37a22a8adb289aa01b0a682fdea97105ac4df1bf6744fef205f5024405c1db55

Analysis

max time kernel
300s
max time network
299s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
26-10-2024 23:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

xdwd.exe
Size

3.0MB
MD5

40887369c101155d2cb098a476c144a3
SHA1

7e5b376f1ed70c3fbfd34441a0c784b033191628
SHA256

37a22a8adb289aa01b0a682fdea97105ac4df1bf6744fef205f5024405c1db55
SHA512

a2870dcdc06f0523bd909760740b23392c5285f15b8bfc6738cc8ace46ff571f2db42cf4d3555fcdcd4902b07fd34bd3ed5cfc2802e7eec5ac82e07b258626df
SSDEEP

49152:tefEKO3T5adZKM0sz5otCeEvsDKx+msbfGGW8wlBKJwAypQxbxEo9JnCmmAX8rZz:teftODUKTslWp2MpbfGGilIJPypSbxEY

Score

10^/10

defense_evasion evasion execution persistence privilege_escalation trojan

Malware Config

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/memory/1144-24-0x000000001CBE0000-0x000000001CBEA000-memory.dmp	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs 3 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	xdwd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	xdwd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	xdwd.exe

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	xdwd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	xdwd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	xdwd.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation	xdwd.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	xdwd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	xdwd.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1888	powershell.exe
2808	powershell.exe
216	powershell.exe
2116	powershell.exe
1912	powershell.exe
3400	powershell.exe
664	powershell.exe
3184	powershell.exe
1896	powershell.exe
3024	powershell.exe
2696	powershell.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	xdwd.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	xdwd.exe

Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 1 IoCs

Possible Turn off User Account Control's privilege elevation for standard users.

