xworm | 188d525daed5c014ea5ae62a1fd1841d783693e41712ea58b9906cda2b60dbed

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
02/03/2025, 22:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

X.exe
Size

82KB
MD5

b201ce5dcb58284da7a5ef6294418e56
SHA1

27573051f80debfd74e1a72d27cfd29f58c76d7e
SHA256

188d525daed5c014ea5ae62a1fd1841d783693e41712ea58b9906cda2b60dbed
SHA512

f282f9efa40ce5e753faf803079af9aae478711e6e2f3dcf09c744ae3e670c6ef0cb18b62c8e57ba825faef8c396dd481768ef0680681d4b1b80ad1c3433f11c
SSDEEP

1536:D2wgD0/WhgBpRCn3wtSD+bQ6QqTMj34Al6G4tIzOasNnP6UO:ywkeWQCn1+bQdjrytuOa6Sz

Score

10^/10

xworm discovery execution persistence rat trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:36623

fax-scenarios.gl.at.ply.gg:36623

Attributes

Install_directory
%AppData%
install_file
SolaraX.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/memory/3156-1-0x00000000007C0000-0x00000000007DA000-memory.dmp	family_xworm
behavioral1/files/0x000500000001e717-59.dat	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1644	powershell.exe
916	powershell.exe
2932	powershell.exe
1688	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	X.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SolaraX.lnk	X.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SolaraX.lnk	X.exe

Executes dropped EXE 3 IoCs

pid	Process
3844	SolaraX.exe
2484	SolaraX.exe
2224	SolaraX.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SolaraX = "C:\\Users\\Admin\\AppData\\Roaming\\SolaraX.exe"	X.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3040	schtasks.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
2932	powershell.exe
2932	powershell.exe
1688	powershell.exe
1688	powershell.exe
1644	powershell.exe
1644	powershell.exe
916	powershell.exe
916	powershell.exe
3156	X.exe
400	msedge.exe
400	msedge.exe
3232	msedge.exe
3232	msedge.exe
3464	identity_helper.exe
3464	identity_helper.exe
3216	msedge.exe
3216	msedge.exe
5016	msedge.exe
5016	msedge.exe
1932	identity_helper.exe
1932	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	3156	X.exe
Token: SeDebugPrivilege	2932	powershell.exe
Token: SeDebugPrivilege	1688	powershell.exe
Token: SeDebugPrivilege	1644	powershell.exe
Token: SeDebugPrivilege	916	powershell.exe
Token: SeDebugPrivilege	3156	X.exe
Token: SeDebugPrivilege	3844	SolaraX.exe
Token: SeDebugPrivilege	2484	SolaraX.exe
Token: SeDebugPrivilege	2224	SolaraX.exe

