Analysis
-
max time kernel
32s -
max time network
52s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
20-05-2024 00:30
General
-
Target
kdmapper.exe
-
Size
254KB
-
MD5
dcfdbaa3781a119c895bbbe8bcdff46f
-
SHA1
8e659d9d374c760b154e164acf2ae3b06fc63710
-
SHA256
a8d80919d86fec3e163f03f55f10fc0597d1605c230c44d5b39d93c7f35fbb5c
-
SHA512
72c279f4d1bb22e203fb0686fd08c52e09c1cf3a6a069a65ff2be61e4bdfc0ba58bca3777cf5c3a48527eaedf9e719bc8ebfe1a64c223a3854ff62688e7d6f78
-
SSDEEP
6144:k9G5JrD89A32tvPHilDRfc8t0hVkPn9TsNwAJQ:7JrD89akvm9f5OVkFAN9JQ
Malware Config
Extracted
xworm
45.88.90.228:7000
178.215.236.228:7000
-
Install_directory
%ProgramData%
-
install_file
RtkAudUService64.exe
Signatures
-
Detect Neshta payload 46 IoCs
-
Detect Xworm Payload 2 IoCs
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Xworm
Xworm is a remote access trojan written in C#.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 10 IoCs
-
Modifies system executable filetype association 2 TTPs 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 15 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry class 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 44 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\kdmapper.exe"C:\Users\Admin\AppData\Local\Temp\kdmapper.exe"1⤵
- Checks computer location settings
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\kdmapper.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\kdmapper.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\PROGRA~3\kdmapper.exe"3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\PROGRA~3\kdmapper.exeC:\PROGRA~3\kdmapper.exe4⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\PROGRA~3\kdmapper.exe'5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\PROGRA~3\kdmapper.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'kdmapper.exe'5⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'kdmapper.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\RtkAudUService64.exe'5⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\RtkAudUService64.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RtkAudUService64.exe'5⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RtkAudUService64.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "RtkAudUService64" /tr "C:\ProgramData\RtkAudUService64.exe"5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\System32\schtasks.exe /create /f /RL HIGHEST /sc minute /mo 1 /tn RtkAudUService64 /tr C:\ProgramData\RtkAudUService64.exe6⤵
- Creates scheduled task(s)
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Roaming\KEYAUT~1.EXE"3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\KEYAUT~1.EXEC:\Users\Admin\AppData\Roaming\KEYAUT~1.EXE4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Event Triggered Execution
1Change Default File Association
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXEFilesize
127KB
MD502c064bea2cf9da44904c9a1ecb61c48
SHA175b874030dc2300f6663ba70e3bb5b4475e4b89c
SHA2563ed504ee3804fdd067bf02599ae9d41ef0f795f9f6f5ae1038e25578d0230f0a
SHA512fb8aa2bba96efa28fd56ccf5bb0d2505c13d4b98740ad3f5c1b8b0ea131ebd4f9e9822d259e9c96ec595c5843f908f12b51880a8d4c366721591e89c830a5ce8
