Overview

overview

10

Static

static

10

X.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    1049s
  • max time network
    1050s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/03/2025, 21:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    X.exe

  • Size

    82KB

  • MD5

    b201ce5dcb58284da7a5ef6294418e56

  • SHA1

    27573051f80debfd74e1a72d27cfd29f58c76d7e

  • SHA256

    188d525daed5c014ea5ae62a1fd1841d783693e41712ea58b9906cda2b60dbed

  • SHA512

    f282f9efa40ce5e753faf803079af9aae478711e6e2f3dcf09c744ae3e670c6ef0cb18b62c8e57ba825faef8c396dd481768ef0680681d4b1b80ad1c3433f11c

  • SSDEEP

    1536:D2wgD0/WhgBpRCn3wtSD+bQ6QqTMj34Al6G4tIzOasNnP6UO:ywkeWQCn1+bQdjrytuOa6Sz

Score
10/10
xwormdiscoveryexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:36623

fax-scenarios.gl.at.ply.gg:36623
Attributes
  • Install_directory

    %AppData%

  • install_file

    SolaraX.exe

Signatures

  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 18 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 44 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 26 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\X.exe
    "C:\Users\Admin\AppData\Local\Temp\X.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1604
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\X.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2000
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'X.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3224
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\SolaraX.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4984
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SolaraX.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1524
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SolaraX" /tr "C:\Users\Admin\AppData\Roaming\SolaraX.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:4152
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://roblox.com/
      2⤵
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2004
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcc6bb46f8,0x7ffcc6bb4708,0x7ffcc6bb4718
        3⤵
          PID:3692
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,16384698466634848635,14869669700163084085,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
          3⤵
            PID:4180
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,16384698466634848635,14869669700163084085,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:1392
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,16384698466634848635,14869669700163084085,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2916 /prefetch:8
            3⤵
              PID:3124
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16384698466634848635,14869669700163084085,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
              3⤵
                PID:684
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16384698466634848635,14869669700163084085,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
                3⤵
                  PID:2816
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16384698466634848635,14869669700163084085,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:1
                  3⤵
                    PID:1692
                  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,16384698466634848635,14869669700163084085,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5256 /prefetch:8
                    3⤵
                      PID:3608
                    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,16384698466634848635,14869669700163084085,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5256 /prefetch:8
                      3⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:1768
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16384698466634848635,14869669700163084085,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3904 /prefetch:1
                      3⤵
                        PID:1272
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16384698466634848635,14869669700163084085,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:1
                        3⤵
                          PID:2872
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16384698466634848635,14869669700163084085,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3496 /prefetch:1
                          3⤵
                            PID:448
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16384698466634848635,14869669700163084085,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1
                            3⤵
                              PID:3016
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16384698466634848635,14869669700163084085,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1
                              3⤵
                                PID:4660
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16384698466634848635,14869669700163084085,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1
                                3⤵
                                  PID:4756
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,16384698466634848635,14869669700163084085,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5844 /prefetch:2
                                  3⤵
                                  • Suspicious behavior: EnumeratesProcesses
                                  PID:744
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://gmail.com/
                                2⤵
                                  PID:2304
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcc6bb46f8,0x7ffcc6bb4708,0x7ffcc6bb4718
                                    3⤵
                                      PID:800
                                • C:\Users\Admin\AppData\Roaming\SolaraX.exe
                                  C:\Users\Admin\AppData\Roaming\SolaraX.exe
                                  1⤵
                                  • Executes dropped EXE
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:60
                                • C:\Users\Admin\AppData\Roaming\SolaraX.exe
                                  C:\Users\Admin\AppData\Roaming\SolaraX.exe
                                  1⤵
                                  • Executes dropped EXE
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:452
                                • C:\Users\Admin\AppData\Roaming\SolaraX.exe
                                  C:\Users\Admin\AppData\Roaming\SolaraX.exe
                                  1⤵
                                  • Executes dropped EXE
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:376
                                • C:\Users\Admin\AppData\Roaming\SolaraX.exe
                                  C:\Users\Admin\AppData\Roaming\SolaraX.exe