Suspicious use of FindShellTrayWindow 52 IoCs

pid	Process
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3156	X.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3156 wrote to memory of 2932	3156	X.exe	93
PID 3156 wrote to memory of 2932	3156	X.exe	93
PID 3156 wrote to memory of 1688	3156	X.exe	97
PID 3156 wrote to memory of 1688	3156	X.exe	97
PID 3156 wrote to memory of 1644	3156	X.exe	99
PID 3156 wrote to memory of 1644	3156	X.exe	99
PID 3156 wrote to memory of 916	3156	X.exe	101
PID 3156 wrote to memory of 916	3156	X.exe	101
PID 3156 wrote to memory of 3040	3156	X.exe	104
PID 3156 wrote to memory of 3040	3156	X.exe	104
PID 3156 wrote to memory of 3232	3156	X.exe	123
PID 3156 wrote to memory of 3232	3156	X.exe	123
PID 3232 wrote to memory of 1632	3232	msedge.exe	124
PID 3232 wrote to memory of 1632	3232	msedge.exe	124
PID 3232 wrote to memory of 4292	3232	msedge.exe	125
PID 3232 wrote to memory of 4292	3232	msedge.exe	125
PID 3232 wrote to memory of 4292	3232	msedge.exe	125
PID 3232 wrote to memory of 4292	3232	msedge.exe	125
PID 3232 wrote to memory of 4292	3232	msedge.exe	125
PID 3232 wrote to memory of 4292	3232	msedge.exe	125
PID 3232 wrote to memory of 4292	3232	msedge.exe	125
PID 3232 wrote to memory of 4292	3232	msedge.exe	125
PID 3232 wrote to memory of 4292	3232	msedge.exe	125
PID 3232 wrote to memory of 4292	3232	msedge.exe	125
PID 3232 wrote to memory of 4292	3232	msedge.exe	125
PID 3232 wrote to memory of 4292	3232	msedge.exe	125
PID 3232 wrote to memory of 4292	3232	msedge.exe	125
PID 3232 wrote to memory of 4292	3232	msedge.exe	125
PID 3232 wrote to memory of 4292	3232	msedge.exe	125
PID 3232 wrote to memory of 4292	3232	msedge.exe	125
PID 3232 wrote to memory of 4292	3232	msedge.exe	125
PID 3232 wrote to memory of 4292	3232	msedge.exe	125
PID 3232 wrote to memory of 4292	3232	msedge.exe	125
PID 3232 wrote to memory of 4292	3232	msedge.exe	125
PID 3232 wrote to memory of 4292	3232	msedge.exe	125
PID 3232 wrote to memory of 4292	3232	msedge.exe	125
PID 3232 wrote to memory of 4292	3232	msedge.exe	125
PID 3232 wrote to memory of 4292	3232	msedge.exe	125
PID 3232 wrote to memory of 4292	3232	msedge.exe	125
PID 3232 wrote to memory of 4292	3232	msedge.exe	125
PID 3232 wrote to memory of 4292	3232	msedge.exe	125
PID 3232 wrote to memory of 4292	3232	msedge.exe	125
PID 3232 wrote to memory of 4292	3232	msedge.exe	125
PID 3232 wrote to memory of 4292	3232	msedge.exe	125
PID 3232 wrote to memory of 4292	3232	msedge.exe	125
PID 3232 wrote to memory of 4292	3232	msedge.exe	125
PID 3232 wrote to memory of 4292	3232	msedge.exe	125
PID 3232 wrote to memory of 4292	3232	msedge.exe	125
PID 3232 wrote to memory of 4292	3232	msedge.exe	125
PID 3232 wrote to memory of 4292	3232	msedge.exe	125
PID 3232 wrote to memory of 4292	3232	msedge.exe	125
PID 3232 wrote to memory of 4292	3232	msedge.exe	125
PID 3232 wrote to memory of 4292	3232	msedge.exe	125
PID 3232 wrote to memory of 4292	3232	msedge.exe	125
PID 3232 wrote to memory of 400	3232	msedge.exe	126
PID 3232 wrote to memory of 400	3232	msedge.exe	126
PID 3232 wrote to memory of 5080	3232	msedge.exe	127
PID 3232 wrote to memory of 5080	3232	msedge.exe	127
PID 3232 wrote to memory of 5080	3232	msedge.exe	127
PID 3232 wrote to memory of 5080	3232	msedge.exe	127
PID 3232 wrote to memory of 5080	3232	msedge.exe	127
PID 3232 wrote to memory of 5080	3232	msedge.exe	127
PID 3232 wrote to memory of 5080	3232	msedge.exe	127
PID 3232 wrote to memory of 5080	3232	msedge.exe	127

