66fca2dc997e752db94be5909b6a07fc4a8894d7a33e1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
fbaac125791570edbf9a88dca9b6e1ea

SHA1
e8726d567bdb782e462508f4ed70d19080fa51fc

SHA256
8fd313fa76a0d001e521ac27ba05c606795ee7d46c495aa9646d0a225ad8d110

SHA512
d2a84879f2fb79604b1d3d8bd5ee3bb2382f47b50312ed8597514b61df79fad61dde7caf978a2bd4310f9990ecea44bb4bc3f28c76915ed254404ec788f2db4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
5850e904952590961c52b25d56ed7fe8

SHA1
36b36dc43d6a76067e6f51580e8459d837784557

SHA256
5db707474c1a7029a94908dac4da5fd54f01036c0c05aa28ce6473485439b4d6

SHA512
31184fe5455a710d9a6e5111aad447fa8178d9bc1be5564edfe353f0f4addc264a62efbcdab1e190ad4a78436f62190c6767e205c167f06351f2f4ae30e1cab0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
b1d4e5afd8c650e57c588ddd8afddb10

SHA1
3c7c3aaf281473b207677d0e201da123da8d94af

SHA256
b64637dc37f2ff698767260d71c9c426091be247cff02f16c603625110c92d40

SHA512
dcbe531abfe73e178e2ad12258eb2473a9ee0e406479f979ed468017b759d7a444007c6a09509ead0ff779bb1e9392b781a93202b4a96e4a0ddf922fd89d7d56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
be1b7528cc7c99fe6360943fa24b7e96

SHA1
722e2d5665a33d50ef8d03077f384cc6e00ecfdf

SHA256
6a6e4a564d251d1d9c6e75697c3df152f5326aeb2e6b57d4d16decb72a59ebe8

SHA512
74d7d295c69899d79e816542678ae534cbd46612680401de276d6fbc0ec7554d78559742a5754f3b7b8748860025b788bfa9ee988eb9a26d67eed2afdcfd0fa7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
c3fe310fe47caa86be57d9a2551607f5

SHA1
dad2744a0c4f25db041647a45f3159bd590ee3cb

SHA256
6e845b1f19a3a15a2dbd85671f71a84baf344fdf9d3455f5c9491e60452851fb

SHA512
8b368a43be3f245197a2dee66abd1e9ad3f89527c993eaa4eba17b75fb0c7599bac4c6c9ce08acb996fd48f58f15e813b86423ed6da55d0e96786b3f5a384a8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
8b46a4d80359cbc4229b877b7cd6b346

SHA1
f0eae5b479889fdeab8de804c70197cc10a29ec6

SHA256
3578b15216591b173054409a3a0ec98cb3925dceb873314dbf992dae9bf0850e

SHA512
b49ba130a7cee0511fe7ac281a4512d24504c9f8532a054bad12e458dbf2a85803780e30d76535a4ce484ff536a993fc731fcfa9ab91cb190b2b7544a35c580f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57cd33.TMP

Filesize
873B

MD5
1288d5cc0fc979113b634fd269f80470

SHA1
339629e4ff44d5f05143cb11cc17653909866fd7

SHA256
7873661ec1604be1e7e117b57d222503d186f679561633e51256615a595503fe

SHA512
1f5c792b1074cfc8c71737f2ca90c6ea7321443d61fc49c8ff408e1df63872a0f5f08695d09903b28222e11a50a9baa893172366d8cd583571e43706e72817f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Filesize
112KB

MD5
1dcc262e7d2ca0a73280a969013a21f5

SHA1
8c83bd025a791a269272d8f9061d5cedf3ada24a

SHA256
18841508c44dff896a73ff194928ad632bcecfa9ed0fee8e9c6e8012620e3f13

SHA512
3839fe150b1bbb4a9ac18918441bc29c3dccce1b10765a5e064d13217f57b9bbc82bc15f5fa0785c7b78cb2c8ca25851d34c53b11682abd55bd15bbd8e5cd331

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c8447ea9e0bd0e80d3897ff7a7efbe9b

SHA1
56bf62c4a379ed62296b4a2c83592c0be1dea9d8

SHA256
5a2fd5e68438aef5e736e90e063082be51f0dc3b9992ccb63608f7601ccee797

SHA512
0f7ebcbfc134c934517bf2e97490e1a2faed6e68571500495e46c89d33e7a0b95782c8a24689e5f71ad1369f2478813b3754135af559a8502e3e5d30c05e6d4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
e1d7afb2df9246f9d7fee86e3df1ef7b