                                  1⤵
                                  • Executes dropped EXE
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:4020
                                • C:\Users\Admin\AppData\Roaming\SolaraX.exe
                                  C:\Users\Admin\AppData\Roaming\SolaraX.exe
                                  1⤵
                                  • Executes dropped EXE
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:2572
                                • C:\Users\Admin\AppData\Roaming\SolaraX.exe
                                  C:\Users\Admin\AppData\Roaming\SolaraX.exe
                                  1⤵
                                  • Executes dropped EXE
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:396
                                • C:\Users\Admin\AppData\Roaming\SolaraX.exe
                                  C:\Users\Admin\AppData\Roaming\SolaraX.exe
                                  1⤵
                                  • Executes dropped EXE
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:4796
                                • C:\Users\Admin\AppData\Roaming\SolaraX.exe
                                  C:\Users\Admin\AppData\Roaming\SolaraX.exe
                                  1⤵
                                  • Executes dropped EXE
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:3272
                                • C:\Windows\system32\AUDIODG.EXE
                                  C:\Windows\system32\AUDIODG.EXE 0x464 0x2f8
                                  1⤵
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:3540
                                • C:\Users\Admin\AppData\Roaming\SolaraX.exe
                                  C:\Users\Admin\AppData\Roaming\SolaraX.exe
                                  1⤵
                                  • Executes dropped EXE
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:2140
                                • C:\Users\Admin\AppData\Roaming\SolaraX.exe
                                  C:\Users\Admin\AppData\Roaming\SolaraX.exe
                                  1⤵
                                  • Executes dropped EXE
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:1964
                                • C:\Users\Admin\AppData\Roaming\SolaraX.exe
                                  C:\Users\Admin\AppData\Roaming\SolaraX.exe
                                  1⤵
                                  • Executes dropped EXE
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:4308
                                • C:\Users\Admin\AppData\Roaming\SolaraX.exe
                                  C:\Users\Admin\AppData\Roaming\SolaraX.exe
                                  1⤵
                                  • Executes dropped EXE
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:2552
                                • C:\Windows\System32\CompPkgSrv.exe
                                  C:\Windows\System32\CompPkgSrv.exe -Embedding
                                  1⤵
                                    PID:4064
                                  • C:\Windows\System32\CompPkgSrv.exe
                                    C:\Windows\System32\CompPkgSrv.exe -Embedding
                                    1⤵
                                      PID:4996
                                    • C:\Users\Admin\AppData\Roaming\SolaraX.exe
                                      C:\Users\Admin\AppData\Roaming\SolaraX.exe
                                      1⤵
                                      • Executes dropped EXE
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:556
                                    • C:\Users\Admin\AppData\Roaming\SolaraX.exe
                                      C:\Users\Admin\AppData\Roaming\SolaraX.exe
                                      1⤵
                                      • Executes dropped EXE
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:3688
                                    • C:\Users\Admin\AppData\Roaming\SolaraX.exe
                                      C:\Users\Admin\AppData\Roaming\SolaraX.exe
                                      1⤵
                                      • Executes dropped EXE
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:1272
                                    • C:\Users\Admin\AppData\Roaming\SolaraX.exe
                                      C:\Users\Admin\AppData\Roaming\SolaraX.exe
                                      1⤵
                                      • Executes dropped EXE
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:2292
                                    • C:\Users\Admin\AppData\Roaming\SolaraX.exe
                                      C:\Users\Admin\AppData\Roaming\SolaraX.exe
                                      1⤵
                                      • Executes dropped EXE
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:1232
                                    • C:\Users\Admin\AppData\Roaming\SolaraX.exe
                                      C:\Users\Admin\AppData\Roaming\SolaraX.exe
                                      1⤵
                                      • Executes dropped EXE
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:4132

                                    Network

                                    MITRE ATT&CK Enterprise v15

                                    Replay Monitor

                                    Loading Replay Monitor...

                                    Downloads

                                    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SolaraX.exe.log
                                      Filesize

                                      654B

                                      MD5

                                      2ff39f6c7249774be85fd60a8f9a245e

                                      SHA1

                                      684ff36b31aedc1e587c8496c02722c6698c1c4e

                                      SHA256

                                      e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

                                      SHA512

                                      1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                      Filesize

                                      2KB

                                      MD5

                                      d85ba6ff808d9e5444a4b369f5bc2730

                                      SHA1

                                      31aa9d96590fff6981b315e0b391b575e4c0804a

                                      SHA256

                                      84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                      SHA512

                                      8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                      Filesize