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\X.exe
"C:\Users\Admin\AppData\Local\Temp\X.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3156
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\X.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2932
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'X.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1688
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\SolaraX.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1644
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SolaraX.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:916
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SolaraX" /tr "C:\Users\Admin\AppData\Roaming\SolaraX.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://imgur.com/a/LIxwhY3
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3232
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb1fec46f8,0x7ffb1fec4708,0x7ffb1fec4718
    3⤵
    PID:1632
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,2913394659936864078,3062470678195258654,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
    3⤵
    PID:4292
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,2913394659936864078,3062470678195258654,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2528 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:400
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,2913394659936864078,3062470678195258654,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2964 /prefetch:8
    3⤵
    PID:5080
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2913394659936864078,3062470678195258654,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
    3⤵
    PID:664
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2913394659936864078,3062470678195258654,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
    3⤵
    PID:3264
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2076,2913394659936864078,3062470678195258654,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4672 /prefetch:8
    3⤵
    PID:3984
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,2913394659936864078,3062470678195258654,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5320 /prefetch:8
    3⤵
    PID:3044
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,2913394659936864078,3062470678195258654,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5320 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3464
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2913394659936864078,3062470678195258654,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4056 /prefetch:1
    3⤵
    PID:452
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2913394659936864078,3062470678195258654,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:1
    3⤵
    PID:4436
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2913394659936864078,3062470678195258654,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1
    3⤵
    PID:3820
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2913394659936864078,3062470678195258654,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
    3⤵
    PID:1600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://imgur.com/a/LIxwhY3
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:5016
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb1fec46f8,0x7ffb1fec4708,0x7ffb1fec4718
    3⤵
    PID:2056
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,12455132076483896563,15103033069341677479,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
    3⤵
    PID:4268
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,12455132076483896563,15103033069341677479,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3216
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,12455132076483896563,15103033069341677479,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2928 /prefetch:8
    3⤵
    PID:912
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12455132076483896563,15103033069341677479,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
    3⤵
    PID:3528
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12455132076483896563,15103033069341677479,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
    3⤵
    PID:4992
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,12455132076483896563,15103033069341677479,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5112 /prefetch:8
    3⤵
    PID:4256
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,12455132076483896563,15103033069341677479,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5112 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1932
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12455132076483896563,15103033069341677479,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4372 /prefetch:1
    3⤵
    PID:3464
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12455132076483896563,15103033069341677479,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
    3⤵
    PID:400
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12455132076483896563,15103033069341677479,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
    3⤵
    PID:3180
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12455132076483896563,15103033069341677479,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
    3⤵
    PID:1448

C:\Users\Admin\AppData\Roaming\SolaraX.exe
C:\Users\Admin\AppData\Roaming\SolaraX.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3844

C:\Users\Admin\AppData\Roaming\SolaraX.exe
C:\Users\Admin\AppData\Roaming\SolaraX.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2484

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4476

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4864

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2584

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2340

C:\Users\Admin\AppData\Roaming\SolaraX.exe
C:\Users\Admin\AppData\Roaming\SolaraX.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SolaraX.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
133a6b40cb55b4666cd09f49b3f31f63

SHA1
2ee2f439d5a9b7330d92e69b44bcd3390de13d33

SHA256
902d5f199dac81fc163e081ef35ef9b7ee04b36db7b7ffbd39e3d5f0c25f71b4

SHA512
60f5f58dfc12bd4680fc525c0d168e8341441dfc7d8c0a4fa3e412373d836f045ccbd3b8f5ad7fe4c5038bf3f1646a4ef2b84683dd4d92c431f8000e7ea4be6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
59913c15e18a327c0d384b554160c71a

SHA1
f85b41e75568d21850fbdc93acde69ec8146e678

SHA256
855fd6285f15951da4e817cacfd69a90dce733d594ba0cbb034b5fbdc8c8c9b4

SHA512
da41e3a47b9907b97c03668da55b0056f60ef849f8eb69dbb6adecdf4f844e658130264b7c53ac149b635ab7effa07e4ad4f061f3453903404fb5ba0febb3f9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fffde59525dd5af902ac449748484b15

SHA1
243968c68b819f03d15b48fc92029bf11e21bedc

SHA256
26bc5e85dd325466a27394e860cac7bef264e287e5a75a20ea54eec96abd0762

SHA512
f246854e8ed0f88ca43f89cf497b90383e05ffa107496b4c346f070f6e9bbf1d9dc1bdcc28cad6b5c7810e3ba39f27d549061b3b413a7c0dd49faacae68cd645

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ab283f88362e9716dd5c324319272528

SHA1
84cebc7951a84d497b2c1017095c2c572e3648c4

SHA256
61e4aa4614e645255c6db977ea7da1c7997f9676d8b8c3aaab616710d9186ab2

SHA512
66dff3b6c654c91b05f92b7661985391f29763cf757cc4b869bce5d1047af9fb29bbe37c4097ddcfa021331c16dd7e96321d7c5236729be29f74853818ec1484