-
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXEFilesize
183KB
MD59dfcdd1ab508b26917bb2461488d8605
SHA14ba6342bcf4942ade05fb12db83da89dc8c56a21
SHA256ecd5e94da88c653e4c34b6ab325e0aca8824247b290336f75c410caa16381bc5
SHA5121afc1b95f160333f1ff2fa14b3f22a28ae33850699c6b5498915a8b6bec1cfc40f33cb69583240aa9206bc2ea7ab14e05e071275b836502a92aa8c529fc1b137
-
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXEFilesize
454KB
MD5bcd0f32f28d3c2ba8f53d1052d05252d
SHA1c29b4591df930dabc1a4bd0fa2c0ad91500eafb2
SHA256bb07d817b8b1b6b4c25e62b6120e51dec10118557d7b6b696ad084a5ba5bfdeb
SHA51279f407735853f82f46870c52058ceee4d91857a89db14868ee1169abd5c0fd2e3fa1ed230ab90b5f479a9581b88998643d69b0df498defea29e73b0d487f3b10
-
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exeFilesize
1.2MB
MD5d47ed8961782d9e27f359447fa86c266
SHA1d37d3f962c8d302b18ec468b4abe94f792f72a3b
SHA256b1ec065f71cc40f400e006586d370997102860504fd643b235e8ed9f5607262a
SHA5123e33f2cdf35024868b183449019de9278035e7966b342ba320a6c601b5629792cbb98a19850d4ca80b906c85d10e8503b0193794d1f1efa849fa33d26cff0669
-
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exeFilesize
1.2MB
MD5e316c67c785d3e39e90341b0bbaac705
SHA17ffd89492438a97ad848068cfdaab30c66afca35
SHA2564fc8b9433b45c2607cbdf3d1c042c3918b854c9db3ade13b5bb2761d28f1c478
SHA51225ec433c10adc69305de97107463be74d7b4768acca27886498485e8bc2c8b099994e6c1c6c09a7e603816203d6b18e509fb79f24992915eb802f59bcb790090
-
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exeFilesize
773KB
MD5e7a27a45efa530c657f58fda9f3b9f4a
SHA16c0d29a8b75574e904ab1c39fc76b39ca8f8e461
SHA256d6f11401f57293922fb36cd7542ae811ab567a512449e566f83ce0dcef5ff8e5
SHA5120c37b41f3c075cd89a764d81f751c3a704a19240ad8e4ebab591f399b9b168b920575749e9d24c2a8f0400b9f340ab9fea4db76ff7060d8af00e2b36ac0c4a54
-
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exeFilesize
325KB
MD50511abca39ed6d36fff86a8b6f2266cd
SHA1bfe55ac898d7a570ec535328b6283a1cdfa33b00
SHA25676ae68fc7c6c552c4a98c5df640cd96cf27b62e7e1536b7f7d08eff56fcde8b8
SHA5126608412e3ed0057f387bafcddcb07bfe7da4f207c7300c460e5acc4bd234cec3362191800789eb465eb120ec069e3ed49eabb6bd7db30d9e9245a89bb20e4346
-
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exeFilesize
325KB
MD56f87ccb8ab73b21c9b8288b812de8efa
SHA1a709254f843a4cb50eec3bb0a4170ad3e74ea9b3
SHA25614e7a1f2f930380903ae3c912b4a70fd0a59916315c46874805020fe41215c22
SHA512619b45b9728880691a88fbfc396c9d34b41d5e349e04d2eb2d18c535fffc079395835af2af7ca69319954a98852d2f9b7891eff91864d63bf25759c156e192ee
-
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exeFilesize
546KB
MD50f2a15d7f0ba496847dfeac5f2aee9f2
SHA18c6fba98c42dc86d53f6ff1ec7db22683982203b
SHA256ca787720bbe943d0315c1aa9c3b05b63c8def624801512a39f671692c6a37366
SHA51223826e69106884d3d86ab81a720d890f2abdd7bee3ce8bffc2e126830128f00e4ec1a050ed725da17b53c0052bc24e2f15cd1643ab1f909e72a15df842858b98
-
C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXEFilesize
230KB
MD5e5589ec1e4edb74cc7facdaac2acabfd
SHA19b12220318e848ed87bb7604d6f6f5df5dbc6b3f