SHA1
dcb328570dfafe6c3c7a9d50b904f9b551a7b56b

SHA256
c2cd33e3145a9c8b49b7720f3abcff80e4bc302fa1667bb56b38d995e57f5564

SHA512
dd0a537690346c9ee993e1a2e91423a089aba3bfd9ac508f18c4c430ca76582221b13eec0d21ab0a5b34208071e260b5ebc5d66d3471e9d716be6f1799405e08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
3a720af74be6da5933ca3096dc40a231

SHA1
10bdc8eb18b4c730704315742a8417fb743a2bb6

SHA256
468410aa979c4c203a3aca51fa511b8415300e5cd29a428a00817e0db911d99f

SHA512
25bfea5889115928bba201d578861189faa949bec2d730024050d8b8773dd35836886e6d405bb0d15cd96f696ecd362a3b32d4701dc96398b8adfb9e4eebf0d5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\Downloads\S0lara_ByfronBypassV2.0.zip

Filesize
8.9MB

MD5
6228f5ec64b54bdf6e28f50b1fa3b4af

SHA1
fd7265cd9c382840ebccf64272d51e35a0a35fb1

SHA256
c6b02c7dfc2c2fb759ec72f5abe503fc0b57673ddf2bf9c831bb281eb766dd93

SHA512
3698e0a03a3431d37c3446b2b972ed26b2d6d382b15c5141f92fae9f3dbf8937a362c3126365b8d09335e0b71c6e7ce6535ba21449ecb088d6529cc5f1996e93

Download Submit
C:\Users\Admin\Downloads\S0lara_ByfronBypassV2.0.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\S0lara_ByfronBypassV2.0\SolaraV2.rar

Filesize
8.9MB

MD5
7a87b44e8e2fb91231b856dcdf6ca3a2

SHA1
f6064e56ed6fdb7824959425e7309e85df20ca62

SHA256
86b18261ecfac3e91947e72cf4e90546b066736a454fa6c047f13fd9ed65f412

SHA512
9d439735ef674f2da6a17473b0ef7db5f314f0b83083e67df6366712acc5c01d15ec4089f286548f7ccdeb7059f7a00c193213b61ed595099c7b1688b8eb9a02

Download Submit
C:\Users\Admin\Downloads\S0lara_ByfronBypassV2.0\SolaraV2\SolaraBETA3\workspace\.tests\isfile.txt

Filesize
7B

MD5
260ca9dd8a4577fc00b7bd5810298076

SHA1
53a5687cb26dc41f2ab4033e97e13adefd3740d6

SHA256
aee408847d35e44e99430f0979c3357b85fe8dbb4535a494301198adbee85f27

SHA512
51e85deb51c2b909a21ec5b8e83b1cb28da258b1be227620105a345a2bd4c6aea549cd5429670f2df33324667b9f623a420b3a0bdbbd03ad48602211e75478a7

Download Submit
memory/3664-995-0x0000000008CE0000-0x00000000092F8000-memory.dmp

Filesize
6.1MB

Download
memory/3664-997-0x0000000008760000-0x0000000008772000-memory.dmp

Filesize
72KB

Download
memory/3664-998-0x00000000087C0000-0x00000000087FC000-memory.dmp

Filesize
240KB

Download
memory/3664-999-0x0000000008930000-0x000000000897C000-memory.dmp

Filesize
304KB

Download
memory/3664-1002-0x0000000006900000-0x0000000006966000-memory.dmp

Filesize
408KB

Download
memory/3664-1003-0x0000000008A40000-0x0000000008AB6000-memory.dmp

Filesize
472KB

Download
memory/3664-1004-0x00000000089E0000-0x00000000089FE000-memory.dmp

Filesize
120KB

Download
memory/3664-1005-0x0000000009970000-0x0000000009B32000-memory.dmp

Filesize
1.8MB

Download
memory/3664-1006-0x000000000A070000-0x000000000A59C000-memory.dmp

Filesize
5.2MB

Download
memory/3664-996-0x0000000008820000-0x000000000892A000-memory.dmp

Filesize
1.0MB

Download
memory/3664-994-0x0000000005680000-0x000000000568A000-memory.dmp

Filesize
40KB

Download
memory/3664-993-0x00000000056F0000-0x0000000005782000-memory.dmp

Filesize
584KB

Download
memory/3664-992-0x0000000005CA0000-0x0000000006246000-memory.dmp

Filesize
5.6MB

Download
memory/3664-991-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download