defense_evasion persistence privilege_escalation

Executable Installer File Permissions Weakness

T1574.005

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	xdwd.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	xdwd.exe
File created	C:\Windows\assembly\Desktop.ini	xdwd.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	xdwd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
1472	powershell.exe
1472	powershell.exe
1912	powershell.exe
2116	powershell.exe
1888	powershell.exe
3400	powershell.exe
3400	powershell.exe
664	powershell.exe
664	powershell.exe
1896	powershell.exe
1896	powershell.exe
3024	powershell.exe
3024	powershell.exe
3184	powershell.exe
3184	powershell.exe
2696	powershell.exe
2696	powershell.exe
2808	powershell.exe
2808	powershell.exe
2696	powershell.exe
1912	powershell.exe
1912	powershell.exe
3184	powershell.exe
3024	powershell.exe
2116	powershell.exe
2116	powershell.exe
216	powershell.exe
216	powershell.exe
1888	powershell.exe
1888	powershell.exe
3400	powershell.exe
664	powershell.exe
1896	powershell.exe
2808	powershell.exe
216	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1472	powershell.exe
Token: SeIncreaseQuotaPrivilege	1472	powershell.exe
Token: SeSecurityPrivilege	1472	powershell.exe
Token: SeTakeOwnershipPrivilege	1472	powershell.exe
Token: SeLoadDriverPrivilege	1472	powershell.exe
Token: SeSystemProfilePrivilege	1472	powershell.exe
Token: SeSystemtimePrivilege	1472	powershell.exe
Token: SeProfSingleProcessPrivilege	1472	powershell.exe
Token: SeIncBasePriorityPrivilege	1472	powershell.exe
Token: SeCreatePagefilePrivilege	1472	powershell.exe
Token: SeBackupPrivilege	1472	powershell.exe
Token: SeRestorePrivilege	1472	powershell.exe
Token: SeShutdownPrivilege	1472	powershell.exe
Token: SeDebugPrivilege	1472	powershell.exe
Token: SeSystemEnvironmentPrivilege	1472	powershell.exe
Token: SeRemoteShutdownPrivilege	1472	powershell.exe
Token: SeUndockPrivilege	1472	powershell.exe
Token: SeManageVolumePrivilege	1472	powershell.exe
Token: 33	1472	powershell.exe
Token: 34	1472	powershell.exe
Token: 35	1472	powershell.exe
Token: 36	1472	powershell.exe
Token: SeDebugPrivilege	1912	powershell.exe
Token: SeDebugPrivilege	2116	powershell.exe
Token: SeDebugPrivilege	1888	powershell.exe
Token: SeDebugPrivilege	3400	powershell.exe
Token: SeDebugPrivilege	664	powershell.exe
Token: SeDebugPrivilege	1896	powershell.exe
Token: SeDebugPrivilege	3024	powershell.exe
Token: SeDebugPrivilege	2696	powershell.exe
Token: SeDebugPrivilege	3184	powershell.exe
Token: SeDebugPrivilege	2808	powershell.exe
Token: SeDebugPrivilege	216	powershell.exe
Token: SeIncreaseQuotaPrivilege	2696	powershell.exe
Token: SeSecurityPrivilege	2696	powershell.exe
Token: SeTakeOwnershipPrivilege	2696	powershell.exe
Token: SeLoadDriverPrivilege	2696	powershell.exe
Token: SeSystemProfilePrivilege	2696	powershell.exe
Token: SeSystemtimePrivilege	2696	powershell.exe
Token: SeProfSingleProcessPrivilege	2696	powershell.exe
Token: SeIncBasePriorityPrivilege	2696	powershell.exe
Token: SeCreatePagefilePrivilege	2696	powershell.exe
Token: SeBackupPrivilege	2696	powershell.exe
Token: SeRestorePrivilege	2696	powershell.exe
Token: SeShutdownPrivilege	2696	powershell.exe
Token: SeDebugPrivilege	2696	powershell.exe
Token: SeSystemEnvironmentPrivilege	2696	powershell.exe
Token: SeRemoteShutdownPrivilege	2696	powershell.exe
Token: SeUndockPrivilege	2696	powershell.exe
Token: SeManageVolumePrivilege	2696	powershell.exe
Token: 33	2696	powershell.exe
Token: 34	2696	powershell.exe
Token: 35	2696	powershell.exe
Token: 36	2696	powershell.exe
Token: SeIncreaseQuotaPrivilege	1912	powershell.exe
Token: SeSecurityPrivilege	1912	powershell.exe
Token: SeTakeOwnershipPrivilege	1912	powershell.exe
Token: SeLoadDriverPrivilege	1912	powershell.exe
Token: SeSystemProfilePrivilege	1912	powershell.exe
Token: SeSystemtimePrivilege	1912	powershell.exe
Token: SeProfSingleProcessPrivilege	1912	powershell.exe
Token: SeIncBasePriorityPrivilege	1912	powershell.exe
Token: SeCreatePagefilePrivilege	1912	powershell.exe
Token: SeBackupPrivilege	1912	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1144	xdwd.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1144	xdwd.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1144 wrote to memory of 1852	1144	xdwd.exe	81
PID 1144 wrote to memory of 1852	1144	xdwd.exe	81
PID 1852 wrote to memory of 4872	1852	csc.exe	83
PID 1852 wrote to memory of 4872	1852	csc.exe	83
PID 1144 wrote to memory of 1472	1144	xdwd.exe	84
PID 1144 wrote to memory of 1472	1144	xdwd.exe	84
PID 1144 wrote to memory of 2116	1144	xdwd.exe	87
PID 1144 wrote to memory of 2116	1144	xdwd.exe	87
PID 1144 wrote to memory of 1912	1144	xdwd.exe	88
PID 1144 wrote to memory of 1912	1144	xdwd.exe	88
PID 1144 wrote to memory of 1888	1144	xdwd.exe	91
PID 1144 wrote to memory of 1888	1144	xdwd.exe	91
PID 1144 wrote to memory of 3400	1144	xdwd.exe	93
PID 1144 wrote to memory of 3400	1144	xdwd.exe	93
PID 1144 wrote to memory of 664	1144	xdwd.exe	95
PID 1144 wrote to memory of 664	1144	xdwd.exe	95
PID 1144 wrote to memory of 3184	1144	xdwd.exe	97
PID 1144 wrote to memory of 3184	1144	xdwd.exe	97
PID 1144 wrote to memory of 1896	1144	xdwd.exe	99
PID 1144 wrote to memory of 1896	1144	xdwd.exe	99
PID 1144 wrote to memory of 3024	1144	xdwd.exe	101
PID 1144 wrote to memory of 3024	1144	xdwd.exe	101
PID 1144 wrote to memory of 2696	1144	xdwd.exe	103
PID 1144 wrote to memory of 2696	1144	xdwd.exe	103
PID 1144 wrote to memory of 2808	1144	xdwd.exe	105
PID 1144 wrote to memory of 2808	1144	xdwd.exe	105
PID 1144 wrote to memory of 216	1144	xdwd.exe	107
PID 1144 wrote to memory of 216	1144	xdwd.exe	107