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

Filesize
44KB

MD5
208093c34b58a5aa788e60af23f71a98

SHA1
fb0b00c4cecff042ae31f6ef67b2227f4ec8cea3

SHA256
bfd8f2ceeb4405b1d496b3657c914e6818b22a53692cdc5927c8b12649c91c93

SHA512
4991464e37a886ce0a67c8dff37337c7c65c12504e15a673154cf5f5f774e65fc6fb7caadd6c516df2f6dd05383eb58f0afb94c5b6c4b36c96d3791268d95fb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

Filesize
264KB

MD5
0fb765f4bc1a37defcddee7f4c0a8c58

SHA1
0cf9d3d0ec264b4f1264c7fe7d800b0d74b7fdd1

SHA256
f36b8721e62bba716ce06b72eddfba4da6dafc9ff96dc09cc8108ef47b53ddba

SHA512
146cc560d8831b991355b26b8d298ccc10388bd047a8b47f92f2be2259f38b687b71fbcdee2d7cc6c35696c06fbce55c059bd7df6377a6e7ad30aeb167ebd854

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

Filesize
322B

MD5
c6c07790897cf984dd52a028bbbdc868

SHA1
8125ddedd92d7d3f6ed31d8ea658f8cc6a77ad35

SHA256
5f7ae10686d4c508864d36a83c8e1cfe3b1a49eaeed61750860674cf3d82c9d2

SHA512
b21d8141dbf42242a6e1ae1b6bf17d43bea788749753fd3c9c0babf89181d1c052e9e71f787252b24939118413a806f7ab6ae1f1621240aedd643787f896b165

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
b4e63415435f6ffa1abef80a406f733f

SHA1
8fafa95d3fcd49926ceaf58e97874ce274bc2758

SHA256
fbc0096e2ffe67c7f1df53dff2271ee1287431cde4e37fea4a8280e75c77f8c2

SHA512
e413ff44ca10ec13f72530c905dbd1015a3d97c6a17bfc0eaa37d5d4149be22915ebadbca5b8f1d075e9e00f669886733643010ca3f3437c08a4d1bbbdff670b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
6B

MD5
a9851aa4c3c8af2d1bd8834201b2ba51

SHA1
fa95986f7ebfac4aab3b261d3ed0a21b142e91fc

SHA256
e708be5e34097c8b4b6ecb50ead7705843d0dc4b0779b95ef57073d80f36c191

SHA512
41a1b4d650ff55b164f3db02c8440f044c4ec31d8ddbbbf56195d4e27473c6b1379dfad3581e16429650e2364791f5c19aae723efc11986bb986ef262538b818

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History-journal

Filesize
28KB

MD5
bb838c6e60f8d14f52590db35a1b44dd

SHA1
751a1bda1b2e53d259b2d796263881926d784031

SHA256
0adc8b45500b06e4c7cc2539f760d224d8e0244972cf284e21bc778158bfd07f

SHA512
c5b8c1003b5bef379f8d293df28a5d139c5b3698307118ab7dffbc22ac894dd2b11b643ed7d1997dade2b15d3600c42ed194818693b6700ee2367ddbeed135be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
334B

MD5
989ff3e559c7e37c8229b50932dda294

SHA1
b184510ecb7781788c0411b576eeb1b3ed19c500

SHA256
6d59b7cf4ead1a0db5cd2a236c7d0c808db1d489fb20093806cdee7913ee0cbf

SHA512
9dc0f496c4f5b3eea05f368217005a13dfcf3d4c2ea89108f2222e209ad6da3d36b6f5703be856c32a591a226d288aa124d0dc8e27704ed1db12ecade49d533e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
177B

MD5
4aa6e6b21cd2e3217ed8148023193381

SHA1
86b2889359d56373734f26b8756cdd86e4a9f7c2

SHA256
5f48db49453663f5e98d2f00f9a24d705f9750c0d4f266410169d0070b7dd44a

SHA512
404d0650d04a9ce91f00074d17eefa7a761eff56ac7a751ba368c2eb8961988c454c47a5fd8f32b5c6c02e5a159bdf12e1c6521bac8fc2da77a4830bf80ded8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e0b2e760c0b740afa059b78f0029b2fd

