xworm | 188d525daed5c014ea5ae62a1fd1841d783693e41712ea58b9906cda2b60dbed

Analysis

max time kernel
1797s
max time network
1797s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
02/03/2025, 22:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

X.exe
Size

82KB
MD5

b201ce5dcb58284da7a5ef6294418e56
SHA1

27573051f80debfd74e1a72d27cfd29f58c76d7e
SHA256

188d525daed5c014ea5ae62a1fd1841d783693e41712ea58b9906cda2b60dbed
SHA512

f282f9efa40ce5e753faf803079af9aae478711e6e2f3dcf09c744ae3e670c6ef0cb18b62c8e57ba825faef8c396dd481768ef0680681d4b1b80ad1c3433f11c
SSDEEP

1536:D2wgD0/WhgBpRCn3wtSD+bQ6QqTMj34Al6G4tIzOasNnP6UO:ywkeWQCn1+bQdjrytuOa6Sz

Score

10^/10

xworm discovery execution persistence rat trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:36623

fax-scenarios.gl.at.ply.gg:36623

Attributes

Install_directory
%AppData%
install_file
SolaraX.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/memory/3944-1-0x00000000000D0000-0x00000000000EA000-memory.dmp	family_xworm
behavioral1/files/0x000700000001e9f8-59.dat	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1832	powershell.exe
2592	powershell.exe
5080	powershell.exe
4572	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	X.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SolaraX.lnk	X.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SolaraX.lnk	X.exe