                                      152B

                                      MD5

                                      56361f50f0ee63ef0ea7c91d0c8b847a

                                      SHA1

                                      35227c31259df7a652efb6486b2251c4ee4b43fc

                                      SHA256

                                      7660beecfee70d695225795558f521c3fb2b01571c224b373d202760b02055c0

                                      SHA512

                                      94582035220d2a78dfea9dd3377bec3f4a1a1c82255b3b74f4e313f56eb2f7b089e36af9fceea9aa83b7c81432622c3c7f900008a1bdb6b1cd12c4073ae4b8a2

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                      Filesize

                                      152B

                                      MD5

                                      0621e31d12b6e16ab28de3e74462a4ce

                                      SHA1

                                      0af6f056aff6edbbc961676656d8045cbe1be12b

                                      SHA256

                                      1fd3365fdb49f26471ce9e348ce54c9bc7b66230118302b32074029d88fb6030

                                      SHA512

                                      bf0aa5b97023e19013d01abd3387d074cdd5b57f98ec4b0241058b39f9255a7bbab296dce8617f3368601a3d751a6a66dc207d8dd3fc1cba9cac5f98e3127f6f

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
                                      Filesize

                                      2KB

                                      MD5

                                      4e81e799b0e624481a7d267e9031ab20

                                      SHA1

                                      9d6036191ed68a102682e1921c040fd7afa49656

                                      SHA256

                                      379cff777bb591af8a9575ae82c9379d0404271988e6a96e4cecf371db8145c1

                                      SHA512

                                      6e132dcd15c3e6eb9f633d81d8630fc9a2c98e573e34ac4675d74f40fc0dcc55bcd88397d30c378c15db7bbf0dcb25b527ead6e490475690858b802086d2651b

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                                      Filesize

                                      111B

                                      MD5

                                      285252a2f6327d41eab203dc2f402c67

                                      SHA1

                                      acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

                                      SHA256

                                      5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

                                      SHA512

                                      11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                                      Filesize

                                      1KB

                                      MD5

                                      c5bb6bd57e45ee7a58b43fa1ef9db164

                                      SHA1

                                      6a7f78a38a747a6d40ffb968c2b9ebb1e8ad75fc

                                      SHA256

                                      deb7125229e448ba5107860af13af3e2d8d65677c106d3012342d38bbb40938b

                                      SHA512

                                      3fc39f014f70e8462e548d37793ebf28164be16e19566af676e89c64090d0cda691867116baad856032231752ab0da900bd0f5cb0420aa35c7a56a6cb17f7526

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                                      Filesize

                                      1KB

                                      MD5

                                      0f20806abaa47b8f4d638c5cb9fefed1

                                      SHA1

                                      ea640e289e43e540d23240430ef1f040a50ea967

                                      SHA256

                                      921f88bba52bfdff2df15837e59a76bbebb73afc1a42559b39b52e2c36bb4f12

                                      SHA512

                                      427070a140276a4ec3549076dc27523c3df83429afe3d3ec54ff42bb690b63751df42ba1e7a97e54122d7ed23acf4a987c3d75e9dc31040e8cb0740c68690715

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                      Filesize

                                      5KB

                                      MD5

                                      1a5de438a4f57de316da6a3e963c0816

                                      SHA1

                                      ae6c5a5c659cc9c3d0ca1bb4aeb433ac3bb37da0

                                      SHA256

                                      00cf4d30fd1da37fd3cd18e289bd5ed90931120f1957019e647f4b5d395397b6

                                      SHA512

                                      58d024d2c2b34f831ac22ecb62c83a1597ed2521dc0ce18b719c922c52e824a566bc7d51fbc247aa03b180f0099b6d56c0f096a3fc6f349204c6b254a7511109

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                      Filesize

                                      7KB

                                      MD5

                                      114da867912df626ce8a2744becd14f5

                                      SHA1

                                      95ed6399c72ca5275c2c387d1c9a7478f60c403b

                                      SHA256

                                      1ce5f3eba34330f86105588d75af2359addf0d4879fc2be53b554555bd07cc09

                                      SHA512

                                      50526b66ab3c88cfbeff4aac6c920df310b2c0147002f9eb114aaa9535c947329a6ccb58f498edbe00f426a2360d97e851788e7546c10fec0aafee7755eb1447

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                      Filesize

                                      6KB

                                      MD5

                                      421ae6f23ef53e439a62804b354e3ad0

                                      SHA1

                                      b9ac691c0f04b629595629adbe853a5d18acfd74

                                      SHA256

                                      4b3b35396330cb77e10209b579c2ee66531e207a8ad37e4c8f4ba7f1c318c78c

                                      SHA512

                                      4b30042cf9ad7b53c770728a3b8eaa810540bffa220f2cafb71997dec24d4891837e61c8c307020721d58f6884fe4a74e2c29e7f6eeced882a02317c0e6a3087