SHA2566ce92587a138ec07dac387a294d0bbe8ab629599d1a2868d2afaccea3b245d67
SHA512f36ab33894681f51b9cec7ea5a738eb081a56bcd7625bdd2f5ef2c084e4beb7378be8f292af3aeae79d9317ba57cc41df89f00aef52e58987bdb2eac3f48171a
-
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXEFilesize
207KB
MD53b0e91f9bb6c1f38f7b058c91300e582
SHA16e2e650941b1a96bb0bb19ff26a5d304bb09df5f
SHA25657c993cadf4bf84810cea23a7112c6e260624beaab48d0e4332d3462900fec1d
SHA512a4fbe28a0135f4632e0a5b6bd775f8d010250b0fbfe223db1fe81d18552a6bc166ebce807853ba02e6a476e9829454805e415ca828a5e043bd1e63dc53599d0f
-
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXEFilesize
439KB
MD5400836f307cf7dbfb469cefd3b0391e7
SHA17af3cbb12d3b2d8b5d9553c687c6129d1dd90a10
SHA256cb5c5abb625a812d47007c75e3855be3f29da527a41cf03730ad5c81f3eb629a
SHA512aa53cb304478585d6f83b19a6de4a7938ba2570d380a565a56ff5365aed073d5f56b95ad3228eb7d1e7e6110c6172a58b97bd6a5e57e4a8d39e762ed31dc17c8
-
C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MI9C33~1.EXEFilesize
139KB
MD5a15016441259c3704235b7c1cb654d06
SHA1c9277f066c26446758df4fff5045a367f2a799ce
SHA256d2c00ac573df0c4eb408c4cba1add7e24bd0ce3fb151b943e1a924f88b5d4595
SHA512f4b1c0c5693a5f1d847d3ef8a6cc45ac5c87a763439605ad5bc5bfbcf05ad5911ef250639585233a1c73bd35a591b4fb7ef9bde841db8d9334998759fd0b8d17
-
C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MIA062~1.EXEFilesize
1.6MB
MD57abe22be5c0dcb7e9632a304429772eb
SHA1bf3cc17af14b6a3384162809def0460b57af8896
SHA2561b3f3a1c7786f24e3b4b446cb6ca9e2c78a04c95f7e77a071a70c1def07d46cb
SHA5127f9c0af509b1fc9a19b7ccbd6c8ecdd3e86a829ea7d5deee117aec483a9d82fd899633a45708c99aca04c3b03d6fd5918b286eb4a996bac76bcd1a4281d1c824
-
C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exeFilesize
250KB
MD55d656c152b22ddd4f875306ca928243a
SHA1177ff847aa898afa1b786077ae87b5ae0c7687c7
SHA2564d87b0eb331443b473c90650d31b893d00373ff88dcbcb3747f494407799af69
SHA512d5e50ee909ea06e69fc0d9999c6d142f9154e6f63462312b4e950cf6e26a7d395dbb50c8e2a8c4f4e1cfb7b2c6ae8ad19e3b7c204c20e7557daa1a0deb454160
-
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXEFilesize
1.1MB
MD5301d7f5daa3b48c83df5f6b35de99982
SHA117e68d91f3ec1eabde1451351cc690a1978d2cd4
SHA256abe398284d90be5e5e78f98654b88664e2e14478f7eb3f55c5fd1c1bcf1bebee
SHA5124a72a24dec461d116fe8324c651913273ccaa50cb036ccdacb3ae300e417cf4a64aa458869b8d2f3b4c298c59977437d11b241d08b391a481c3226954bba22e4
-
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXEFilesize
1.1MB
MD55c78384d8eb1f6cb8cb23d515cfe7c98
SHA1b732ab6c3fbf2ded8a4d6c8962554d119f59082e
SHA2569abd7f0aa942ee6b263cdc4b32a4110ddb95e43ad411190f0ea48c0064884564
SHA51299324af5f8fb70a9d01f97d845a4c6999053d6567ba5b80830a843a1634b02eaf3c0c04ced924cf1b1be9b4d1dbbcb95538385f7f85ad84d3eaaa6dcdebcc8a6
-
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exeFilesize
3.2MB
MD55119e350591269f44f732b470024bb7c
SHA14ccd48e4c6ba6e162d1520760ee3063e93e2c014
SHA2562b3aa9642b291932ba7f9f3d85221402a9d27078f56ef0e9c6bca633616e3873
SHA512599b4ec673169d42a348d1117737b4ad4d7539574153df5a5c7689130c9ac5ff5cd00f3c8ec39adf32ff2b56be074081efcabb6456272c649703c3ea6cdaded4
-
C:\ProgramData\kdmapper.exeFilesize