Executes dropped EXE 29 IoCs

pid	Process
984	SolaraX.exe
5516	SolaraX.exe
5968	SolaraX.exe
1968	SolaraX.exe
5460	SolaraX.exe
5684	SolaraX.exe
5400	SolaraX.exe
5300	SolaraX.exe
5816	SolaraX.exe
4344	SolaraX.exe
5288	SolaraX.exe
5764	SolaraX.exe
5968	SolaraX.exe
5492	SolaraX.exe
4464	SolaraX.exe
1684	SolaraX.exe
5592	SolaraX.exe
6084	SolaraX.exe
4280	SolaraX.exe
3796	SolaraX.exe
6080	SolaraX.exe
6120	SolaraX.exe
5600	SolaraX.exe
6072	SolaraX.exe
3336	SolaraX.exe
872	SolaraX.exe
6092	SolaraX.exe
2116	SolaraX.exe
560	SolaraX.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SolaraX = "C:\\Users\\Admin\\AppData\\Roaming\\SolaraX.exe"	X.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4604	schtasks.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
5080	powershell.exe
5080	powershell.exe
5080	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
1832	powershell.exe
1832	powershell.exe
2592	powershell.exe
2592	powershell.exe
3944	X.exe
3432	msedge.exe
3432	msedge.exe
3852	msedge.exe
3852	msedge.exe
1136	identity_helper.exe
1136	identity_helper.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeDebugPrivilege	3944	X.exe
Token: SeDebugPrivilege	5080	powershell.exe
Token: SeDebugPrivilege	4572	powershell.exe
Token: SeDebugPrivilege	1832	powershell.exe
Token: SeDebugPrivilege	2592	powershell.exe
Token: SeDebugPrivilege	3944	X.exe
Token: SeDebugPrivilege	984	SolaraX.exe
Token: 33	212	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	212	AUDIODG.EXE
Token: SeDebugPrivilege	5516	SolaraX.exe
Token: SeDebugPrivilege	5968	SolaraX.exe
Token: SeDebugPrivilege	1968	SolaraX.exe
Token: SeDebugPrivilege	5460	SolaraX.exe
Token: SeDebugPrivilege	5684	SolaraX.exe
Token: SeDebugPrivilege	5400	SolaraX.exe
Token: SeDebugPrivilege	5300	SolaraX.exe
Token: SeDebugPrivilege	5816	SolaraX.exe
Token: SeDebugPrivilege	4344	SolaraX.exe
Token: SeDebugPrivilege	5288	SolaraX.exe
Token: SeDebugPrivilege	5764	SolaraX.exe
Token: SeDebugPrivilege	5968	SolaraX.exe
Token: SeDebugPrivilege	5492	SolaraX.exe
Token: SeDebugPrivilege	4464	SolaraX.exe
Token: SeDebugPrivilege	1684	SolaraX.exe
Token: SeDebugPrivilege	5592	SolaraX.exe
Token: SeDebugPrivilege	6084	SolaraX.exe
Token: SeDebugPrivilege	4280	SolaraX.exe
Token: SeDebugPrivilege	3796	SolaraX.exe
Token: SeDebugPrivilege	6080	SolaraX.exe
Token: SeDebugPrivilege	6120	SolaraX.exe
Token: SeDebugPrivilege	5600	SolaraX.exe
Token: SeDebugPrivilege	6072	SolaraX.exe
Token: SeDebugPrivilege	3336	SolaraX.exe
Token: SeDebugPrivilege	872	SolaraX.exe
Token: SeDebugPrivilege	6092	SolaraX.exe
Token: SeDebugPrivilege	2116	SolaraX.exe
Token: SeDebugPrivilege	560	SolaraX.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3944	X.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3944 wrote to memory of 5080	3944	X.exe	96
PID 3944 wrote to memory of 5080	3944	X.exe	96
PID 3944 wrote to memory of 4572	3944	X.exe	98
PID 3944 wrote to memory of 4572	3944	X.exe	98
PID 3944 wrote to memory of 1832	3944	X.exe	100
PID 3944 wrote to memory of 1832	3944	X.exe	100
PID 3944 wrote to memory of 2592	3944	X.exe	102
PID 3944 wrote to memory of 2592	3944	X.exe	102
PID 3944 wrote to memory of 4604	3944	X.exe	106
PID 3944 wrote to memory of 4604	3944	X.exe	106
PID 3944 wrote to memory of 3852	3944	X.exe	123
PID 3944 wrote to memory of 3852	3944	X.exe	123
PID 3852 wrote to memory of 3884	3852	msedge.exe	124
PID 3852 wrote to memory of 3884	3852	msedge.exe	124
PID 3852 wrote to memory of 4348	3852	msedge.exe	125
PID 3852 wrote to memory of 4348	3852	msedge.exe	125
PID 3852 wrote to memory of 4348	3852	msedge.exe	125
PID 3852 wrote to memory of 4348	3852	msedge.exe	125
PID 3852 wrote to memory of 4348	3852	msedge.exe	125
PID 3852 wrote to memory of 4348	3852	msedge.exe	125
PID 3852 wrote to memory of 4348	3852	msedge.exe	125
PID 3852 wrote to memory of 4348	3852	msedge.exe	125
PID 3852 wrote to memory of 4348	3852	msedge.exe	125
PID 3852 wrote to memory of 4348	3852	msedge.exe	125
PID 3852 wrote to memory of 4348	3852	msedge.exe	125
PID 3852 wrote to memory of 4348	3852	msedge.exe	125
PID 3852 wrote to memory of 4348	3852	msedge.exe	125
PID 3852 wrote to memory of 4348	3852	msedge.exe	125
PID 3852 wrote to memory of 4348	3852	msedge.exe	125
PID 3852 wrote to memory of 4348	3852	msedge.exe	125
PID 3852 wrote to memory of 4348	3852	msedge.exe	125
PID 3852 wrote to memory of 4348	3852	msedge.exe	125
PID 3852 wrote to memory of 4348	3852	msedge.exe	125
PID 3852 wrote to memory of 4348	3852	msedge.exe	125
PID 3852 wrote to memory of 4348	3852	msedge.exe	125
PID 3852 wrote to memory of 4348	3852	msedge.exe	125
PID 3852 wrote to memory of 4348	3852	msedge.exe	125
PID 3852 wrote to memory of 4348	3852	msedge.exe	125
PID 3852 wrote to memory of 4348	3852	msedge.exe	125
PID 3852 wrote to memory of 4348	3852	msedge.exe	125
PID 3852 wrote to memory of 4348	3852	msedge.exe	125
PID 3852 wrote to memory of 4348	3852	msedge.exe	125
PID 3852 wrote to memory of 4348	3852	msedge.exe	125
PID 3852 wrote to memory of 4348	3852	msedge.exe	125
PID 3852 wrote to memory of 4348	3852	msedge.exe	125
PID 3852 wrote to memory of 4348	3852	msedge.exe	125
PID 3852 wrote to memory of 4348	3852	msedge.exe	125
PID 3852 wrote to memory of 4348	3852	msedge.exe	125
PID 3852 wrote to memory of 4348	3852	msedge.exe	125
PID 3852 wrote to memory of 4348	3852	msedge.exe	125
PID 3852 wrote to memory of 4348	3852	msedge.exe	125
PID 3852 wrote to memory of 4348	3852	msedge.exe	125
PID 3852 wrote to memory of 4348	3852	msedge.exe	125
PID 3852 wrote to memory of 4348	3852	msedge.exe	125
PID 3852 wrote to memory of 3432	3852	msedge.exe	126
PID 3852 wrote to memory of 3432	3852	msedge.exe	126
PID 3852 wrote to memory of 4316	3852	msedge.exe	127
PID 3852 wrote to memory of 4316	3852	msedge.exe	127
PID 3852 wrote to memory of 4316	3852	msedge.exe	127
PID 3852 wrote to memory of 4316	3852	msedge.exe	127
PID 3852 wrote to memory of 4316	3852	msedge.exe	127
PID 3852 wrote to memory of 4316	3852	msedge.exe	127
PID 3852 wrote to memory of 4316	3852	msedge.exe	127
PID 3852 wrote to memory of 4316	3852	msedge.exe	127

