xworm | 188d525daed5c014ea5ae62a1fd1841d783693e41712ea58b9906cda2b60dbed

Analysis

max time kernel
898s
max time network
896s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
02/03/2025, 22:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

X.exe
Size

82KB
MD5

b201ce5dcb58284da7a5ef6294418e56
SHA1

27573051f80debfd74e1a72d27cfd29f58c76d7e
SHA256

188d525daed5c014ea5ae62a1fd1841d783693e41712ea58b9906cda2b60dbed
SHA512

f282f9efa40ce5e753faf803079af9aae478711e6e2f3dcf09c744ae3e670c6ef0cb18b62c8e57ba825faef8c396dd481768ef0680681d4b1b80ad1c3433f11c
SSDEEP

1536:D2wgD0/WhgBpRCn3wtSD+bQ6QqTMj34Al6G4tIzOasNnP6UO:ywkeWQCn1+bQdjrytuOa6Sz

Score

10^/10

xworm discovery execution persistence rat trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:36623

fax-scenarios.gl.at.ply.gg:36623

Attributes

Install_directory
%AppData%
install_file
SolaraX.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/memory/1740-1-0x0000000000F20000-0x0000000000F3A000-memory.dmp	family_xworm
behavioral2/files/0x000700000001e724-58.dat	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1696	powershell.exe
3676	powershell.exe
1504	powershell.exe
4888	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	X.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SolaraX.lnk	X.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SolaraX.lnk	X.exe

Executes dropped EXE 15 IoCs

pid	Process
3212	SolaraX.exe
1824	SolaraX.exe
4876	SolaraX.exe
5768	SolaraX.exe
220	SolaraX.exe
5324	SolaraX.exe
3532	SolaraX.exe
3552	SolaraX.exe
4608	SolaraX.exe
5432	SolaraX.exe
5696	SolaraX.exe
5896	SolaraX.exe
2512	SolaraX.exe
3440	SolaraX.exe
400	SolaraX.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SolaraX = "C:\\Users\\Admin\\AppData\\Roaming\\SolaraX.exe"	X.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3208	schtasks.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
1696	powershell.exe
1696	powershell.exe
3676	powershell.exe
3676	powershell.exe
1504	powershell.exe
1504	powershell.exe
4888	powershell.exe
4888	powershell.exe
1740	X.exe
4140	msedge.exe
4140	msedge.exe
3676	msedge.exe
3676	msedge.exe
4580	identity_helper.exe
4580	identity_helper.exe
1992	msedge.exe
1992	msedge.exe
1048	msedge.exe
1048	msedge.exe
2592	identity_helper.exe
2592	identity_helper.exe
6140	msedge.exe
6140	msedge.exe
6140	msedge.exe
6140	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
3676	msedge.exe
3676	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	1740	X.exe
Token: SeDebugPrivilege	1696	powershell.exe
Token: SeDebugPrivilege	3676	powershell.exe
Token: SeDebugPrivilege	1504	powershell.exe
Token: SeDebugPrivilege	4888	powershell.exe
Token: SeDebugPrivilege	1740	X.exe
Token: SeDebugPrivilege	3212	SolaraX.exe
Token: SeDebugPrivilege	1824	SolaraX.exe
Token: SeDebugPrivilege	4876	SolaraX.exe
Token: 33	2000	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2000	AUDIODG.EXE
Token: SeDebugPrivilege	5768	SolaraX.exe
Token: SeDebugPrivilege	220	SolaraX.exe
Token: SeDebugPrivilege	5324	SolaraX.exe
Token: SeDebugPrivilege	3532	SolaraX.exe
Token: SeDebugPrivilege	3552	SolaraX.exe
Token: SeDebugPrivilege	4608	SolaraX.exe
Token: SeDebugPrivilege	5432	SolaraX.exe
Token: SeDebugPrivilege	5696	SolaraX.exe
Token: SeDebugPrivilege	5896	SolaraX.exe
Token: SeDebugPrivilege	2512	SolaraX.exe
Token: SeDebugPrivilege	3440	SolaraX.exe
Token: SeDebugPrivilege	400	SolaraX.exe