70KB
MD51fb060973127af435a948361cba03b9e
SHA1f861149e155e9bb3ef1f2f748874e884cde54cee
SHA256194bee6ca7df1015b6b5c5296d04f711128a4ec2970bdab1bf621af758251949
SHA5128d22e67d3200ab028822985e35c6314051b1dc0cab612e6917e326f0c75ad9d9a97af7f8146f70468026b5efcc5d09d4d1d9f89f34191cfed3179db1285e5eba
-
C:\Users\ALLUSE~1\Adobe\Setup\{AC76B~1\setup.exeFilesize
534KB
MD58a403bc371b84920c641afa3cf9fef2f
SHA1d6c9d38f3e571b54132dd7ee31a169c683abfd63
SHA256614a701b90739e7dbf66b14fbdb6854394290030cc87bbcb3f47e1c45d1f06c3
SHA512b376ef1f49b793a8cd8b7af587f538cf87cb2fffa70fc144e1d1b7e2e8e365ba4ad0568321a0b1c04e69b4b8b694d77e812597a66be1c59eda626cbf132e2c72
-
C:\Users\ALLUSE~1\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXEFilesize
6.7MB
MD563dc05e27a0b43bf25f151751b481b8c
SHA1b20321483dac62bce0aa0cef1d193d247747e189
SHA2567d607fb69c69a72a5bf4305599279f46318312ce1082b6a34ac9100b8c7762ce
SHA512374d705704d456cc5f9f79b7f465f6ec7c775dc43001c840e9d6efbbdef20926ed1fa97f8a9b1e73161e17f72520b96c05fa58ac86b3945208b405f9166e7ba3
-
C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1\VCREDI~1.EXEFilesize
526KB
MD5cc5020b193486a88f373bedca78e24c8
SHA161744a1675ce10ddd196129b49331d517d7da884
SHA256e87936bb1f0794b7622f8ce5b88e4b57b2358c4e0d0fd87c5cd9fa03b8429e2a
SHA512bc2c77a25ad9f25ac19d8216dafc5417513cb57b9984237a5589a0bb684fdac4540695fcfb0df150556823b191014c96b002e4234a779bd064d36166afeb09d2
-
C:\Users\ALLUSE~1\PACKAG~1\{4D8DC~1\VC_RED~1.EXEFilesize
714KB
MD55c8932a11c5b391f662e556c7525c11b
SHA1ff1f59ba26175ac823b55007640c792ec3057b9d
SHA2569eed8fd8b33d7992d551e2adc3eb92ddb95ec436a68293b214be9334f564fbec
SHA5129c60cd4cf75fc6df077cfcc27988b9dc7dd500532c396d2e274bd37b34797ff2ccefc00d3a27c922b1f28cf6f334d5038efc0920fa3793a17961c49125e96a2d
-
C:\Users\ALLUSE~1\PACKAG~1\{57A73~1\VC_RED~1.EXEFilesize
715KB
MD506366e48936df8d5556435c9820e9990
SHA10e3ed1da26a0c96f549720684e87352f1b58ef45
SHA256cd47cce50016890899413b2c3609b3b49cb1b65a4dfcaa34ece5a16d8e8f6612
SHA512bea7342a6703771cb9b11cd164e9972eb981c33dcfe3e628b139f9e45cf1e24ded1c55fcdfa0697bf48772a3359a9ddd29e4bb33c796c94727afd1c4d5589ea3
-
C:\Users\ALLUSE~1\PACKAG~1\{61087~1\VCREDI~1.EXEFilesize
536KB
MD57a36ae2055dc8aa5791f86a0583197b4
SHA1deade87912580a5386096768f569781a92dbb9d4
SHA25664d1449187d26e3b769300335ed0fc5d31e2a2ee2264774ea9da2c396a6d8328
SHA512e042b3338617366afa3bbcd0f589f632a63567149b78172acb16524b6c488c10649578416f992146b70506fc55f3a9a79624bb87aac21fa80658afc5b5693680
-
C:\Users\ALLUSE~1\PACKAG~1\{63880~1\WINDOW~1.EXEFilesize
650KB
MD5558fdb0b9f097118b0c928bb6062370a
SHA1ad971a9a4cac3112a494a167e1b7736dcd6718b3
SHA25690cee4a89cc1401ac464818226b7df69aa930804cefce56758d4e2ea0009d924
SHA5125d08d5428e82fb3dad55c19e2c029de8f16e121faac87575b97f468b0ec312b3e0696225546cba91addaaf8f2451d44ae6386b4e4f7f621ce45055f3be797d7c
-
C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXEFilesize
485KB
MD587f15006aea3b4433e226882a56f188d
SHA1e3ad6beb8229af62b0824151dbf546c0506d4f65
SHA2568d0045c74270281c705009d49441167c8a51ac70b720f84ff941b39fad220919
SHA512b01a8af6dc836044d2adc6828654fa7a187c3f7ffe2a4db4c73021be6d121f9c1c47b1643513c3f25c0e1b5123b8ce2dc78b2ca8ce638a09c2171f158762c7c1