System policy modification 1 TTPs 7 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	xdwd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	xdwd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	xdwd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	xdwd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	xdwd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	xdwd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle = "0"	xdwd.exe

C:\Users\Admin\AppData\Local\Temp\xdwd.exe
"C:\Users\Admin\AppData\Local\Temp\xdwd.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1144
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uysgthkx.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1852
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCFC4.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCCFC3.tmp"
    3⤵
    PID:4872
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1472
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2116
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1912
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1888
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3400
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:664
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3184
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3024
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2696
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2808
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

T1574.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

T1574.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

T1574.005

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
50a8221b93fbd2628ac460dd408a9fc1

SHA1
7e99fe16a9b14079b6f0316c37cc473e1f83a7e6

SHA256
46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e

SHA512
27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5e22dd1cda88782a1f52f76e748ef957

SHA1
3231826619a06fa541e2bfb21da445bd7013b5ac

SHA256
73302eedcdcfa0f9639f0d00e50c19f7ff4b7bab9df431cfee38e4b94bd4ecec

SHA512
75039c01812a7c0bef9fc2d0b4b8867c9acf2daf6a8ade8171d8edc7c0a2ff11488554d30397fee424922346394f14eef7518943db769c35e6916bee26f16498

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0f1bf4207c100442afb6f174495b7e10

SHA1
77ab64a201e4c57bbda4f0c3306bee76e9513b44

SHA256
c7787523a0e006d3ef2401f20248f6cfa69769804d402b75e04fcec463741f4d

SHA512
29bdea5620c07bae69fa2bbd9c198b7309dbd275a1251ee306e2eb28584d0c40f3d112b4c91b281fe722e711ceef0f4cdf0bd72118a54e263f6500bcf9040d94

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCFC4.tmp

Filesize
1KB

MD5
ce4457a659aa489afd1b6b6ff520d8e2

SHA1
3ce440a2d2f350a83837c8abd276230b61a793f8

SHA256
5df0be364bdec410a2b66e76561312237a36a0a3a9024cf403adc0192dbc546a

SHA512
f64dbd5daf2ac228cf4b42e3f952dc90c2ef74761013e84ca063ae3b7df0d53235a978673c31c8e69f58cbee33c1b04ab6d0c1c534521a510481216675662e99

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bdnv5imk.snj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\uysgthkx.dll

Filesize
76KB

MD5
a7f965859ed737b3f12243ed0b657f80

SHA1
6e466a584c75b287f016b1f647ed248679d640dc

SHA256
539b772ddb206890af6752ca9ac62157b8ec67c14a6609cc3f90617e6707a593

SHA512
a33ca5c83025d40b2d5010c4ffb05068f23e0c305b63340a41533c7cddc0b89f59cb1fc48c00cd9852141827ed1f1771435ca2f752f662bcb40d8fa3c92004a9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCCFC3.tmp

Filesize
676B

MD5
4c5741f1d3366a860ead4c84b6e8deae

SHA1
baf2de8e7089b592b5d3a00367cd15f3c902f576

SHA256
a22a4b02fd9d9fb319f24f3bf3878eb42757bcf5a9a703cdd7389d387efc118e

SHA512
60b0b0a85252712523b2cdd4557a579a12e736b62b6000ce3ae087e4a65673e075363697e08ab6b83ffbe66287e77822732bd02f4620dc69fe96579d411f0a04