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\X.exe
"C:\Users\Admin\AppData\Local\Temp\X.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3944
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\X.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5080
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'X.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4572
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\SolaraX.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1832
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SolaraX.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2592
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SolaraX" /tr "C:\Users\Admin\AppData\Roaming\SolaraX.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://streamable.com/2l20wq
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3852
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffacf9346f8,0x7ffacf934708,0x7ffacf934718
    3⤵
    PID:3884
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,2647771969994370652,16725576474747260260,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:2
    3⤵
    PID:4348
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,2647771969994370652,16725576474747260260,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3432
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,2647771969994370652,16725576474747260260,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2668 /prefetch:8
    3⤵
    PID:4316
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,2647771969994370652,16725576474747260260,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
    3⤵
    PID:3760
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,2647771969994370652,16725576474747260260,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
    3⤵
    PID:1844
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2052,2647771969994370652,16725576474747260260,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5008 /prefetch:8
    3⤵
    PID:4960
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,2647771969994370652,16725576474747260260,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5556 /prefetch:8
    3⤵
    PID:3464
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,2647771969994370652,16725576474747260260,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5556 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1136
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,2647771969994370652,16725576474747260260,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
    3⤵
    PID:868
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,2647771969994370652,16725576474747260260,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4008 /prefetch:1
    3⤵
    PID:4740
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,2647771969994370652,16725576474747260260,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1
    3⤵
    PID:4312
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,2647771969994370652,16725576474747260260,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:1
    3⤵
    PID:1220
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,2647771969994370652,16725576474747260260,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5032 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6024

C:\Users\Admin\AppData\Roaming\SolaraX.exe
C:\Users\Admin\AppData\Roaming\SolaraX.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:984

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4852

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4000

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x410 0x2fc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:212

C:\Users\Admin\AppData\Roaming\SolaraX.exe
C:\Users\Admin\AppData\Roaming\SolaraX.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5516

C:\Users\Admin\AppData\Roaming\SolaraX.exe
C:\Users\Admin\AppData\Roaming\SolaraX.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5968

C:\Users\Admin\AppData\Roaming\SolaraX.exe
C:\Users\Admin\AppData\Roaming\SolaraX.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1968

C:\Users\Admin\AppData\Roaming\SolaraX.exe
C:\Users\Admin\AppData\Roaming\SolaraX.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5460

C:\Users\Admin\AppData\Roaming\SolaraX.exe
C:\Users\Admin\AppData\Roaming\SolaraX.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5684

C:\Users\Admin\AppData\Roaming\SolaraX.exe
C:\Users\Admin\AppData\Roaming\SolaraX.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5400

C:\Users\Admin\AppData\Roaming\SolaraX.exe
C:\Users\Admin\AppData\Roaming\SolaraX.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5300

C:\Users\Admin\AppData\Roaming\SolaraX.exe
C:\Users\Admin\AppData\Roaming\SolaraX.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5816

C:\Users\Admin\AppData\Roaming\SolaraX.exe
C:\Users\Admin\AppData\Roaming\SolaraX.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4344

C:\Users\Admin\AppData\Roaming\SolaraX.exe
C:\Users\Admin\AppData\Roaming\SolaraX.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5288

C:\Users\Admin\AppData\Roaming\SolaraX.exe
C:\Users\Admin\AppData\Roaming\SolaraX.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5764

C:\Users\Admin\AppData\Roaming\SolaraX.exe
C:\Users\Admin\AppData\Roaming\SolaraX.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5968

C:\Users\Admin\AppData\Roaming\SolaraX.exe
C:\Users\Admin\AppData\Roaming\SolaraX.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5492