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
                                      Filesize

                                      1KB

                                      MD5

                                      eb74a71f1810fadd5a1e7fa763996d67

                                      SHA1

                                      cf5fcb03e7b515070c0b4afbe951af4fab21404a

                                      SHA256

                                      07341d945c3b86888d6ced97fdfc7907f841e013faffea62e60b3cf2c0ab3a58

                                      SHA512

                                      2d3ffa41847f43c2f6375ac3033d9b966c64b7ee41e5c28f15b743f1f4f26e5e610b6aa4ca26b68dd949d657b3eaef73f5ab6396a4950f40d98b4efccdb28d81

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
                                      Filesize

                                      1KB

                                      MD5

                                      f2fa3483d9829192fd98a58dc436e588

                                      SHA1

                                      f204f7a6c1a7df2165b29f06f51c53b94229e2d0

                                      SHA256

                                      f586a03a3c4790c025706d4318523af6e78783bbcbb4553d5b31c47d7b4983d9

                                      SHA512

                                      bfb6a0d81e771260d9ea320adb6ae718fd23ddb70cf5ca9c422c6ce891b689a1cbfdf794a8827e05277165acd7b35c57fcbf49a2d7a76b868655707cd51c5e01

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
                                      Filesize

                                      1KB

                                      MD5

                                      82ed432ed0f27407163c4d563740f0ab

                                      SHA1

                                      98f8f15e536e77dc28b6af6bc0812bc7cab2485a

                                      SHA256

                                      126bea66d90b15137b72551cdbe351a25d04ac29ec2ab10e79e1193599b2cab8

                                      SHA512

                                      d2e0a7f8391a6d75330027e790fc0263dba7400a8e16dcf99c015fa0973677011175179cdb2028356cd0d1012405d13ad1d089d26ec47280a24be6c251db556d

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe62a88f.TMP
                                      Filesize

                                      1KB

                                      MD5

                                      3a3e528aa75fd8178bf6a6ce94929eed

                                      SHA1

                                      c931142645932419f838068e35878d9f4c12a131

                                      SHA256

                                      3f4a2daccdf6715b8a6d81d5b5721a978bce05ce5e40b22361f4e5e102a37cd9

                                      SHA512

                                      ab341d0d0593f0e03a56e83e5f4f87dd53e9f51cdc6523fd553ca31cbcac6800632c66e0df42685ad3ee2a83f2baa95358fbb89b4622447f21a5ad3ddf4d84f5

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                      Filesize

                                      16B

                                      MD5

                                      6752a1d65b201c13b62ea44016eb221f

                                      SHA1

                                      58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                      SHA256

                                      0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                      SHA512

                                      9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                      Filesize

                                      11KB

                                      MD5

                                      9254edc72686e85b6f427d81e99b64bc

                                      SHA1

                                      e10cfaec5344586d7095c1a1bbcde2d85daae214

                                      SHA256

                                      9dd870cef2f00d54a269e549ec6c209a399c3cc2e3313aa5fa2e632064d8f53a

                                      SHA512

                                      e01aeaa2895d0e85429b8944a9fd4d8de977f0612cd5ec7d33ea618eda4f2225d6731d4ef61a2bbeb2ae9ab785468eaec3d13f771c66c59ee5224926a1ad242c

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                      Filesize

                                      944B

                                      MD5

                                      3a6bad9528f8e23fb5c77fbd81fa28e8

                                      SHA1

                                      f127317c3bc6407f536c0f0600dcbcf1aabfba36

                                      SHA256

                                      986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

                                      SHA512

                                      846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                      Filesize

                                      944B

                                      MD5

                                      d66078cfc91eb0328389f2a488ad735e

                                      SHA1

                                      c532c251856d3220593e975fc9bac92bcb54e33a

                                      SHA256

                                      d03d6d2b24b2011d0a12b9956eaa7a1180b92e2243834f37424efad928ef54bc

                                      SHA512

                                      372dfc58d94ab8343f599175b0dc645b4fd7b9eadd36480ca78fc8c745198a0fc80b35bd040c52096fc53654c4815b93745ef515c1cf11bd8d821eb910c69cea

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                      Filesize