-
C:\Users\ALLUSE~1\PACKAG~1\{D87AE~1\WINDOW~1.EXEFilesize
691KB
MD5ce87c8a7b58a3cc12bb7a05782249dfa
SHA1a87d91e70a998737e19f5666417e0d5f8b857754
SHA256257b43ec42a4ff904cd18f48e74bef64cbe80dda79947252c31d0ef70a656e07
SHA5128f0b5cf2f8a615f21693df2a4581b20290a00cf88cc28280fd97f447cab6a147a96ab485ddc7cbfd4d180d0dc8b14053329bce3a49c4c2da4844aa56810d0c90
-
C:\Users\ALLUSE~1\PACKAG~1\{EF5AF~1\WINDOW~1.EXEFilesize
691KB
MD5a08906b2468637919bbf60600e56cb5a
SHA1b3461c43871907049a70745758a0c51f97eb52c6
SHA25693ec8003a3be400cf547464c375abaf9743b376f7cba0c19cc19299936314e29
SHA5127425f843db32404e439b491beb591672b3dc07fb52916280909793b360ec9147cf936bdf61d693fc959016dfdb8c23362e449322bf5509194eb12c6088e45392
-
C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXEFilesize
536KB
MD591490c78c45cbd686ac759b6a252e898
SHA151bb6c5aa14cf478b0b6fa0329c7366d1f6fb480
SHA25647f3331b4f35012d38bc11cdeae0ff7b4ae1186d4e916e3e48a9440438296821
SHA512f7d44cd6df2c0c492731c14ca27e26605e8cddb9cb9287bf083fe1e43f753cafa11c341f0915510ad1d189466e92bb3f4e219b3599e9df72878bde14518bee35
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
18KB
MD5b06ede29ccb5c27155d7725ca89c65ac
SHA1fb9760f4e9f1cad0e054fa6d5bd9c0167825ac22
SHA25605fa20275a52bbc3ddcbe7d3f73255eb2801c4eec3ee0d3f69dd4c1369e20fb1
SHA5129a34dcbfa53546dd042acfe20de6b2e79138c27de8f1e3cbc6f4d632c35fe88a1c27596ea7581a3fb3cd11fce8579fdc759c9c57b76ea7be5aa69d0a8fae43a3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
18KB
MD56d1b158eed05ece804cf99de9427e83c
SHA1c5b55a89b152417b2cf534a098978ee165569821
SHA2567fcdfd1e8fb3645efdc70db2e8103a72d9a10e34a643726349cf0fdd182c31b7
SHA51241d0db862ae36472fda86a214e39aa4d242e0f41f0ff8e0a3b3d2b9e7fd07f0095845a64f5434547150ca4374bacdbf0489f2a3405475e121d115e9472a39161
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
18KB
MD5d7c16254cbba2d10b86f1833aadfcc6d
SHA12ed5edd0612cc22137e3b763a42e43bfd933c5df
SHA256c97b274d9727012d568d74ccd43bd93efba256e1d6ab89459efd36d8286dece0
SHA51238f10e67b3ad91ca6cb1fe388aab09451a1a95f308bc5ca477af6a8783a2ebc98f241de44fbcc41dd806a0496263b3730cfa85ca4787150ad3d7cb76c8223e1e
-
C:\Users\Admin\AppData\Local\Temp\3582-490\kdmapper.exeFilesize
213KB
MD58b0bec71c0c9bfb67fc51cfeca662758
SHA1aac11a7bcc44ac97f609375271d60b47d09764b6
SHA2568b20f47382ac9fb608e568787d9d2974a3c3716bf56ba0208ef5599b19db4a1c
SHA5120e62b0c72caccdc35307bf9175c101ac3b1076f918db54605bad71097104befff8d818977401ed808bfc8b1abc56c8c5af243bc9fdc51ee4e8b50fb1bfbb25b8
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qrgc2pyk.33n.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exeFilesize
90KB
MD5c6468039d2d2d29d67da192c4b93fbce
SHA16c295a9bff97d20fd8d1e7bd0306047965c03c27
SHA256574ffc78000ac5e306858cead0d0669ecc3c0bd2541001bab1d2f5c46e9d74e7
SHA5125777425adec2b763f3535dce5963422b986fb2ec25517f326b99956ffe5970a477f05cb1009f1fd54da2890ab26e79687bcf05efacb8f8a06a2bc0400b228be9
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msFilesize
6KB
MD5e00e9f35320d6499763f11d420776082
SHA1ffc190d5c6d752d0a6bdae65905af13d744b52d9