SHA1
e350f66c4775317ffba471ab144a92d7ffe10ab9

SHA256
1eb417ae8acdee7b4ba75205a1a47ff851e8035fc387550c9f0daf580a6eb973

SHA512
ecca85113a6a684a85b5666f0c28d96111c5659d65a2716192d56fad2f7061cf492b5ae05c0a0a3859d8a67b7db7a9dbbcdc9f44828d51d38e980b7ee42084f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6b8e5c3c617bd5789b783665594ba4ed

SHA1
4f79dad22f124c5ab300728e0d1d6d750aa3bc7c

SHA256
bb157500aaec59b8546cb1b72ecbd11f76bd8902bf99cc7f9005981ad4e33826

SHA512
0ca3b18a5f42d299b7b344ac580f738fc714c8a5409f924f83bcdfeb7c5fd9997893ed37765ff494d2d37b4d185216166b8f4d81a31b423e64acbb144d0774ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a24d2f83cba14caa18314d3cf3d64216

SHA1
80699f3b420c8460728dfd20558368b0d72af3cf

SHA256
6647d5f662abc21448c3db55bb1f55e210e76111e5e8fd3fc1c98904d7686aee

SHA512
8edef3f9d4462c00ac890cfe97b463c6efa0636b1bc12f4653bd02d85364e86ee1211e134a158053522b6a729946285a86066065ae022d4bd48422ffe02dd03f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
5f39d8c6e497043e22e63bbdcf4ad777

SHA1
1cd660eebddc8c41211b425d83f53e9a8e64d90e

SHA256
850e79610656ede66369d9fdeab11b8660f9c73937ad7af079aa71c1ee7f25b6

SHA512
09201cd6d3442ae9ec12c5868ea09b98c4d97efa3b406727fa60685721e8f3cc9be60fefc407fb9bf18f1c1be003bcb7c6da359f7bd88eb2b59835e139a6413b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Filesize
156B

MD5
fa1af62bdaf3c63591454d2631d5dd6d

SHA1
14fc1fc51a9b7ccab8f04c45d84442ed02eb9466

SHA256
00dd3c8077c2cca17ea9b94804490326ae6f43e6070d06b1516dfd5c4736d94d

SHA512
2c3184f563b9a9bff088114f0547f204ee1e0b864115366c86506215f42d7dbf161bc2534ccaee783e62cc01105edffc5f5dabf229da5ebd839c96af1d45de77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Filesize
322B

MD5
28dfb0ab7ec4860ecafd250d968c0d66

SHA1
352e24c9ace4719e641b40bd445ac9b8cba931a9

SHA256
ef26e33891a1741c93cef9e8822fa6e2c4ae15088bf4cc47739cb108a20a8da6

SHA512
345644ab3a760931040badddb24da6fbd176880dbf14a7f76826da852895f6597ece8faa761e27e15a5e67912867c64b8a15f0a50902f80091a13bdac4d210fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Session_13385426739315671

Filesize
1KB

MD5
50cf0edc3ead3737b19db5e4983894a5

SHA1
e505e94fb4c02d6022be19c29191b5d2a34ee904

SHA256
538844d10e70ccb3cc19693f75a1039b8a5c1e3350a8b53abef564526991f7b7

SHA512
32d5eafb71ab3a19d0610c19c3b0603ff3df8ccc3c34f3e27632d81b7d0d07a383e1675c68905887c550af762397f34c93a0c6bf1fbe68a598a958408cd9dc51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13385426739465671

Filesize
1KB

MD5
5cf1b9da0e8345275657c09927e2a264

SHA1
21329b8f751839afe12180faebf6620fa6899929

SHA256
44523e09c8c2a13cc524f0d9a2ed8210d4c1094476be122106e27293163e06cc

SHA512
3d11239d89f7a3aef1c4cb395955f0513565423a53409b2704c6a6c5cff1a7aa57da31eafbb80a9755a52d2279a2884587395a816df88680bbd405b653d05d30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log