                                      944B

                                      MD5

                                      b51dc9e5ec3c97f72b4ca9488bbb4462

                                      SHA1

                                      5c1e8c0b728cd124edcacefb399bbd5e25b21bd3

                                      SHA256

                                      976f9534aa2976c85c2455bdde786a3f55d63aefdd40942eba1223c4c93590db

                                      SHA512

                                      0e5aa6cf64c535aefb833e5757b68e1094c87424abe2615a7d7d26b1b31eff358d12e36e75ca57fd690a9919b776600bf4c5c0e5a5df55366ba62238bdf3f280

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tk2yjl5p.0v3.ps1
                                      Filesize

                                      60B

                                      MD5

                                      d17fe0a3f47be24a6453e9ef58c94641

                                      SHA1

                                      6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                      SHA256

                                      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                      SHA512

                                      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Temp\tmp370C.tmp
                                      Filesize

                                      100KB

                                      MD5

                                      1b942faa8e8b1008a8c3c1004ba57349

                                      SHA1

                                      cd99977f6c1819b12b33240b784ca816dfe2cb91

                                      SHA256

                                      555ccb7ecd9ae52a75135fdd81ab443a49d5785b0621ed6468d28c4234e46ccc

                                      SHA512

                                      5aee3d59478d41ddd5885c99b394c9c4983064e2b3528db1a3f7fc289662bced4f57d072517bbe7573c6d1789435e987ef1aa9cc91f372bcfd30bc016675fa43

                                      Download Submit

                                    • C:\Users\Admin\AppData\Roaming\SolaraX.exe
                                      Filesize

                                      82KB

                                      MD5

                                      b201ce5dcb58284da7a5ef6294418e56

                                      SHA1

                                      27573051f80debfd74e1a72d27cfd29f58c76d7e

                                      SHA256

                                      188d525daed5c014ea5ae62a1fd1841d783693e41712ea58b9906cda2b60dbed

                                      SHA512

                                      f282f9efa40ce5e753faf803079af9aae478711e6e2f3dcf09c744ae3e670c6ef0cb18b62c8e57ba825faef8c396dd481768ef0680681d4b1b80ad1c3433f11c

                                      Download Submit

                                    • memory/1604-0-0x00007FFCCAC53000-0x00007FFCCAC55000-memory.dmp

                                      Filesize

                                      8KB

                                      Download

                                    • memory/1604-77-0x000000001CFE0000-0x000000001D06E000-memory.dmp

                                      Filesize

                                      568KB

                                      Download

                                    • memory/1604-57-0x00007FFCCAC53000-0x00007FFCCAC55000-memory.dmp

                                      Filesize

                                      8KB

                                      Download

                                    • memory/1604-56-0x00007FFCCAC50000-0x00007FFCCB711000-memory.dmp

                                      Filesize

                                      10.8MB

                                      Download

                                    • memory/1604-67-0x0000000000A40000-0x0000000000A4C000-memory.dmp

                                      Filesize

                                      48KB

                                      Download

                                    • memory/1604-78-0x0000000000D20000-0x0000000000D2E000-memory.dmp

                                      Filesize

                                      56KB

                                      Download

                                    • memory/1604-1-0x00000000003F0000-0x000000000040A000-memory.dmp

                                      Filesize

                                      104KB

                                      Download

                                    • memory/1604-71-0x000000001B750000-0x000000001B78A000-memory.dmp

                                      Filesize

                                      232KB

                                      Download

                                    • memory/1604-58-0x00007FFCCAC50000-0x00007FFCCB711000-memory.dmp

                                      Filesize

                                      10.8MB

                                      Download

                                    • memory/2000-2-0x000001A669DC0000-0x000001A669DE2000-memory.dmp

                                      Filesize

                                      136KB

                                      Download

                                    • memory/2000-12-0x00007FFCCAC50000-0x00007FFCCB711000-memory.dmp

                                      Filesize

                                      10.8MB

                                      Download

                                    • memory/2000-13-0x00007FFCCAC50000-0x00007FFCCB711000-memory.dmp

                                      Filesize

                                      10.8MB

                                      Download

                                    • memory/2000-17-0x00007FFCCAC50000-0x00007FFCCB711000-memory.dmp

                                      Filesize

                                      10.8MB

                                      Download

                                    • memory/2000-14-0x00007FFCCAC50000-0x00007FFCCB711000-memory.dmp

                                      Filesize

                                      10.8MB

                                      Download