Suspicious use of FindShellTrayWindow 51 IoCs

pid	Process
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1740	X.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 1696	1740	X.exe	89
PID 1740 wrote to memory of 1696	1740	X.exe	89
PID 1740 wrote to memory of 3676	1740	X.exe	91
PID 1740 wrote to memory of 3676	1740	X.exe	91
PID 1740 wrote to memory of 1504	1740	X.exe	93
PID 1740 wrote to memory of 1504	1740	X.exe	93
PID 1740 wrote to memory of 4888	1740	X.exe	95
PID 1740 wrote to memory of 4888	1740	X.exe	95
PID 1740 wrote to memory of 3208	1740	X.exe	99
PID 1740 wrote to memory of 3208	1740	X.exe	99
PID 1740 wrote to memory of 3676	1740	X.exe	121
PID 1740 wrote to memory of 3676	1740	X.exe	121
PID 3676 wrote to memory of 2180	3676	msedge.exe	122
PID 3676 wrote to memory of 2180	3676	msedge.exe	122
PID 3676 wrote to memory of 3416	3676	msedge.exe	123
PID 3676 wrote to memory of 3416	3676	msedge.exe	123
PID 3676 wrote to memory of 3416	3676	msedge.exe	123
PID 3676 wrote to memory of 3416	3676	msedge.exe	123
PID 3676 wrote to memory of 3416	3676	msedge.exe	123
PID 3676 wrote to memory of 3416	3676	msedge.exe	123
PID 3676 wrote to memory of 3416	3676	msedge.exe	123
PID 3676 wrote to memory of 3416	3676	msedge.exe	123
PID 3676 wrote to memory of 3416	3676	msedge.exe	123
PID 3676 wrote to memory of 3416	3676	msedge.exe	123
PID 3676 wrote to memory of 3416	3676	msedge.exe	123
PID 3676 wrote to memory of 3416	3676	msedge.exe	123
PID 3676 wrote to memory of 3416	3676	msedge.exe	123
PID 3676 wrote to memory of 3416	3676	msedge.exe	123
PID 3676 wrote to memory of 3416	3676	msedge.exe	123
PID 3676 wrote to memory of 3416	3676	msedge.exe	123
PID 3676 wrote to memory of 3416	3676	msedge.exe	123
PID 3676 wrote to memory of 3416	3676	msedge.exe	123
PID 3676 wrote to memory of 3416	3676	msedge.exe	123
PID 3676 wrote to memory of 3416	3676	msedge.exe	123
PID 3676 wrote to memory of 3416	3676	msedge.exe	123
PID 3676 wrote to memory of 3416	3676	msedge.exe	123
PID 3676 wrote to memory of 3416	3676	msedge.exe	123
PID 3676 wrote to memory of 3416	3676	msedge.exe	123
PID 3676 wrote to memory of 3416	3676	msedge.exe	123
PID 3676 wrote to memory of 3416	3676	msedge.exe	123
PID 3676 wrote to memory of 3416	3676	msedge.exe	123
PID 3676 wrote to memory of 3416	3676	msedge.exe	123
PID 3676 wrote to memory of 3416	3676	msedge.exe	123
PID 3676 wrote to memory of 3416	3676	msedge.exe	123
PID 3676 wrote to memory of 3416	3676	msedge.exe	123
PID 3676 wrote to memory of 3416	3676	msedge.exe	123
PID 3676 wrote to memory of 3416	3676	msedge.exe	123
PID 3676 wrote to memory of 3416	3676	msedge.exe	123
PID 3676 wrote to memory of 3416	3676	msedge.exe	123
PID 3676 wrote to memory of 3416	3676	msedge.exe	123
PID 3676 wrote to memory of 3416	3676	msedge.exe	123
PID 3676 wrote to memory of 3416	3676	msedge.exe	123
PID 3676 wrote to memory of 3416	3676	msedge.exe	123
PID 3676 wrote to memory of 3416	3676	msedge.exe	123
PID 3676 wrote to memory of 4140	3676	msedge.exe	124
PID 3676 wrote to memory of 4140	3676	msedge.exe	124
PID 3676 wrote to memory of 396	3676	msedge.exe	125
PID 3676 wrote to memory of 396	3676	msedge.exe	125
PID 3676 wrote to memory of 396	3676	msedge.exe	125
PID 3676 wrote to memory of 396	3676	msedge.exe	125
PID 3676 wrote to memory of 396	3676	msedge.exe	125
PID 3676 wrote to memory of 396	3676	msedge.exe	125
PID 3676 wrote to memory of 396	3676	msedge.exe	125
PID 3676 wrote to memory of 396	3676	msedge.exe	125