Filesize
112B

MD5
f743d3332718bf02445337a729a5eedc

SHA1
1c45a5c5a98389ee543d3d5012dd8f8bcd3d55a7

SHA256
fef65b06d96e375a97823e98d89131f8ff3a827b7197bacf98875aee63acaeb0

SHA512
0603c23cdc6697688699f54daeab46178d762feb194916d3c73fc893a661f05f7b08c250c97798e454ddb13ec44c33813c68e015bdc7875689881fdaf13ba714

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
350B

MD5
045bc3b5a0cfc828badfb2ad1682ecb0

SHA1
176fb13ee62c78ddc84e6e87957e7e5664af2e57

SHA256
3f0a29f30e3cc35f1b9757fa8c341897f488b27fab026f4cd43ebb462058678d

SHA512
d90a92c567fb6d0ca5fcc4426e77c2dd0c5966a6c6bd1b789b6cbb58ce94c5906888e3bd963322c4516338fa16c03dfd130605ffec9f5742a2bc0bfe7b2fa6f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
326B

MD5
b675c043219bb2485b85679624f90b7d

SHA1
8b91ac4553bfa4e9aa02e49fe779241ce5ffd16a

SHA256
68321ebfb35288f44469f6c1232d9816a32ce8e787820aa0e0f5a89a265eba03

SHA512
e8b944562f78221c9c609df93b4718169c045f4afdf49eaa9367b999e8a58c9213b7de06e1795ef9c996296429d913ef3b53d27655d4806cd6ad7b6d4fd1fcdb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
792fb8e4fcf6d2d7dee4a163a214efa9

SHA1
2d697f92f93b2dab01dde8bf9797d90477b5079d

SHA256
1c0aa39c65dc63bed32774d6bb955919defce3a90f1041b89f92b7cb52770f67

SHA512
f6b946977e19977e5e07b7796d1084c4392e13e71b8cd52ff4d772245127a67f6832fe52592ebe0e0c946dee1b2030d4ef8055e6ef8d094804603d3a8105edaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\LOG

Filesize
139B

MD5
8d02f461bd43705c4ef50b32133e0856

SHA1
a3068bba4e6af79805c092b977c363e4a4438ac8

SHA256
0aef3924838ae3824cfc3fea76ecb13db7a3359cd34c77780db060cdf3a124d8

SHA512
59ef0e0e50c65153945b41158858aa6ef60bd554b98883f3226d8191d7fd720d0b0584c5a0c9793da29a274ae386c6389dc4ba39dbe1ee52aa7635887c335daf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\MANIFEST-000004

Filesize
50B

MD5
031d6d1e28fe41a9bdcbd8a21da92df1

SHA1
38cee81cb035a60a23d6e045e5d72116f2a58683

SHA256
b51bc53f3c43a5b800a723623c4e56a836367d6e2787c57d71184df5d24151da

SHA512
e994cd3a8ee3e3cf6304c33df5b7d6cc8207e0c08d568925afa9d46d42f6f1a5bdd7261f0fd1fcdf4df1a173ef4e159ee1de8125e54efee488a1220ce85af904

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
44KB

MD5
0706f95f5bffd43408824421f6733e9f

SHA1
66b397d78baf0a1476ebee9ead9d874bb0e78105

SHA256
aa8b4d7405c70c4a0c94f2a42e8677a515c3d04e156cc03a4082f2c3b95b4e11

SHA512
96ad74a7d50491c5905c49d9c499f95aeca73bf1e69a8f60c20dc86993d87b8fa1c9f3c0c63f4f07d2fe39b2108d2bab4eee7c22cae483ee1c9fb158cccf579e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log

Filesize
156B

MD5
939be582c7e9e106ab0be0137eb68dd8

SHA1
4f6b7f2c533b19a6e3da2d49093265005b684926

SHA256
f18497fe1e75aaeedb2309de11bbec4d466de79c00569aea97b029ac7d6cb15d

SHA512
9b06df90a1064d394f2c4dd4f05fcee530e596afb8bbba69ab6fc7ac8be42d06ec25c26854ac5279db191194dc24d13cb212c990881ca72743b3738e2b82150a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
319B