SHA2560530cb35d31d3e2cc227a1c008049fe2208a7b306dd30fca4329fec8f5715e4c
SHA512b43f286d4272154221c7e9476e05a86b9c9f2fc070be094cdefe554420d0af542e42d969101723a041f7bad228e4690723d880547c98983d057cef019ef2988a
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msFilesize
6KB
MD593a9f41c119bb0e8bb5b0968a06153a5
SHA1db7c6afd79b3b4450a68763c2f98e7a15a509daa
SHA256c0630508be4b24e1321314578fd9ee66491d465ca6c9dbb94ae7a8edfb5d3357
SHA5125a3b2f20c8df9581225af1500d8f1e123d9116750ca524ae72ae671c13ee8f175b9a5ab811b0cbb846f930ca368390ed684f0175d24a420837f681957b81108e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msFilesize
6KB
MD5e78c5d2e6ed3be68dc229f1b7ffcd1c1
SHA1c8fa26d37cfd7dfe0393bd3c03c8a452270ae321
SHA256dbf8ddf4f967bf9443a4ac623a6690d8a489a6766c43bd76492c36e0a252790a
SHA5122d707ce6b3645b2fc24040a35fad0c8ec0d058dc0dd6863a4d4e0686bb5b3c03b7fd03c5c39e9398f3ab359e129f62b0ce7f756162e9854cb6468b5ceb83434b
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msFilesize
6KB
MD5e27c1153b8d6a77ef5732941b79c2518
SHA1311a47ea464709cddc224633b426045443107c98
SHA25641abc2449ecacf784e262d9b7e3fe17acf5f0af7830ca5e28a656b7891523818
SHA5120527a2095e88317a77cb1baaccbe8f0b16b41714488b103a78376ac95065b770a99f9e771f4edaa2ddd58705f4c14b00893c9dec96270aca8f3c6395d8119c23
-
C:\Windows\directx.sysFilesize
130B
MD58dc2947a916cfe292a6dce225c32d218
SHA159f674d46b6f92233b107f12aaf0958bf5a668c0
SHA2566ed9a2907b7dec195ebb2a486ed3ae6f11ef655a9f2d0ee485adb6a85b6e79f3
SHA51250349af678162f3813d6141e5e5a1c5fa2a63aa081d8bd788f5474c4f958364e98b3299fb820cebadbc30514d508b62b56689257a2e0e51c90fc7821493bd606
-
C:\Windows\directx.sysFilesize
142B
MD50de6784f74a59413ee1341a35fa14551
SHA194341fe432985750672eae3b01fa2a8165e8c44c
SHA25662bf9ef4b3359f708340ec72276151575653ff78f3e9937cecb748ce0403a82e
SHA5120030b2cc0e50286ecbd4db2b212c470baaac6e6cef292885e75117eb2c6bad6d7b310c8ff18166caf3fd8eda195492de4d956f7a0344001517f3828eec4229e1
-
C:\Windows\directx.sysFilesize
71B
MD551e8088e6e80e7928a63c0a35e4f1f4e
SHA1af3c67f1ebe1e48432e88aeae04afd09d32e8175
SHA25690dc950b0fc2e8acb78859939ab7e9bf2efb7508efb02b4f2f9e93ab43dc1b2a
SHA5124efec73db68d8d193e37c98485742d207db383a125de5765d15140e90b8589a6c81ff84ac4836bde1d8fac603675c61704d99f077811d094909aeac0815bc18c
-
C:\Windows\svchost.comFilesize
40KB
MD536fd5e09c417c767a952b4609d73a54b
SHA1299399c5a2403080a5bf67fb46faec210025b36d
SHA256980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2
SHA5121813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92
-
memory/964-369-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/964-354-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/964-387-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/964-371-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/964-384-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/1224-219-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/1364-13-0x0000000073BD0000-0x0000000074181000-memory.dmpFilesize
5.7MB
-
memory/1364-12-0x0000000073BD2000-0x0000000073BD3000-memory.dmpFilesize
4KB
-
memory/1364-15-0x0000000073BD0000-0x0000000074181000-memory.dmpFilesize
5.7MB
-