C:\Users\Admin\AppData\Roaming\SolaraX.exe
C:\Users\Admin\AppData\Roaming\SolaraX.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4464

C:\Users\Admin\AppData\Roaming\SolaraX.exe
C:\Users\Admin\AppData\Roaming\SolaraX.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1684

C:\Users\Admin\AppData\Roaming\SolaraX.exe
C:\Users\Admin\AppData\Roaming\SolaraX.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5592

C:\Users\Admin\AppData\Roaming\SolaraX.exe
C:\Users\Admin\AppData\Roaming\SolaraX.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6084

C:\Users\Admin\AppData\Roaming\SolaraX.exe
C:\Users\Admin\AppData\Roaming\SolaraX.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4280

C:\Users\Admin\AppData\Roaming\SolaraX.exe
C:\Users\Admin\AppData\Roaming\SolaraX.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3796

C:\Users\Admin\AppData\Roaming\SolaraX.exe
C:\Users\Admin\AppData\Roaming\SolaraX.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6080

C:\Users\Admin\AppData\Roaming\SolaraX.exe
C:\Users\Admin\AppData\Roaming\SolaraX.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6120

C:\Users\Admin\AppData\Roaming\SolaraX.exe
C:\Users\Admin\AppData\Roaming\SolaraX.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5600

C:\Users\Admin\AppData\Roaming\SolaraX.exe
C:\Users\Admin\AppData\Roaming\SolaraX.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6072

C:\Users\Admin\AppData\Roaming\SolaraX.exe
C:\Users\Admin\AppData\Roaming\SolaraX.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3336

C:\Users\Admin\AppData\Roaming\SolaraX.exe
C:\Users\Admin\AppData\Roaming\SolaraX.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:872

C:\Users\Admin\AppData\Roaming\SolaraX.exe
C:\Users\Admin\AppData\Roaming\SolaraX.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6092

C:\Users\Admin\AppData\Roaming\SolaraX.exe
C:\Users\Admin\AppData\Roaming\SolaraX.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2116

C:\Users\Admin\AppData\Roaming\SolaraX.exe
C:\Users\Admin\AppData\Roaming\SolaraX.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SolaraX.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f2b08db3d95297f259f5aabbc4c36579

SHA1
f5160d14e7046d541aee0c51c310b671e199f634

SHA256
a43c97e4f52c27219be115d0d63f8ff38f98fc60f8aab81136e068ba82929869

SHA512
3256d03196afe4fbe81ae359526e686684f5ef8ef03ce500c64a3a8a79c72b779deff71cf64c0ece7d21737ffc67062ec8114c3de5cafd7e8313bb0d08684c75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6cdd2d2aae57f38e1f6033a490d08b79

SHA1
a54cb1af38c825e74602b18fb1280371c8865871

SHA256
56e7dc53fb8968feac9775fc4e2f5474bab2d10d5f1a5db8037435694062fbff

SHA512
6cf1ccd4bc6ef53d91c64f152e90f2756f34999a9b9036dc3c4423ec33e0dcee840e754d5efac6715411751facbe78acc6229a2c849877589755f7f578ef949a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
1017KB

MD5
6ac529d3fd512ef622b4ed7ecc9237e4

SHA1
851b15123e0494fe4ab50453db2edf129c9cc559

SHA256
ce87d33a2e833225ac43312d937aa51740fff956140cf9d53dc052bf4c496fcb

SHA512
deb475895770e1b236d334b06b431e2d68a02aea707aab8d800ce85fa3e40e9f0d6c812aa8bf3b3bb20c8e49c8f3e62da4f84248d8610642586615f88b39a9b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
528B

MD5
73cdb73654a858c5be613e692d3cd789

SHA1
53f32c0517101069c1cbfb884636c1b0c9f12788

SHA256
e271ca41b4d8b6ff0fb5c5cff3dace3119239d1376ff2e4dcb7c374a59442b33

SHA512
611909a0c51b3496433015a8523bb6767319f772821629f40aa2c6deda99609bbd96b065221d6bd334314d797617cdf2c199bb3e73d44bbf667afd7f6fde60c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
842B

MD5
683bf2e572618fdbf7726271aa7a82a9

SHA1
1e23687720befdfa7d3c37220312faeb649df6ea

SHA256
942dbf57bd8fe860da286ef88d36aa1e144d375e3b8d81ef939dfa7366479290

SHA512
4828f3122bc377a4b0a29749f9d31a0ec3d90582b53c953eba129dbd72a66153059edf63db01b723039ff5aeca85f49694bc2b18bea4ea46a018f828232caec8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9e14524ba34a74dd8304a619c7f4e85c