MD5
baf5a79951559c2a57d7d919f27c90f0

SHA1
5193fee5136d04009efa0342511d4a00fcbed74d

SHA256
e7232608d5b436ee5790c05a4f111f1aadc91e7827517acf547034851718deb3

SHA512
356218ab9bdd481039ac0cac4bd6b0bdb35361cf24ff996d0a06edf32aea88cbd93b41667f95938d06baf3b0127cc8f7dca70f19501dbcdcfe5df70487e94d98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
565B

MD5
5672110a44da68eb4b590a4c2ea928f6

SHA1
44807cd12a47286e4b4de89caf629de01528f340

SHA256
1d65c8fe2c1e4f1a3314c20b772773ee131f7948f8856610a70c9e682228e356

SHA512
e0b7f1a328c4bedd0d74f8c7359306af7a58eae9f165e259a3f2f5ce778ae3f42630887b0524535a1b3fb521db5c4dacfd64a283238f41467dedf2c8bc836fda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
337B

MD5
30a0d8b16d9c3b32b8880f9e95e5605b

SHA1
e0aac3a4b1cd8d73b1b8f00013d0f17a795a2c5d

SHA256
7828de7072ddc5a6c72738ae639e3ee8d1b6150878ffe8eb58a8fe51c0ff4fa7

SHA512
9ccf377c873c2d458a76f10b10a800b122d4cd54ea2cbd0f7b1b5ce0b556a64de5c87c15a9f400ab6b25ccb2233f9b83d9307ad3ee03b96a5370e6ae7f298866

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

Filesize
44KB

MD5
512b6b822eaaad7f06c0458ec1ad8ee2

SHA1
24989cf7f3ff04b492effa484ac685e283e8d043

SHA256
a0e65869b2fecc74ba314a6ada47284711e488d60a23f0406db9873103b9c1ad

SHA512
2afafd3cda57fd012d462f1a4769c24d3d9952f5b05fb06382190065b2ea2ae2dcf7ecaa0d12bb629aa9f01c487578771dbbd69e24d1df4a07d4c16cf474a7d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
3744daed6a2f83fb779190a13b883830

SHA1
a7ed50570de75efcf6824ae6c7bcb5f7925a50ca

SHA256
03aad93b1e4bbd15becc91520cc93516f701b4096013b794073de2d61965d721

SHA512
3b32f5d2cb9f42aa7f647b52406719eada011185693aaa59496f6909defff1b766bc0f67f57f9ab65354d81ae0a88febdf3f1a962f1c56282c74a00586ce5b90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3

Filesize
4.0MB

MD5
906bbb84d4398ad4b350015c7b55460f

SHA1
836827431642753f3629033c1742fa1a681f4163

SHA256
e261a87c543b04c97661e98abfb4b436cbee20a1ea8f3e89a489b7fa9482fc20

SHA512
49ed5ff345e56f524f3411811e0b1f6428244e51d858758c9ca1987d9b9ec36cd6970c7cf9ca5404bbc02be32047035c893c64c15dcef7d23837569216969405

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Browser

Filesize
120B

MD5
a397e5983d4a1619e36143b4d804b870

SHA1
aa135a8cc2469cfd1ef2d7955f027d95be5dfbd4

SHA256
9c70f766d3b84fc2bb298efa37cc9191f28bec336329cc11468cfadbc3b137f4

SHA512
4159ea654152d2810c95648694dd71957c84ea825fcca87b36f7e3282a72b30ef741805c610c5fa847ca186e34bde9c289aaa7b6931c5b257f1d11255cd2a816

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7621151c55383f26e061c80279d0eddb

SHA1
3add4455bb9f8e7835f37be6fcd7ca5973798758

SHA256
502f26299cbe8f08bee3ba9d8a0a6539a0013db221b40c07cae5f833a348fc9e

SHA512
f27edbad590e57ee5951feaec2d40f46188e9feca7a52a6ae86aaf4e97194406fb4f258c6fcc3100810a07fe6a14865f4644a5453df07aee6a2d7b232ecff0e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
77efd5f4c185a1bebfcd50c29eb15e0d

SHA1
436f70cc5927e478b36414fa8bc918787efcef57

SHA256
9c1bd81657dd4e0b87aa7f266a6be8377a47ef29a3234074af51c62f57e85a38

SHA512
6464bed72be2a9d3f54d1063d97cb5142df95c322597ad400231056c1f0614b4958bff02b9e4542f6d8df84535fb82c8d23e824c4e67a7cd78bbf0caa675fdc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt

Filesize
4B

MD5
6dbaa0c3f46296acbf0caa72ba791f28

SHA1
b28d157abb4811621c7cbf8459af9c892fca4abc

SHA256
3929c7583e7038908e39e26983cfb09addaecd78622ca886479b67e33355e0df

SHA512
55709c389610af8927cbceaf89a9a2a6431f68d5005093e4cf2f177d9b7e79f18e68c64a02088b0d4ae056417e8722d6a1f87f2db439c6141af5307977800e86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres

Filesize
4KB

MD5
16feabb0cd83a29d03ea420fa4bda322

SHA1
12919b206a6aa8817c34d8f1fa621e96d7288454

SHA256
2921fc6bace1d23e11270b7c68e6315e22aefd4d335423306580d058fe53af63

SHA512
44f4f5fce6f288fcd9e725d03e3b473f21a4ec41f2c5ac0a51844e341c58fb5a3a507dbbcb2b54832f664915e2af0307baa2432487a9b140e53f58ac4cc68f75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
30d90d0c82f8a68e52676b619015d028

SHA1
ede19ef729e07a6dd52c981e5a20e72bf93a87e6

SHA256
1faa1a0b47edfc173dfd9ebc717a17e87893d184b6e1d93923f83c773414de11

SHA512
0f8f0f77774a1b3d14437bd1baa6c69281b3c986184ccd7e15bcd93809a8ddcc7db1bab9ba541f88158289c525dd1f52d7e6db19f861aa46c5527c4e37e4aff8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
af379e7246200f146cc67db8a4f3eaae

SHA1
d22d7bfb6202578ff1477b00260a780cc03ac6ab

SHA256
345c78a97732effcf823de3d5d99198defbf63a6e5f77497fbe1de2622bbf109

SHA512
26636fd7939222bc5e9e8502fb275c9635b03137321288b812b63c669d3491d84c99a72712013d9fd3f11f21fc32a9e392ffff793f1b171c6a8a57d348720868

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qicpfrvl.sbq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\SolaraX.exe

Filesize
82KB

MD5
b201ce5dcb58284da7a5ef6294418e56

SHA1
27573051f80debfd74e1a72d27cfd29f58c76d7e

SHA256
188d525daed5c014ea5ae62a1fd1841d783693e41712ea58b9906cda2b60dbed

SHA512
f282f9efa40ce5e753faf803079af9aae478711e6e2f3dcf09c744ae3e670c6ef0cb18b62c8e57ba825faef8c396dd481768ef0680681d4b1b80ad1c3433f11c

Download Submit
memory/2932-12-0x00007FFB23190000-0x00007FFB23C51000-memory.dmp

Filesize
10.8MB

Download
memory/2932-13-0x00007FFB23190000-0x00007FFB23C51000-memory.dmp

Filesize
10.8MB

Download
memory/2932-14-0x00007FFB23190000-0x00007FFB23C51000-memory.dmp

Filesize
10.8MB

Download
memory/2932-17-0x00007FFB23190000-0x00007FFB23C51000-memory.dmp

Filesize
10.8MB

Download
memory/2932-2-0x000001D5EB800000-0x000001D5EB822000-memory.dmp

Filesize
136KB

Download
memory/3156-57-0x00007FFB23193000-0x00007FFB23195000-memory.dmp

Filesize
8KB

Download
memory/3156-58-0x00007FFB23190000-0x00007FFB23C51000-memory.dmp

Filesize
10.8MB

Download
memory/3156-56-0x00007FFB23190000-0x00007FFB23C51000-memory.dmp

Filesize
10.8MB

Download
memory/3156-0-0x00007FFB23193000-0x00007FFB23195000-memory.dmp

Filesize
8KB

Download
memory/3156-1-0x00000000007C0000-0x00000000007DA000-memory.dmp

Filesize
104KB

Download