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\X.exe
"C:\Users\Admin\AppData\Local\Temp\X.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\X.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1696
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'X.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\SolaraX.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1504
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SolaraX.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4888
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SolaraX" /tr "C:\Users\Admin\AppData\Roaming\SolaraX.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://imgur.com/a/LIxwhY3
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3676
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa3d1246f8,0x7ffa3d124708,0x7ffa3d124718
    3⤵
    PID:2180
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,7506780213423714084,17072730589110847488,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
    3⤵
    PID:3416
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,7506780213423714084,17072730589110847488,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4140
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,7506780213423714084,17072730589110847488,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:8
    3⤵
    PID:396
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,7506780213423714084,17072730589110847488,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
    3⤵
    PID:3488
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,7506780213423714084,17072730589110847488,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
    3⤵
    PID:1500
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,7506780213423714084,17072730589110847488,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 /prefetch:8
    3⤵
    PID:4396
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,7506780213423714084,17072730589110847488,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://streamable.com/2l20wq
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1048
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa3d1246f8,0x7ffa3d124708,0x7ffa3d124718
    3⤵
    PID:3624
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,16485469281498683495,15994596755006598714,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
    3⤵
    PID:2064
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,16485469281498683495,15994596755006598714,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1992
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,16485469281498683495,15994596755006598714,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2904 /prefetch:8
    3⤵
    PID:3656
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,16485469281498683495,15994596755006598714,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
    3⤵
    PID:1164
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,16485469281498683495,15994596755006598714,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3488 /prefetch:1
    3⤵
    PID:4624
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2148,16485469281498683495,15994596755006598714,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4384 /prefetch:8
    3⤵
    PID:1144
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,16485469281498683495,15994596755006598714,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5320 /prefetch:8
    3⤵
    PID:436
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,16485469281498683495,15994596755006598714,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5320 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2592
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,16485469281498683495,15994596755006598714,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
    3⤵
    PID:2572
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,16485469281498683495,15994596755006598714,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1
    3⤵
    PID:2476
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,16485469281498683495,15994596755006598714,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1
    3⤵
    PID:4540
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,16485469281498683495,15994596755006598714,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
    3⤵
    PID:1220
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,16485469281498683495,15994596755006598714,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2792 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6140

C:\Users\Admin\AppData\Roaming\SolaraX.exe
C:\Users\Admin\AppData\Roaming\SolaraX.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3212

C:\Users\Admin\AppData\Roaming\SolaraX.exe
C:\Users\Admin\AppData\Roaming\SolaraX.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1824

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1272

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4896

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2000

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4512

C:\Users\Admin\AppData\Roaming\SolaraX.exe
C:\Users\Admin\AppData\Roaming\SolaraX.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4876

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4bc 0x244
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2000

C:\Users\Admin\AppData\Roaming\SolaraX.exe
C:\Users\Admin\AppData\Roaming\SolaraX.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5768

C:\Users\Admin\AppData\Roaming\SolaraX.exe
C:\Users\Admin\AppData\Roaming\SolaraX.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:220

C:\Users\Admin\AppData\Roaming\SolaraX.exe
C:\Users\Admin\AppData\Roaming\SolaraX.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5324

C:\Users\Admin\AppData\Roaming\SolaraX.exe
C:\Users\Admin\AppData\Roaming\SolaraX.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3532

C:\Users\Admin\AppData\Roaming\SolaraX.exe
C:\Users\Admin\AppData\Roaming\SolaraX.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3552

C:\Users\Admin\AppData\Roaming\SolaraX.exe
C:\Users\Admin\AppData\Roaming\SolaraX.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4608

C:\Users\Admin\AppData\Roaming\SolaraX.exe
C:\Users\Admin\AppData\Roaming\SolaraX.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5432

C:\Users\Admin\AppData\Roaming\SolaraX.exe
C:\Users\Admin\AppData\Roaming\SolaraX.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5696

C:\Users\Admin\AppData\Roaming\SolaraX.exe
C:\Users\Admin\AppData\Roaming\SolaraX.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5896

C:\Users\Admin\AppData\Roaming\SolaraX.exe
C:\Users\Admin\AppData\Roaming\SolaraX.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2512

C:\Users\Admin\AppData\Roaming\SolaraX.exe
C:\Users\Admin\AppData\Roaming\SolaraX.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3440

C:\Users\Admin\AppData\Roaming\SolaraX.exe
C:\Users\Admin\AppData\Roaming\SolaraX.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SolaraX.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
398fa65a94a5d7f267f95595055dce0d

SHA1
d757d841b56a9b24861e77da59870fc67a16f7d5

SHA256
0bb521d47d50e87073f83f7c5b306f5af8b8c51fb47bde89f03ad509a9f812de

SHA512
fa015acdb5d897b2b5451e4f4b5d35a0ae4652df95dda5c316e2256b43fc559ed0cfb17302738d9d3ffa85722982a17492cf9e31b8c9f148ec101eb7c3ae526e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9f4a0b24e1ad3a25fc9435eb63195e60