SHA1
6b7b9cbd495dc3aa0db8a25cdf9a4b90d8d1fbf2

SHA256
99280e32a5c2fc80923a196f1d3f097558601aa6c1b869a01bb934b6d8ef4dca

SHA512
5021556fc5f3810b4c2037343be0234020092b7baa2c3611b5937a65488c19816bffe408ae9999ee6916e7f1dbe66c3f8dc4a00f659a1b9e22e21b609b2b433f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ce267f7004795b5bef58a71c101f2db4

SHA1
34d6d6c7ff05f68aff943d090839c421fac1fb9e

SHA256
2057ad2e1d3bd24a77118a12ef15da7380623e9ae715f96986d62e8077a55de5

SHA512
4ccb85de6c9eeeff50222c8f3590fbeda1a79d583ad1d8b1b5a13720afebafb56483149882f6da4f65fab4510c907e786ea22b11b43fd8434bbce239d3319f68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4ee8a14ecbd6f4d3cc7ad2a64dfe7f40

SHA1
cb51d703195bc3611ea2659ee4ac7f3400e2b93e

SHA256
b665da7b1377352edfc8f7531e379ad6f47d29d8be74801bd73fa33267f9c4f6

SHA512
38acce211dbf082c7751543bc2c00dfb7fcfde5f09f02e305cbcea9496b73c3a5352dc6460dec906a044b21ef21fefd026574a2e0ff44adcaea70957266bfc1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cae60f0ddddac635da71bba775a2c5b4

SHA1
386f1a036af61345a7d303d45f5230e2df817477

SHA256
b2dd636b7b0d3bfe44cef5e1175828b1fa7bd84d5563f54342944156ba996c16

SHA512
28ed8a8bc132ef56971cfd7b517b17cdb74a7f8c247ef6bff232996210075e06aa58a415825a1e038cfb547ad3dc6882bf1ca1b68c5b360ef0512a1440850253

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ef647504cf229a16d02de14a16241b90

SHA1
81480caca469857eb93c75d494828b81e124fda0

SHA256
47002672443e80410e55a0b6d683573ac27d70d803b57ee3c2818d1008669710

SHA512
a6d8c08c708eee6f7e700880ce79d2ba7cd0acbe8529d96e18f3e90ea1f3cf33fd801dd6eba6017cdd02769e968c48278c090c1deeac710124f79423cd862ee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_aziybpfc.xr0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\SolaraX.exe

Filesize
82KB

MD5
b201ce5dcb58284da7a5ef6294418e56

SHA1
27573051f80debfd74e1a72d27cfd29f58c76d7e

SHA256
188d525daed5c014ea5ae62a1fd1841d783693e41712ea58b9906cda2b60dbed

SHA512
f282f9efa40ce5e753faf803079af9aae478711e6e2f3dcf09c744ae3e670c6ef0cb18b62c8e57ba825faef8c396dd481768ef0680681d4b1b80ad1c3433f11c

Download Submit
memory/3944-56-0x00007FFAD2B90000-0x00007FFAD3651000-memory.dmp

Filesize
10.8MB

Download
memory/3944-57-0x00007FFAD2B90000-0x00007FFAD3651000-memory.dmp

Filesize
10.8MB

Download
memory/3944-0-0x00007FFAD2B93000-0x00007FFAD2B95000-memory.dmp

Filesize
8KB

Download
memory/3944-1-0x00000000000D0000-0x00000000000EA000-memory.dmp

Filesize
104KB

Download
memory/3944-264-0x000000001AE50000-0x000000001AE5C000-memory.dmp

Filesize
48KB

Download
memory/5080-17-0x00007FFAD2B90000-0x00007FFAD3651000-memory.dmp

Filesize
10.8MB

Download
memory/5080-14-0x00007FFAD2B90000-0x00007FFAD3651000-memory.dmp

Filesize
10.8MB

Download
memory/5080-13-0x00007FFAD2B90000-0x00007FFAD3651000-memory.dmp

Filesize
10.8MB

Download
memory/5080-12-0x00007FFAD2B90000-0x00007FFAD3651000-memory.dmp

Filesize
10.8MB

Download
memory/5080-11-0x00000223A2BE0000-0x00000223A2C02000-memory.dmp

Filesize
136KB

Download