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uysgthkx.0.cs

Filesize
208KB

MD5
20f103b203d0cf2a7018d4037986daae

SHA1
8e8f178da94aaddacb2242210caa8ae5bb8f6afd

SHA256
0eaa9688abd1876e13bd7d63846cc5c360eb70fc30f5df0eb8d8578ee5d2421b

SHA512
89fd04ed62054febfc7c5b6209295561d4297434c53285c85ecd3e07fc84beb353f0556ec0733627d644a13679c1b148613367b48ac4cd5348c10b5d21994438

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uysgthkx.cmdline

Filesize
349B

MD5
4e214244f561d279063fcdf64bd31d14

SHA1
bb1ef5698ec3bad573468cf2e4d4e3cc5aff3545

SHA256
38f0ae3de8562531feb16af0be04d01ee5f653004745ec1fa060ee8a23c8e3a0

SHA512
bfb514c64aa86a6ec1c4811db8f42d27e230247860a7d84d8e017c3243b4a7302c7a624df6187a612fd3a31413d730a9b2ba58240749759d22fce29e5a857dcb

Download Submit
memory/1144-24-0x000000001CBE0000-0x000000001CBEA000-memory.dmp

Filesize
40KB

Download
memory/1144-47-0x00007FFC7A030000-0x00007FFC7A9D1000-memory.dmp

Filesize
9.6MB

Download
memory/1144-1-0x00007FFC7A030000-0x00007FFC7A9D1000-memory.dmp

Filesize
9.6MB

Download
memory/1144-2-0x000000001BCF0000-0x000000001BD4C000-memory.dmp

Filesize
368KB

Download
memory/1144-6-0x000000001CB40000-0x000000001CBDC000-memory.dmp

Filesize
624KB

Download
memory/1144-23-0x000000001CC30000-0x000000001CC42000-memory.dmp

Filesize
72KB

Download
memory/1144-0-0x00007FFC7A2E5000-0x00007FFC7A2E6000-memory.dmp

Filesize
4KB

Download
memory/1144-25-0x000000001D170000-0x000000001D188000-memory.dmp

Filesize
96KB

Download
memory/1144-26-0x00000000018F0000-0x0000000001900000-memory.dmp

Filesize
64KB

Download
memory/1144-149-0x00007FFC7A030000-0x00007FFC7A9D1000-memory.dmp

Filesize
9.6MB

Download
memory/1144-5-0x000000001C5D0000-0x000000001CA9E000-memory.dmp

Filesize
4.8MB

Download
memory/1144-3-0x00000000018B0000-0x00000000018BE000-memory.dmp

Filesize
56KB

Download
memory/1144-75-0x000000001D1B0000-0x000000001D1B8000-memory.dmp

Filesize
32KB

Download
memory/1144-4-0x00007FFC7A030000-0x00007FFC7A9D1000-memory.dmp

Filesize
9.6MB

Download
memory/1144-21-0x000000001CC40000-0x000000001CC56000-memory.dmp

Filesize
88KB

Download
memory/1144-45-0x00007FFC7A2E5000-0x00007FFC7A2E6000-memory.dmp

Filesize
4KB

Download
memory/1472-44-0x00007FFC777A0000-0x00007FFC78262000-memory.dmp

Filesize
10.8MB

Download
memory/1472-41-0x00007FFC777A0000-0x00007FFC78262000-memory.dmp

Filesize
10.8MB

Download
memory/1472-40-0x00007FFC777A0000-0x00007FFC78262000-memory.dmp

Filesize
10.8MB

Download
memory/1472-39-0x000002753C660000-0x000002753C682000-memory.dmp

Filesize
136KB

Download
memory/1472-29-0x00007FFC777A3000-0x00007FFC777A5000-memory.dmp

Filesize
8KB

Download
memory/1852-14-0x00007FFC7A030000-0x00007FFC7A9D1000-memory.dmp

Filesize
9.6MB

Download
memory/1852-19-0x00007FFC7A030000-0x00007FFC7A9D1000-memory.dmp

Filesize
9.6MB

Download