SHA1
052b5a37605d7e0e27d8b47bf162a000850196cd

SHA256
7d70a8fc286520712421636b563e9ee32335bca9a5be764544a084c77ddd5feb

SHA512
70897560b30f7885745fede85def923fb9a4f63820e351247d5dcbe81daab9dab49c1db03b29c390f58b3907d5025737a84fff026af2372c3233bc585dcfd284

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4c9b7e612ef21ee665c70534d72524b0

SHA1
e76e22880ffa7d643933bf09544ceb23573d5add

SHA256
a64366387921aba157bba7472244791d5368aef8ecaf6472b616e1e130d7d05e

SHA512
e195e1ce5e7c06d193aa1f924d0079ea72b66eb22c3aea5b6811172251768f649368734e817996d9f0f72ddfd0e2bf2454aaee0bc650eaffd56fa125a334ae88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

Filesize
44KB

MD5
1e6230e6b2981be92349d1c6fcb3f340

SHA1
92e596e2c69bcbb13c931a4d913e6cf434167d95

SHA256
d5ec33851c95fd4c9ac7f2e4c60d497dba095f23e70df81b5ef0f4a83971bc15

SHA512
1f5e43614d4eb3e4bcc889a513e6edb8de533c5723fd00f59f7983a0f565df971c1b33cb1238871152e97b808aec51b5870abf9d4a40736e0a343351f3c4e843

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

Filesize
264KB

MD5
650653950f75b3742704240e3e985975

SHA1
64b927bb788965ba7f25c99b8436fa942ce7b871

SHA256
1beda29be123d7d955451d09af4b31237359e2655f92b35ea5068106265a4a38

SHA512
68fd95e1bc4477f40af41a7e1d37d9b85332b4739c736d2a7a5630ddc69a80a7adeda97d71f3058b9cf4f317e20ffe6428ea2295358369f74c97263e128c0007

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

Filesize
606KB

MD5
25bb8e61fa1cf273b4cb1740b9d91174

SHA1
b923f87e71e74096e085710de69c6aa4164c2085

SHA256
2369c4e82e45b910106262672abd9e9a0fc1e0de28e94b2c5f5e91fa7a8b5238

SHA512
4ebcd23a20c38c60695c04af8dae8d8f5f1237bb6e7850c19f19270744f2576d0de506898987a449f4c955dfa2a7007d62f29c9665c273c6a35967448ccf0422

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
528B

MD5
008118f05324d51c20265022beece57d

SHA1
a79ba2dfc7b6410a63bbb5b8fb0b55a2dfe22ab3

SHA256
59be0b3efc771edd29a044d2e1b8b849b09a26f8599c93721cf614d4264cf7ca

SHA512
8134ca527feecf4377d0bdfdae971439ea53e1a36e3da64a4c7b552974e50051258d478a34d0c62285090f753d0c74be8153c3f7bdd3432c33946d0d2d7c6585

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

Filesize
319B

MD5
20683f4a2ed750b91678cceb4428dc7d

SHA1
a9b87169ce7ed04ddf1e322dd586663e0ec3c44f

SHA256
11792936e24c0be5cb05bb50e3a40778bff1815bbc68236a915c366a8c72e2c1

SHA512
ee4f6cfce0886d0e8a9c3ddca220d082c97e21074f072d7c1ed00f109899208bf75e03f7c58f73a32e8416ecabf4f431facd274078f70a1f6a2cb024b629b251

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
ca76415660daed3541b90afdc53f1796

SHA1
dc257842adf477b44e5692bb85995d445fe7b0ae

SHA256
ebac45131cb777d528691c15d8ee1a49e7b34813e80edbef47a95ce41e510673

SHA512
8a26ccc769ee868bc5003207467bc899d061a6a6626b8574b02bb27fab23191d23828b0a0ae4a615f2df95894a5b04b928d89a4efc01812a3e75b27003643abd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
6B

MD5
a9851aa4c3c8af2d1bd8834201b2ba51

SHA1
fa95986f7ebfac4aab3b261d3ed0a21b142e91fc

SHA256
e708be5e34097c8b4b6ecb50ead7705843d0dc4b0779b95ef57073d80f36c191

SHA512
41a1b4d650ff55b164f3db02c8440f044c4ec31d8ddbbbf56195d4e27473c6b1379dfad3581e16429650e2364791f5c19aae723efc11986bb986ef262538b818

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History-journal

Filesize
28KB

MD5
06fa58420b4dc5c62a12303d0d5c32d0

SHA1
51b60ded9545d759547d84c0db18e62464eed340

SHA256
f0e5d79802f1df36bb41788b74fe0df239f482c20bcf6d7d65c16cb68cb9f62f

SHA512
562c9daccd5c954b386012b9eb2b5f2d6838dbd420325faa065d342b89a7faaa984c8b5e40bdea737e3c92c56ea3fa149a035bcdd238f0f61cb7a8a2bffbe118

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
e42524c54236b105a6622508d2b04da7

SHA1
6099c6b5d68e2797299e4f19874ab28e5b32f6e0

SHA256
6073b87d427ef915cb1a5ee15e072511da8f3a810a1a017ce3153392a112278c

SHA512
014624ee578dd0c2221e18a435142cc299b068f0842de14fb4997e9fd245a6baddf5afa54f08ef66d030307d131719be8882e21c5db8389bc33fee952b414e23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
177B

MD5
4aa6e6b21cd2e3217ed8148023193381

SHA1
86b2889359d56373734f26b8756cdd86e4a9f7c2

SHA256
5f48db49453663f5e98d2f00f9a24d705f9750c0d4f266410169d0070b7dd44a

SHA512
404d0650d04a9ce91f00074d17eefa7a761eff56ac7a751ba368c2eb8961988c454c47a5fd8f32b5c6c02e5a159bdf12e1c6521bac8fc2da77a4830bf80ded8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
c6380465a9c3d7bdf9150dcca815c483

SHA1
fe45772a568f36b4776467565c4094098b46b8ff

SHA256
79527dc293c17b1d2510b3912a17d2b983e2a9b38c17eafe8c5dddbcab2df9e3

SHA512
dd198afc9ac02b18748be4b64d21cb74adf029b9a1764eb75e07b6f6616cd12752d6603377a3a1f81f6f7d57af12deb05feae8accab5f86d054b0ac5dda65249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
57b7de71af5872ecc2f8a8a5fb65eff4

SHA1
65ebe653b80feb40c997d0f4df178c3a9eff4f87

SHA256
bf367ade08bb1d7008ac633b039a78bc6a0b4c590526a585dcaab1dba0fb914d

SHA512
1779b9c4d328dbee2c7f00646e0fbfd8b6a55d2f36a9efc530d9b0a1e93a97eb3103a9ddc97bc8ac6a406c743007ed115bb6458dcda73c7649b39266b3f7e609

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c17776dfe3370c8ba6105f4d5262d976

SHA1
f5004bc071f867760cca38b48f11ca216f7afa79

SHA256
9ad03b40af6d32941d4649928f8afa3bb61ec578a516fb56251445586e735aa0

SHA512
8bc2346af97691b34c7d630c3166bd223c88372d4ad4f05e3dd1b10206e410bf8ee258d682a5bcf666e17223e9fa7cf161959a6325e3aa7bb48b16d1bf7ed776

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8fd62497763c6997ac871f9bdf783706

SHA1
f5d62db628eec757e41dc24f29e14c6fa9fedd7e

SHA256
23a69c37c1e51c84df9fe0d745681b0dd96cc234ae55c6137cfbe1bd146f302d

SHA512
305e28863ba30e7597d9ba54a0472cff15c3af079548fea3f03c9a383e345b38a07657ec67cf5a6bb4183137fa76aa7f926ff2d9364a24d300cd46c71c515a53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0dfb5886c508ee68baa7927f068c4c7d

SHA1
023c56dd2f898936d3bf21255631af4a736c5e1a

SHA256
64a71fbdf99f5e7fef7141d96b868fb131a3bcbd600aa03a51d899dbc31f9499

SHA512
99886d70f847d3c5f16186472a92da26930e9d49ce4040837331c271643c311c3c6a333fbb86b5c244a59f1fa14ebe5544df6c0c37e8fcafb34f55fecbafef3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Filesize
137B

MD5
a62d3a19ae8455b16223d3ead5300936

SHA1
c0c3083c7f5f7a6b41f440244a8226f96b300343

SHA256
c72428d5b415719c73b6a102e60aaa6ad94bdc9273ca9950e637a91b3106514e

SHA512
f3fc16fc45c8559c34ceba61739edd3facbbf25d114fecc57f61ec31072b233245fabae042cf6276e61c76e938e0826a0a17ae95710cfb21c2da13e18edbf99f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Filesize
319B

MD5
4a9dd1b2e23dc786db64694ddd467f5f

SHA1
02ed72e1451817e862356e34302bc40a889c0990

SHA256
c26aa2acfde82ca59ee15bdd28d3e0d59d914bf6e25c43bb86ace0015d77a38d

SHA512
dcca8a42fa7c0566865f2522085090d0577f6782be3f7b48dd90d018c2575b1202c6681c766fec588a010aec75e316b4140e77141549c6f34f77d30df003d455

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Session_13385427224485255

Filesize
1KB

MD5
aae90cdf08aeedb225ba5f76d9e7b565

SHA1
6ca73de2a7ebea524808c04ca36b18f5e67bed10

SHA256
03410a6c7b81c17222b00170d3fbdb1e84bfe7aebd84d2eb67f29ee00fc9485a

SHA512
d35c0438b80644b1650ce2e267178034b77cfca89205139d3752568d1dc9b35c0f262a164ec081031bbbaa90a95957a8d865bb8561dfe95d26cecf3e5c99d778

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13385427224672255

Filesize
1KB

MD5
ca6f0be7eeae00999afe7215be8dbeda

SHA1
9731ad12bf25bf79718f7e53393a87bb1fd6d774

SHA256
43ad9e3e2e23d759c4770692339456c08db35cd04256f7553746592a16015306

SHA512
3079a2756a4d74cf9861ec72d035fa4a5ee3cc1829ff3abe67d025573986f141b5560ab999267c75546627af8d19c1317cd3a6b5d52faa3ddab2df6bf9e5b2be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log

Filesize
112B

MD5
40325e530dbba3d71de3f21ed7c5b417

SHA1
511275df311ffdfbfadf8c5cc4c3a4a9325e4cda

SHA256
ef18336ad43d98bee93a6170e68509796b51e075f121ce1b7542377a626967d7

SHA512
5bd40498fc09d564594a3e2395795004f0222b3008f7a2080b7874bb0f4d4b54b04c3c16e1b8a9c91d82b3a0e001b439fdb78fe48b2bc25c939683bbd7717042

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
c93a0afd4d6d732fae7be71519af2547

SHA1
584f6f81b4d709fa605ac64d1e63765f778a8a3a

SHA256
afcd7fa2a0edc1efd54c9c085d3ca8770c4219e99e3f521c9000ef93f6b7d529

SHA512
bbbe98b7c34888f107c9da033a5a2885214630b316cc088f957fd636dbee33f10e562c6b576446c794e8dc19b8a28efd52cc547620e15989c132e8abb2cac07e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
3940e9d175f2445a3606c478561f5e45

SHA1
09c59d4323473067be3bb442092453a18f8f4833

SHA256
c3b01f02192adaaf27bfea0b437c74373f4edc971f4ae4dd16e06e4650b48e42

SHA512
370171e2f5e8b07b973f4f17359669de268785e7522ea050a8e5abafe6daa5905f5d73b080f25008faec2bdad2d3c2df22de2af333e32583940caa745994cc48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
204B

MD5
489a80ab005c459198a52cbc12fd1192

SHA1
c93aee8f5c168517b14b680f61dff1bb53623c42

SHA256
84cb404b8a57a9ef30f53412c7ff8f5077b34f4ce31c0c510550a2544a2a821f

SHA512
d8291ad99657d889e16f3d8c18235221e0532385016fb3a2a31ad43e151a256ec3eabe170d8b009fb855b618e13e6540bf0eb85761668b157a7933851f04ee2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
537B

MD5
c89801de6ecd92c5bf0e137b74e6c7ad

SHA1
9673d4ab414dfd872e88901bb4b843c2ae0e2e52

SHA256
d5f8f253423cb85736df04799dd00c4b3ae98b390910d6023e50a58c1b6f850d

SHA512
25ff405c1038fbcfa13bad3a6ae3c62b82dd37b054f4a5f582cba3fb08dd01757b995f1a61ff75ee4d8cf89a456ab58fec208ac0dc4e5f466321459b49a5d15f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
3d9ab203d88ef68925919b68ffe07b1b

SHA1
2de6e4e934e35f09943044331aaa4ce99ffc8e93

SHA256
2a360641271fa90624d92e5cd7ac7cf875ac6f5b62d36b0a47216e3ac931bbad

SHA512
bb1dc4aae3f90414c0facbd703980d2b3914f32900e6a31e27b97f0ca3edacc09d23ef079bc7a9bca508d0f01c84429cc96f84b585e3c7925c9a08e1e5284884

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\LOG

Filesize
136B

MD5
4d2210ad055fb8f398ec878033785a89

SHA1
4372e23d38ac2157eae1fdddc29357e9f1c9689c

SHA256
556702d86bc0b02fae8b7355db86d3a8c6460d157614ca70056080b429d2e5cb

SHA512
b97a4c3bbbd03d1f13da00bbb81782f15791b26b37e4aa853b5d6d079ce6839d0a824c29680df161f6be7b8ecf7bb13df8dcbd21ebf5c79c5aaaf79b9c23694f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\MANIFEST-000004

Filesize
50B

MD5
031d6d1e28fe41a9bdcbd8a21da92df1

SHA1
38cee81cb035a60a23d6e045e5d72116f2a58683

SHA256
b51bc53f3c43a5b800a723623c4e56a836367d6e2787c57d71184df5d24151da

SHA512
e994cd3a8ee3e3cf6304c33df5b7d6cc8207e0c08d568925afa9d46d42f6f1a5bdd7261f0fd1fcdf4df1a173ef4e159ee1de8125e54efee488a1220ce85af904

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
44KB

MD5
045106ddb3e8649b53b7bd6288ee26f4

SHA1
f25a6f7b82bb0c22cd06e208c36f1fc107e48128

SHA256
9e41f95df67c8733a8cbed3c26333a6ea27d5018cd8afb0aecc24adbfd728cb6

SHA512
a1910680b959385fca011832c3dc5cd52770484404c97ebbcf7376133848ff8b7fd777db0dbcde2f76d05e2be86adaa448e329a08eab58a29cecd31867fba86d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log

Filesize
187B

MD5
c11c9b33a638d6f57d9d46d83a01478a

SHA1
1173f5854dcfe14d8279915898240c139b4f3879

SHA256
45b6840ad286270a8e7641f696eae2638e881862db7352508cf3ce04e4d160b7

SHA512
fa05615d8158d8f37b7b0cffea35206024981225a6a0b8a06cb91ca79867d1293d0ff21e6bd593604eb7916d7e1837d0a3c616f082ce23e5e5a258f31b3e7719

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
313B

MD5
da7e07f5f6d5105eb9b603b10845c160

SHA1
b4ed5b0a9cf074a5cf9945dd27a480cf86f381d8

SHA256
3cbadce21db8ba94d13b9e88920c20aa64cd05221f5ffaec58f77b415be7cad6

SHA512
36225ac445a98f0b59aa7d91f7cbcfe6daf95b86d865e1d4a5f26a4191c1e46fda0eccf64244ed579f4785552b77239621db0d6e9798f276051d33597aa1c5c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
594B

MD5
44dae2da47963482166db93f9a7349d6

SHA1
f4a6458de1acabc442a2f2b0c14ccc2c0f12053e

SHA256
5f296223e782edeb223c96c4e43823956524b8d09621c1ac4f7aa551275b58de

SHA512
8ee6ddeb226b1ba6904bfa0d395c3cb418021af05b55e00b02f8133d591aefbd6548d115d2ad605986636f6805e570b87508d0878cc9d2ce0695de8b2ac8a26e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
331B

MD5
1802dba00f1e9c376d918712349d5632

SHA1
60fa1a8a08db41bd0ba7a2861d8950d76f1be44c

SHA256
b230a30540402237a74c9e9c66242197cb2b67313e284a2cfc7b82a3a4020de5

SHA512
4ebeb38116b26eefe85b2778e7ed142014225318e87c6a77e20742f1b8c29ae345119532199cea3447692afb65c20dccf4fb8fe4189f0e7c1433c6de7d53d14e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

Filesize
44KB

MD5
116a21ae0f926fd4d77f8085aef792d0

SHA1
b5fb9fc29444348a01a6e6b11266cd21463fe102

SHA256
4678b99a8f4b2a14fcfcd4aefe8c18899303253dd39f467f0c039e5105617405

SHA512
811002fe71db30f349b2e15e6f29fbb70305d133b2f7c3f9fa4e33e24731ebacdba5ea50d712ea64b39c83e26b99d4c15994d3b8fafa85316fe604dec803ad85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
59ee053d485f00932623e17af7b7e74c

SHA1
56d70b26a8114eb5fb814abb83983f8cafabe588

SHA256
5a62269aae71d8785d99c123574df83929250436ff4d9928ca93771d16c6d85f

SHA512
9acd86c8c3b7481180b1147d87f61cd205c7077e3c34ec501487cc717782eb7a8e74decae72b1ff5deb0da5c218fd3f54b9222b48af794a3ceed5b7a282cda4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3

Filesize
4.0MB

MD5
906bbb84d4398ad4b350015c7b55460f

SHA1
836827431642753f3629033c1742fa1a681f4163

SHA256
e261a87c543b04c97661e98abfb4b436cbee20a1ea8f3e89a489b7fa9482fc20

SHA512
49ed5ff345e56f524f3411811e0b1f6428244e51d858758c9ca1987d9b9ec36cd6970c7cf9ca5404bbc02be32047035c893c64c15dcef7d23837569216969405

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Browser

Filesize
120B

MD5
a397e5983d4a1619e36143b4d804b870

SHA1
aa135a8cc2469cfd1ef2d7955f027d95be5dfbd4

SHA256
9c70f766d3b84fc2bb298efa37cc9191f28bec336329cc11468cfadbc3b137f4

SHA512
4159ea654152d2810c95648694dd71957c84ea825fcca87b36f7e3282a72b30ef741805c610c5fa847ca186e34bde9c289aaa7b6931c5b257f1d11255cd2a816

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
fb99240a16d21ba0d3a31acde141a1c5

SHA1
2a20b17e4faacaa2e2b676288ee7b159af14c8ea

SHA256
24da6716a39bd4c7cbff241e51618e2fab5132fb414ca49224960f7ab704b828

SHA512
ea3f4401d265ca11765754c5e0fcbaea66f944105c77ee8363bb33ea1926c82aa2466f11f5772e5280968652354df446cc034ff3063d0ed12214b68557916010

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
7bae967c052161462d45d786b1beb6e2

SHA1
e0d78319a9779e15640b8dbad9bb316e778689d4

SHA256
b1b5c309ad19f1e98d9e491aa595a6c3cc0b3924137afa6f24a7abba2d6b7ee0

SHA512
77ecbf8f1279baf2ff89f81258d4dee267a73099722e7ded67dd23ca756f68bbad10c1321a3c97184c366a94df0e632d73479a0fd72040a4f21900432891c308

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt

Filesize
4B

MD5
2a47767601c74a936e7c8b5e3743e6a2

SHA1
fa44600eac66528024dbe73fcf602b9d3096ddd7

SHA256
41500d790664853c4af5bcdfb8f6751da81515d5f5e783052347faec2af7d861

SHA512
fe0018c7468f93eae71fa793533312cb4750c84968797b3564832d55ac6133de3a4a004cdb2e4d38f02d074311a85b6ecbf5793895baf347027c9c439036b6c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres

Filesize
4KB

MD5
8d850df9cf22cb1b126f2d920142adc2

SHA1
b1ff1d5eb571bf12aa161c94d7f9249500516987

SHA256
951f74d7db61bee948f0992ec9a0b80c9aafa8bcdbed8ee0f329790934afa68d

SHA512
ee084e879e1c316036d9b5381e30eaea9b1c2f00d6ccd4ec21f07906afc74da1cb7b2efc243b0ba5ef1976b2973cd1256520fd6e13af2b19b90cfebe31a72f27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
eb1ad317bd25b55b2bbdce8a28a74a94

SHA1
98a3978be4d10d62e7411946474579ee5bdc5ea6

SHA256
9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98

SHA512
d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
34f595487e6bfd1d11c7de88ee50356a

SHA1
4caad088c15766cc0fa1f42009260e9a02f953bb

SHA256
0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d

SHA512
10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2ad2xtxs.hq5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\SolaraX.exe

Filesize
82KB

MD5
b201ce5dcb58284da7a5ef6294418e56

SHA1
27573051f80debfd74e1a72d27cfd29f58c76d7e

SHA256
188d525daed5c014ea5ae62a1fd1841d783693e41712ea58b9906cda2b60dbed

SHA512
f282f9efa40ce5e753faf803079af9aae478711e6e2f3dcf09c744ae3e670c6ef0cb18b62c8e57ba825faef8c396dd481768ef0680681d4b1b80ad1c3433f11c

Download Submit
memory/1696-17-0x00007FFA40EC0000-0x00007FFA41981000-memory.dmp

Filesize
10.8MB

Download
memory/1696-14-0x00007FFA40EC0000-0x00007FFA41981000-memory.dmp

Filesize
10.8MB

Download
memory/1696-13-0x00007FFA40EC0000-0x00007FFA41981000-memory.dmp

Filesize
10.8MB

Download
memory/1696-12-0x00007FFA40EC0000-0x00007FFA41981000-memory.dmp

Filesize
10.8MB

Download
memory/1696-7-0x000002C250EE0000-0x000002C250F02000-memory.dmp

Filesize
136KB

Download
memory/1740-57-0x00007FFA40EC3000-0x00007FFA40EC5000-memory.dmp

Filesize
8KB

Download
memory/1740-56-0x00007FFA40EC0000-0x00007FFA41981000-memory.dmp

Filesize
10.8MB

Download
memory/1740-65-0x00000000016C0000-0x00000000016CC000-memory.dmp

Filesize
48KB

Download
memory/1740-61-0x00007FFA40EC0000-0x00007FFA41981000-memory.dmp

Filesize
10.8MB

Download
memory/1740-0-0x00007FFA40EC3000-0x00007FFA40EC5000-memory.dmp

Filesize
8KB

Download
memory/1740-1-0x0000000000F20000-0x0000000000F3A000-memory.dmp

Filesize
104KB

Download