Analysis

  • max time kernel
    144s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17-11-2024 12:38

General

  • Target

    Dek Store.exe

  • Size

    4.0MB

  • MD5

    0e24307ddf87b25a3ca7c5301a393633

  • SHA1

    ec28111e105e95f3835f797d7b88b9ffa3f77683

  • SHA256

    78644ac0e1fd8d30748e8980d15a0db7dfcd783e5b7b6f72b71d707d1799e1d9

  • SHA512

    ae032bc7b20914d52deda07fbc50b593605863ebfb92a62c79cb6ea1efc92c14bb42f8abffc69404aca1f0b6dbf4579ab23d0e36189d371929faa7082be2e52b

  • SSDEEP

    98304:pUZUZBlLQ8OLqmRdmgcmqPkGAnSG6qn4HoLVvrW1f:pjHQ8H0mgcRkGpG6wlr8

Malware Config

Extracted

Family

xworm

C2

185.84.160.238:7000

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe
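The extracted configuration gives the C2 endpoint and the install location, and the Downloads section below gives the hashes of what actually lands on disk: the 73 KB XClient.exe payload and a 3.9 MB copy of Dek Store.exe whose hash differs from the 4.0 MB submitted file, so the two are worth tracking as separate IOCs. The script below is an added example, not sandbox output: it turns those values into a matcher over endpoint and network telemetry, expanding %AppData% into a pattern that matches any user profile (the process tree shows C:\Users\Admin\..., but that user name is specific to the sandbox) and grading hits by confidence. The telemetry records, the user names, the 198.51.100.7 address and the confidence labels are constructed for the example.

```python
"""Match the XWorm configuration and dropped-file hashes from this report against telemetry.
Added example, not sandbox output. IOC values are copied from the Malware Config and
Downloads sections; the telemetry records, user names and confidence labels are constructed."""
import re

# --- IOCs from the report ---------------------------------------------------
C2_IP, C2_PORT = "185.84.160.238", 7000
INSTALL_DIR, INSTALL_FILE = "%AppData%", "XClient.exe"
KNOWN_SHA256 = {
    "78644ac0e1fd8d30748e8980d15a0db7dfcd783e5b7b6f72b71d707d1799e1d9": "Dek Store.exe (submitted sample)",
    "122e3cb0f2ad233d1a364911d433667e7778f00d9a7d10b954c994f4e8093d1f": "Dek Store.exe (copy dropped to %AppData%)",
    "6fd492c927c9c204f24a0948170bb70a5720c19e355ba79213ee60e45b535382": "XClient.exe (XWorm payload)",
}

# The config names the install directory with an environment variable, which is
# per-user. Expand it to a pattern that matches any profile, not just the sandbox's.
ENV_TO_PATTERN = {
    "%appdata%": r"[a-z]:\\users\\[^\\]+\\appdata\\roaming",
    "%localappdata%": r"[a-z]:\\users\\[^\\]+\\appdata\\local",
    "%temp%": r"[a-z]:\\users\\[^\\]+\\appdata\\local\\temp",
    "%programdata%": r"[a-z]:\\programdata",
}


def install_path_regex(directory: str, filename: str) -> re.Pattern:
    """Build a case-insensitive-by-lowercasing regex for <directory>\<filename>."""
    base = ENV_TO_PATTERN.get(directory.lower()) or re.escape(directory.lower().rstrip("\\"))
    return re.compile(rf"^{base}\\{re.escape(filename.lower())}$")


INSTALL_PATH_RE = install_path_regex(INSTALL_DIR, INSTALL_FILE)


def match_event(ev: dict) -> list[tuple[str, str]]:
    """Return (confidence, reason) pairs for one telemetry record."""
    hits = []
    if ev["type"] == "net" and ev["dst_ip"] == C2_IP:
        if ev["dst_port"] == C2_PORT:
            hits.append(("high", f"connection to configured C2 {C2_IP}:{C2_PORT}"))
        else:  # same host, other port: could be shared hosting or a second C2 port
            hits.append(("medium", f"connection to C2 host {C2_IP} on port {ev['dst_port']}"))
    elif ev["type"] == "file":
        sha = ev.get("sha256", "").lower()
        if sha in KNOWN_SHA256:
            hits.append(("high", f"hash matches {KNOWN_SHA256[sha]}"))
        if INSTALL_PATH_RE.match(ev["path"].lower()):
            hits.append(("medium", f"written to the configured install path: {ev['path']}"))
    return hits


def scan(events: list[dict]) -> list[tuple[str, str, str]]:
    """Flatten hits to (event id, confidence, reason)."""
    return [(ev["id"], conf, why) for ev in events for conf, why in match_event(ev)]


# Constructed telemetry for the example (user names and the non-C2 address are made up).
SAMPLE_EVENTS = [
    {"id": "e1", "type": "net", "dst_ip": "185.84.160.238", "dst_port": 7000},
    {"id": "e2", "type": "net", "dst_ip": "185.84.160.238", "dst_port": 443},
    {"id": "e3", "type": "net", "dst_ip": "198.51.100.7", "dst_port": 443},
    {"id": "e4", "type": "file", "path": r"C:\Users\jsmith\AppData\Roaming\XClient.exe",
     "sha256": "6fd492c927c9c204f24a0948170bb70a5720c19e355ba79213ee60e45b535382"},
    # rebuilt XWorm client: unknown hash, but the default install name and location survive
    {"id": "e5", "type": "file", "path": r"D:\Users\maria\AppData\Roaming\XClient.exe", "sha256": "ab" * 32},
    {"id": "e6", "type": "file", "path": r"C:\Users\jsmith\Downloads\XClient.exe", "sha256": "cd" * 32},
    {"id": "e7", "type": "file", "path": r"C:\Users\jsmith\AppData\Roaming\Dek Store.exe",
     "sha256": "122e3cb0f2ad233d1a364911d433667e7778f00d9a7d10b954c994f4e8093d1f"},
]

if __name__ == "__main__":
    for eid, conf, why in scan(SAMPLE_EVENTS):
        print(f"{eid}  {conf:<6}  {why}")
```

A hash hit only catches this exact build; the path rule is what catches a rebuilt XClient.exe that keeps the default install name, which is why it fires even when the hash is unknown. Traffic to the C2 host on a port other than 7000 is reported at lower confidence because the address may be shared hosting.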

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Runs PowerShell (Add-MpPreference) to add Windows Defender exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Dek Store.exe
    "C:\Users\Admin\AppData\Local\Temp\Dek Store.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4484
    • C:\Users\Admin\AppData\Roaming\Dek Store.exe
      "C:\Users\Admin\AppData\Roaming\Dek Store.exe"
      2⤵
      • Executes dropped EXE
      PID:4124
    • C:\Users\Admin\AppData\Roaming\XClient.exe
      "C:\Users\Admin\AppData\Roaming\XClient.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:224
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1656
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1428
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4884
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4392
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:708
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://m.ea88.win/
        3⤵
        • Enumerates system info in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:3844
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffeab5446f8,0x7ffeab544708,0x7ffeab544718
          4⤵
          PID:2868
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,5466237170083826910,6599795545358055320,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
          4⤵
          PID:3128
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,5466237170083826910,6599795545358055320,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 /prefetch:3
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:3440
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,5466237170083826910,6599795545358055320,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2800 /prefetch:8
          4⤵
          PID:4588
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5466237170083826910,6599795545358055320,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
          4⤵
          PID:3436
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5466237170083826910,6599795545358055320,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
          4⤵
          PID:1272
        • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,5466237170083826910,6599795545358055320,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5648 /prefetch:8
          4⤵
          PID:3560
        • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,5466237170083826910,6599795545358055320,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5648 /prefetch:8
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:4652
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5466237170083826910,6599795545358055320,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1
          4⤵
          PID:4236
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5466237170083826910,6599795545358055320,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1
          4⤵
          PID:4728
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5466237170083826910,6599795545358055320,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
          4⤵
          PID:3388
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5466237170083826910,6599795545358055320,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
          4⤵
          PID:4296
  • C:\Users\Admin\AppData\Roaming\XClient.exe
    C:\Users\Admin\AppData\Roaming\XClient.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:780
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:1228
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:4504
  • C:\Users\Admin\AppData\Roaming\XClient.exe
    C:\Users\Admin\AppData\Roaming\XClient.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3908
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x338 0x254
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4180
  • C:\Users\Admin\AppData\Roaming\XClient.exe
    C:\Users\Admin\AppData\Roaming\XClient.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:628
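Read top-down, the tree shows the payload (PID 224) doing its own defence evasion and persistence before anything else: two Add-MpPreference calls exclude the payload's path and process name from Defender, then schtasks /create registers a task named XClient that re-launches the binary every minute with /RL HIGHEST; the later root-level XClient.exe instances (PIDs 780, 3908, 628) have no parent in the tree, which is consistent with that task firing. The script below is an added example, not sandbox output: it restates the PowerShell and Scheduled Task signatures as rules over Sysmon/EDR process-creation events. SAMPLE_EVENTS is built from the command lines above; the parent of the root process and the benign control event (PID 9999) are assumptions of the example, and the ATT&CK IDs are the Enterprise technique numbers for these behaviours (T1562.001 Impair Defenses, T1053.005 Scheduled Task, T1059.001 PowerShell).

```python
"""Behavioural rules over process-creation events for the XWorm chain in this report.
Added example, not sandbox output: SAMPLE_EVENTS is built from the command lines in
the process tree; the root process's parent and the final benign event are assumed."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    parent_image: str
    image: str
    cmdline: str


@dataclass
class Finding:
    pid: int
    rule: str
    technique: str  # ATT&CK Enterprise technique ID
    detail: str


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SCHTASKS = r"C:\Windows\System32\schtasks.exe"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\Dek Store.exe"
XCLIENT = r"C:\Users\Admin\AppData\Roaming\XClient.exe"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

SAMPLE_EVENTS = [
    ProcEvent(4484, r"C:\Windows\explorer.exe", DROPPER, f'"{DROPPER}"'),  # parent assumed
    ProcEvent(224, DROPPER, XCLIENT, f'"{XCLIENT}"'),
    ProcEvent(1656, XCLIENT, PS, f"\"{PS}\" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath '{XCLIENT}'"),
    ProcEvent(1428, XCLIENT, PS, f"\"{PS}\" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'"),
    ProcEvent(708, XCLIENT, SCHTASKS, f'"{SCHTASKS}" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "{XCLIENT}"'),
    ProcEvent(3844, XCLIENT, EDGE, f'"{EDGE}" --single-argument https://m.ea88.win/'),
    ProcEvent(9999, r"C:\Windows\explorer.exe", PS, f'"{PS}" Get-MpPreference'),  # constructed benign control
]

_TOKEN_RE = re.compile(r'''"[^"]*"|'[^']*'|\S+''')
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Public|ProgramData)\\", re.I)
INTERPRETERS = {"powershell.exe": "T1059.001", "pwsh.exe": "T1059.001", "cmd.exe": "T1059.003"}


def tokenize(cmdline: str) -> list[str]:
    """Split on whitespace, keeping "..." and '...' spans whole and dropping the quotes."""
    return [t.strip("\"'") for t in _TOKEN_RE.findall(cmdline)]


def rule_defender_exclusion(ev: ProcEvent):
    """Add-/Set-MpPreference with any -Exclusion* parameter. An -EncodedCommand payload
    must be base64-decoded before this rule can see the cmdlet."""
    toks = tokenize(ev.cmdline)
    low = [t.lower() for t in toks]
    if not {"add-mppreference", "set-mppreference"} & set(low):
        return None
    for i, t in enumerate(low):
        # PowerShell resolves unambiguous prefixes (-ExclusionPa), so match on the prefix.
        if t.startswith("-exclusion") and i + 1 < len(toks):
            return Finding(ev.pid, "defender_exclusion_added", "T1562.001", f"{toks[i]} {toks[i + 1]}")
    return None


def parse_slash_options(toks: list[str]) -> dict[str, str]:
    """Collect schtasks-style /flag [value] pairs; keys lower-cased, value-less flags map to ''."""
    opts, i = {}, 1
    while i < len(toks):
        if toks[i].startswith("/"):
            has_value = i + 1 < len(toks) and not toks[i + 1].startswith("/")
            opts[toks[i].lower()] = toks[i + 1] if has_value else ""
            i += 2 if has_value else 1
        else:
            i += 1
    return opts


def rule_schtasks_persistence(ev: ProcEvent):
    """schtasks /create that re-runs something every few minutes, asks for the highest
    run level, or points at a user-writable directory."""
    if not ev.image.lower().endswith("\\schtasks.exe"):
        return None
    o = parse_slash_options(tokenize(ev.cmdline))
    if "/create" not in o:
        return None
    interval, runlevel, target = o.get("/sc", "").lower(), o.get("/rl", "").lower(), o.get("/tr", "")
    every = int(o["/mo"]) if o.get("/mo", "").isdigit() else 1
    if (interval == "minute" and every <= 5) or runlevel == "highest" or USER_WRITABLE.search(target):
        return Finding(ev.pid, "schtasks_persistence", "T1053.005",
                       f"task {o.get('/tn', '?')!r} runs {target!r} every {every} {interval}, /RL {runlevel or 'default'}")
    return None


def rule_interpreter_from_user_dir(ev: ProcEvent):
    """A script interpreter whose parent lives in a user-writable directory."""
    name = ev.image.rsplit("\\", 1)[-1].lower()
    tech = INTERPRETERS.get(name)
    if tech is None or not USER_WRITABLE.search(ev.parent_image):
        return None
    bypass = " with -ExecutionPolicy Bypass" if "-executionpolicy bypass" in ev.cmdline.lower() else ""
    return Finding(ev.pid, "interpreter_spawned_from_user_dir", tech, f"{name} launched by {ev.parent_image}{bypass}")


RULES = (rule_defender_exclusion, rule_schtasks_persistence, rule_interpreter_from_user_dir)


def triage(events: list[ProcEvent]) -> list[Finding]:
    """Run every rule over every event and return the findings in event order."""
    return [f for ev in events for rule in RULES if (f := rule(ev)) is not None]


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"PID {f.pid:<5} {f.technique:<10} {f.rule:<32} {f.detail}")
```

The exclusion rule only sees plain-text command lines: a -EncodedCommand payload has to be base64-decoded first, and an operator who sets exclusions through Set-MpPreference over WMI or by writing the Exclusions registry keys directly never produces this command line at all, so pair it with Defender's own configuration-change events in the Microsoft-Windows-Windows Defender/Operational log rather than relying on it alone. The one-minute /sc minute /mo 1 loop is the part of the schtasks line worth alerting on by itself; legitimate installers rarely schedule anything that often.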

                          Network

                          MITRE ATT&CK Enterprise v15

                          Downloads

                          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XClient.exe.log

                            Filesize

                            654B

                            MD5

                            2ff39f6c7249774be85fd60a8f9a245e

                            SHA1

                            684ff36b31aedc1e587c8496c02722c6698c1c4e

                            SHA256

                            e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

                            SHA512

                            1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

                          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                            Filesize

                            2KB

                            MD5

                            d85ba6ff808d9e5444a4b369f5bc2730

                            SHA1

                            31aa9d96590fff6981b315e0b391b575e4c0804a

                            SHA256

                            84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                            SHA512

                            8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                            Filesize

                            152B

                            MD5

                            e443ee4336fcf13c698b8ab5f3c173d0

                            SHA1

                            9bf70b16f03820cbe3158e1f1396b07b8ac9d75a

                            SHA256

                            79e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b

                            SHA512

                            cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                            Filesize

                            152B

                            MD5

                            56a4f78e21616a6e19da57228569489b

                            SHA1

                            21bfabbfc294d5f2aa1da825c5590d760483bc76

                            SHA256

                            d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb

                            SHA512

                            c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                            Filesize

                            2KB

                            MD5

                            5d2a43efe60665c6e03ef30192beeecf

                            SHA1

                            d252883a3932a107646ee0b901250a21c95c1915

                            SHA256

                            122121096a7273140460324901d18f798ce5cd5010eb8279792d3f63dca0d8d5

                            SHA512

                            db76dff0fc43ed2bdfd56c62c8c6128e5ddc85a93296f4114642bbdd90491d2dc1daaba2b148549adedfad0b27e87aa39db46a77ba177704a9ba6eca461a1e9e

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                            Filesize

                            1KB

                            MD5

                            3ba3e6ad447209bdb35a21d3ceea18fc

                            SHA1

                            58bc7163348876a299486c3ec56a46f813d749de

                            SHA256

                            2748c7ffa832e8061ae420e2205e75a803145fe7da63e55ac7043c1b3b141cd6

                            SHA512

                            e0172349630db732f23ef5199b86dad708a4bfcda6ff60fa1438bbc4cc3e388bfffa77912d9f26c93aec44ae7bee2a4c0143962ec52afc39aa0ebce843a7618f

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                            Filesize

                            111B

                            MD5

                            285252a2f6327d41eab203dc2f402c67

                            SHA1

                            acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

                            SHA256

                            5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

                            SHA512

                            11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                            Filesize

                            6KB

                            MD5

                            7dd9db1d66ca0b24c2a7b4a24e54d779

                            SHA1

                            dcf20ffb884e7af1e4b69e33ac9e0a0032910b9e

                            SHA256

                            70bf9aff422f1ad4739a914ecd244b3db78ae0faab5d6f54bbfdacbfc3208bfb

                            SHA512

                            e34c3620b58ff28209e166bfbe02075f866fd00eee024a8dc759354f2ca31b624366fd98bc2a1183de8304b2dc6862cf5b0c5230513922eb1250a4d3b83898b3

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                            Filesize

                            5KB

                            MD5

                            1dc7b37f89fd9c2d27a0e118af7484b8

                            SHA1

                            8a738f221a54e48763e06562667612acea931526

                            SHA256

                            5f4999166cf1316a8be48001df264c9ef9694f52cd6d6ecf9f3cc5d908efd3c9

                            SHA512

                            709b5417e85d45a9af03f1b123ae290b5fa652f44dad45ac3e44d866946d63948fc2915ccbebab5d03bf0641b8e694c7afb096da6fee3636168435b0bf4f1afe

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                            Filesize

                            703B

                            MD5

                            e2dbe649aefbfedc01d9f0633f1e75c5

                            SHA1

                            99f37fa632b0be49482ffa07de1a4e9b95bd88a9

                            SHA256

                            09b9fafa468c1e169ad650d1527f533d3d5da5f7c0ae2ec8b35b4c2410f4a0a1

                            SHA512

                            74644e537a90fdec9216e88f881e525016f8caa6c63f81d858b385d43556e83085a7f8780cbde9e67b2444f42ca1f5ec7baf1d93b596bee56ca44f50db8aa138

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58f354.TMP

                            Filesize

                            703B

                            MD5

                            4e437edf72857b05e2137128bec0d013

                            SHA1

                            4a9af670044843ca9f4bff3e4523fb78dcbfc38c

                            SHA256

                            8ad4ee523be7edcaaf71fe8251bc2ccf47761fb7cf6502031fd94579d52a42a7

                            SHA512

                            14703a1ffe8cf37fb5e9f323e0299300f9e809e3bf6fb4660b4313d0fdf3d14eb1ed869ea1d8084959df97327552c9a6f66ff23f589733593a34384eaf269c95

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                            Filesize

                            16B

                            MD5

                            206702161f94c5cd39fadd03f4014d98

                            SHA1

                            bd8bfc144fb5326d21bd1531523d9fb50e1b600a

                            SHA256

                            1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

                            SHA512

                            0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                            Filesize

                            16B

                            MD5

                            46295cac801e5d4857d09837238a6394

                            SHA1

                            44e0fa1b517dbf802b18faf0785eeea6ac51594b

                            SHA256

                            0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                            SHA512

                            8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                            Filesize

                            10KB

                            MD5

                            46e21eaff7e0fa0eac1996efaac5a722

                            SHA1

                            813bd3937d7533f8adca033a72ebce9c25648a9e

                            SHA256

                            e4a698c130a0573a3ac87c3f259934034d622572fb19783da445b7e436d1f5c4

                            SHA512

                            f031e43d0bf7a0534cca2deaac1368b9ad4e5ed23ed146445d5da480e7edbb49073f71804d3d7049fbe9cc56005c4a7f4496344899195e2cc0ff968bbaef194a

                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                            Filesize

                            944B

                            MD5

                            d28a889fd956d5cb3accfbaf1143eb6f

                            SHA1

                            157ba54b365341f8ff06707d996b3635da8446f7

                            SHA256

                            21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

                            SHA512

                            0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                            Filesize

                            944B

                            MD5

                            8dab0a8b04c14885b08b19bf6d8803a1

                            SHA1

                            4f4fe2bda305b6a3c609ac6b3a9aaa89ac962e19

                            SHA256

                            a455896ab994dfbba03b54f288381305c8452c439dcd5a981fc0ce1c44d581df

                            SHA512

                            55aa78581e504b54eefd8f96704b6d04c437b3b58237ae4b97d70f58e946a52dc44d6831c4e322f23ab6daf80444e7dccbabb23e08ef4f61ddced1493244ef4e

                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                            Filesize

                            944B

                            MD5

                            ef72c47dbfaae0b9b0d09f22ad4afe20

                            SHA1

                            5357f66ba69b89440b99d4273b74221670129338

                            SHA256

                            692ec20c7039170fb199510f0436181fd155e6b4516d4d1c9e1675adf99aaa7f

                            SHA512

                            7514b6bc8dc39fa618223300be27cd535dc35b18c66b4a089e2302e72b3e0cac06d88a989fa1296feb386b3cbe2084019df6430c7f895071b76e04ce559a30b4

                          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rpk5lrcl.120.ps1

                            Filesize

                            60B

                            MD5

                            d17fe0a3f47be24a6453e9ef58c94641

                            SHA1

                            6ab83620379fc69f80c0242105ddffd7d98d5d9d

                            SHA256

                            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                            SHA512

                            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                          • C:\Users\Admin\AppData\Local\Temp\tmpE2E9.tmp

                            Filesize

                            100KB

                            MD5

                            1b942faa8e8b1008a8c3c1004ba57349

                            SHA1

                            cd99977f6c1819b12b33240b784ca816dfe2cb91

                            SHA256

                            555ccb7ecd9ae52a75135fdd81ab443a49d5785b0621ed6468d28c4234e46ccc

                            SHA512

                            5aee3d59478d41ddd5885c99b394c9c4983064e2b3528db1a3f7fc289662bced4f57d072517bbe7573c6d1789435e987ef1aa9cc91f372bcfd30bc016675fa43

                          • C:\Users\Admin\AppData\Roaming\Dek Store.exe

                            Filesize

                            3.9MB

                            MD5

                            2f6e9c0dd1c6859a9d6e7acea1db9ac0

                            SHA1

                            b0dcd2be62b6a559e479de7745ab0988b8b30522

                            SHA256

                            122e3cb0f2ad233d1a364911d433667e7778f00d9a7d10b954c994f4e8093d1f

                            SHA512

                            fe3634f46afd5b45f0ffc721a18b5ef1b1344b548f90b8c54ea6995e3d64b7394b56c681b1a0522b67e862fce9d8333b621612a2f03708e7dbc917a28c58c15d

                          • C:\Users\Admin\AppData\Roaming\XClient.exe

                            Filesize

                            73KB

                            MD5

                            3d573feda95c5c6a254f61034e53f4ea

                            SHA1

                            4177fff9b6ef7fae2481f21cac340e4e9cf60c61

                            SHA256

                            6fd492c927c9c204f24a0948170bb70a5720c19e355ba79213ee60e45b535382

                            SHA512

                            6831d0581ce5af676269d1549d2ccf4947e3357c20b3d1452d0817b6b57ffa4fb9305704b03e38bfdfebc089489fc3e24388b29d9c73ec30cf11bd0c796e1bd3

                          • memory/224-24-0x00007FFEAEC20000-0x00007FFEAF6E1000-memory.dmp

                            Filesize

                            10.8MB

                          • memory/224-632-0x000000001C110000-0x000000001C14A000-memory.dmp

                            Filesize

                            232KB

                          • memory/224-76-0x0000000001620000-0x000000000162C000-memory.dmp

                            Filesize

                            48KB

                          • memory/224-23-0x00007FFEAEC20000-0x00007FFEAF6E1000-memory.dmp

                            Filesize

                            10.8MB

                          • memory/224-647-0x000000001C150000-0x000000001C1DE000-memory.dmp

                            Filesize

                            568KB

                          • memory/224-22-0x0000000000E40000-0x0000000000E58000-memory.dmp

                            Filesize

                            96KB

                          • memory/224-73-0x00007FFEAEC20000-0x00007FFEAF6E1000-memory.dmp

                            Filesize

                            10.8MB

                          • memory/224-72-0x00007FFEAEC20000-0x00007FFEAF6E1000-memory.dmp

                            Filesize

                            10.8MB

                          • memory/1656-34-0x0000023940B90000-0x0000023940BB2000-memory.dmp

                            Filesize

                            136KB

                          • memory/4484-0-0x00007FFEAEC23000-0x00007FFEAEC25000-memory.dmp

                            Filesize

                            8KB

                          • memory/4484-1-0x0000000000050000-0x000000000044C000-memory.dmp

                            Filesize

                            4.0MB