memory/1364-49-0x0000000073BD0000-0x0000000074181000-memory.dmpFilesize
5.7MB
-
memory/2860-241-0x0000000005790000-0x00000000057F6000-memory.dmpFilesize
408KB
-
memory/2860-303-0x0000000006520000-0x000000000653E000-memory.dmpFilesize
120KB
-
memory/2860-248-0x0000000006050000-0x00000000063A4000-memory.dmpFilesize
3.3MB
-
memory/2860-239-0x0000000005680000-0x00000000056A2000-memory.dmpFilesize
136KB
-
memory/2860-240-0x0000000005720000-0x0000000005786000-memory.dmpFilesize
408KB
-
memory/2860-355-0x0000000007A60000-0x0000000007A6E000-memory.dmpFilesize
56KB
-
memory/2860-231-0x0000000005890000-0x0000000005EB8000-memory.dmpFilesize
6.2MB
-
memory/2860-339-0x0000000007830000-0x000000000784A000-memory.dmpFilesize
104KB
-
memory/2860-304-0x0000000006A90000-0x0000000006ADC000-memory.dmpFilesize
304KB
-
memory/2860-316-0x0000000007670000-0x000000000768E000-memory.dmpFilesize
120KB
-
memory/2860-306-0x000000006F890000-0x000000006F8DC000-memory.dmpFilesize
304KB
-
memory/2860-305-0x0000000007690000-0x00000000076C2000-memory.dmpFilesize
200KB
-
memory/2860-326-0x00000000076E0000-0x0000000007783000-memory.dmpFilesize
652KB
-
memory/2860-357-0x0000000007B90000-0x0000000007BAA000-memory.dmpFilesize
104KB
-
memory/2860-229-0x0000000005080000-0x00000000050B6000-memory.dmpFilesize
216KB
-
memory/2860-338-0x0000000007E80000-0x00000000084FA000-memory.dmpFilesize
6.5MB
-
memory/3012-328-0x000000006F890000-0x000000006F8DC000-memory.dmpFilesize
304KB
-
memory/3012-352-0x0000000007170000-0x0000000007181000-memory.dmpFilesize
68KB
-
memory/3012-340-0x0000000006FF0000-0x0000000006FFA000-memory.dmpFilesize
40KB
-
memory/3012-341-0x00000000071F0000-0x0000000007286000-memory.dmpFilesize
600KB
-
memory/3060-358-0x0000000007240000-0x0000000007248000-memory.dmpFilesize
32KB
-
memory/3060-317-0x000000006F890000-0x000000006F8DC000-memory.dmpFilesize
304KB
-
memory/3060-356-0x0000000007160000-0x0000000007174000-memory.dmpFilesize
80KB
-
memory/3380-176-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/3748-50-0x0000000000ED0000-0x0000000000EE8000-memory.dmpFilesize
96KB
-
memory/3748-47-0x00007FFFF3A33000-0x00007FFFF3A35000-memory.dmpFilesize
8KB
-
memory/3748-372-0x00007FFFF3A33000-0x00007FFFF3A35000-memory.dmpFilesize
8KB
-
memory/3780-342-0x000000006F890000-0x000000006F8DC000-memory.dmpFilesize
304KB
-
memory/3860-53-0x0000000000E40000-0x0000000000E5C000-memory.dmpFilesize
112KB
-
memory/3860-79-0x0000000005FA0000-0x0000000005FDC000-memory.dmpFilesize
240KB
-
memory/3860-54-0x0000000005610000-0x0000000005622000-memory.dmpFilesize
72KB
-
memory/3992-203-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/4776-211-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/4944-283-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/4980-230-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/5028-368-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/5028-370-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/5028-383-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/5028-388-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/5028-353-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB