Malware Analysis Report

2024-09-11 03:12

Sample ID 240520-atts2abc8z
Target kdmapper.exe
SHA256 a8d80919d86fec3e163f03f55f10fc0597d1605c230c44d5b39d93c7f35fbb5c
Tags
neshta xworm execution persistence rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a8d80919d86fec3e163f03f55f10fc0597d1605c230c44d5b39d93c7f35fbb5c

Threat Level: Known bad

The file kdmapper.exe was found to be: Known bad.

Malicious Activity Summary

neshta xworm execution persistence rat spyware stealer trojan

Detect Neshta payload

Neshta

Xworm

Detect Xworm Payload

Neshta family

Command and Scripting Interpreter: PowerShell

Drops startup file

Modifies system executable filetype association

Reads user/profile data of web browsers

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Looks up external IP address via web service

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Creates scheduled task(s)

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Command and Scripting Interpreter
T1059
PowerShell
T1059.001
Scheduled Task/Job
T1053
Persistence
TA0003
Event Triggered Execution
T1546
Change Default File Association
T1546.001
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Scheduled Task/Job
T1053
Privilege Escalation
TA0004
Event Triggered Execution
T1546
Change Default File Association
T1546.001
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Scheduled Task/Job
T1053
Defense Evasion
TA0005
Modify Registry
T1112
Credential Access
TA0006
Unsecured Credentials
T1552
Credentials In Files
T1552.001
Discovery
TA0007
Query Registry
T1012
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Data from Local System
T1005
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-05-20 00:30

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A

Neshta family

neshta

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-20 00:30

Reported

2024-05-20 00:31

Platform

win10v2004-20240508-en

Max time kernel

32s

Max time network

52s

Command Line

"C:\Users\Admin\AppData\Local\Temp\kdmapper.exe"

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Neshta

persistence spyware neshta

Xworm

trojan rat xworm

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\PROGRA~3\kdmapper.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\kdmapper.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\kdmapper.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RtkAudUService64.lnk C:\PROGRA~3\kdmapper.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RtkAudUService64.lnk C:\PROGRA~3\kdmapper.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\kdmapper.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\PROGRA~3\kdmapper.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Roaming\KEYAUT~1.EXE N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\kdmapper.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RtkAudUService64 = "C:\\ProgramData\\RtkAudUService64.exe" C:\PROGRA~3\kdmapper.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe C:\Users\Admin\AppData\Local\Temp\kdmapper.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~3\kdmapper.exe C:\Users\Admin\AppData\Local\Temp\kdmapper.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE C:\Users\Admin\AppData\Local\Temp\kdmapper.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe C:\Users\Admin\AppData\Local\Temp\kdmapper.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MICROS~2.EXE C:\Users\Admin\AppData\Local\Temp\kdmapper.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe C:\Users\Admin\AppData\Local\Temp\kdmapper.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE C:\Users\Admin\AppData\Local\Temp\kdmapper.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MICROS~2.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe C:\Users\Admin\AppData\Local\Temp\kdmapper.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\kdmapper.exe N/A
File opened for modification C:\PROGRA~3\kdmapper.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MICROS~1.EXE C:\Users\Admin\AppData\Local\Temp\kdmapper.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\INTERN~1\ExtExport.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE C:\Users\Admin\AppData\Local\Temp\kdmapper.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE C:\Users\Admin\AppData\Local\Temp\kdmapper.exe N/A
File opened for modification C:\PROGRA~3\kdmapper.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\kdmapper.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe C:\Users\Admin\AppData\Local\Temp\kdmapper.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE C:\Users\Admin\AppData\Local\Temp\kdmapper.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MI9C33~1.EXE C:\Users\Admin\AppData\Local\Temp\kdmapper.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\Install\{97D61~1\MicrosoftEdgeUpdateSetup_X86_1.3.187.37.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\kdmapper.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MICROS~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE C:\Users\Admin\AppData\Local\Temp\kdmapper.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE C:\Users\Admin\AppData\Local\Temp\kdmapper.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MIA062~1.EXE C:\Users\Admin\AppData\Local\Temp\kdmapper.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmpconfig.exe C:\Users\Admin\AppData\Local\Temp\kdmapper.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmpconfig.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13187~1.37\MICROS~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE C:\Users\Admin\AppData\Local\Temp\kdmapper.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE C:\Users\Admin\AppData\Local\Temp\kdmapper.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe C:\Users\Admin\AppData\Local\Temp\kdmapper.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE C:\Users\Admin\AppData\Local\Temp\kdmapper.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE C:\Users\Admin\AppData\Local\Temp\kdmapper.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE C:\Users\Admin\AppData\Local\Temp\kdmapper.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\kdmapper.exe N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\kdmapper.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\kdmapper.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\PROGRA~3\kdmapper.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\PROGRA~3\kdmapper.exe N/A
N/A N/A C:\PROGRA~3\kdmapper.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\PROGRA~3\kdmapper.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\KEYAUT~1.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\PROGRA~3\kdmapper.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\PROGRA~3\kdmapper.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5028 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\kdmapper.exe C:\Users\Admin\AppData\Local\Temp\3582-490\kdmapper.exe
PID 5028 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\kdmapper.exe C:\Users\Admin\AppData\Local\Temp\3582-490\kdmapper.exe
PID 5028 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\kdmapper.exe C:\Users\Admin\AppData\Local\Temp\3582-490\kdmapper.exe
PID 1364 wrote to memory of 3380 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\kdmapper.exe C:\Windows\svchost.com
PID 1364 wrote to memory of 3380 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\kdmapper.exe C:\Windows\svchost.com
PID 1364 wrote to memory of 3380 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\kdmapper.exe C:\Windows\svchost.com
PID 3380 wrote to memory of 3748 N/A C:\Windows\svchost.com C:\PROGRA~3\kdmapper.exe
PID 3380 wrote to memory of 3748 N/A C:\Windows\svchost.com C:\PROGRA~3\kdmapper.exe
PID 1364 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\kdmapper.exe C:\Windows\svchost.com
PID 1364 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\kdmapper.exe C:\Windows\svchost.com
PID 1364 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\kdmapper.exe C:\Windows\svchost.com
PID 964 wrote to memory of 3860 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Roaming\KEYAUT~1.EXE
PID 964 wrote to memory of 3860 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Roaming\KEYAUT~1.EXE
PID 964 wrote to memory of 3860 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Roaming\KEYAUT~1.EXE
PID 3748 wrote to memory of 3992 N/A C:\PROGRA~3\kdmapper.exe C:\Windows\svchost.com
PID 3748 wrote to memory of 3992 N/A C:\PROGRA~3\kdmapper.exe C:\Windows\svchost.com
PID 3748 wrote to memory of 3992 N/A C:\PROGRA~3\kdmapper.exe C:\Windows\svchost.com
PID 3992 wrote to memory of 2860 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3992 wrote to memory of 2860 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3992 wrote to memory of 2860 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3748 wrote to memory of 4776 N/A C:\PROGRA~3\kdmapper.exe C:\Windows\svchost.com
PID 3748 wrote to memory of 4776 N/A C:\PROGRA~3\kdmapper.exe C:\Windows\svchost.com
PID 3748 wrote to memory of 4776 N/A C:\PROGRA~3\kdmapper.exe C:\Windows\svchost.com
PID 4776 wrote to memory of 3060 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4776 wrote to memory of 3060 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4776 wrote to memory of 3060 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3748 wrote to memory of 1224 N/A C:\PROGRA~3\kdmapper.exe C:\Windows\svchost.com
PID 3748 wrote to memory of 1224 N/A C:\PROGRA~3\kdmapper.exe C:\Windows\svchost.com
PID 3748 wrote to memory of 1224 N/A C:\PROGRA~3\kdmapper.exe C:\Windows\svchost.com
PID 1224 wrote to memory of 3780 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1224 wrote to memory of 3780 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1224 wrote to memory of 3780 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3748 wrote to memory of 4980 N/A C:\PROGRA~3\kdmapper.exe C:\Windows\svchost.com
PID 3748 wrote to memory of 4980 N/A C:\PROGRA~3\kdmapper.exe C:\Windows\svchost.com
PID 3748 wrote to memory of 4980 N/A C:\PROGRA~3\kdmapper.exe C:\Windows\svchost.com
PID 4980 wrote to memory of 3012 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4980 wrote to memory of 3012 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4980 wrote to memory of 3012 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3748 wrote to memory of 4944 N/A C:\PROGRA~3\kdmapper.exe C:\Windows\svchost.com
PID 3748 wrote to memory of 4944 N/A C:\PROGRA~3\kdmapper.exe C:\Windows\svchost.com
PID 3748 wrote to memory of 4944 N/A C:\PROGRA~3\kdmapper.exe C:\Windows\svchost.com
PID 4944 wrote to memory of 508 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\schtasks.exe
PID 4944 wrote to memory of 508 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\schtasks.exe
PID 4944 wrote to memory of 508 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\kdmapper.exe

"C:\Users\Admin\AppData\Local\Temp\kdmapper.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\kdmapper.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\kdmapper.exe"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\PROGRA~3\kdmapper.exe"

C:\PROGRA~3\kdmapper.exe

C:\PROGRA~3\kdmapper.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Roaming\KEYAUT~1.EXE"

C:\Users\Admin\AppData\Roaming\KEYAUT~1.EXE

C:\Users\Admin\AppData\Roaming\KEYAUT~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\PROGRA~3\kdmapper.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\PROGRA~3\kdmapper.exe'

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'kdmapper.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'kdmapper.exe'

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\RtkAudUService64.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\RtkAudUService64.exe'

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RtkAudUService64.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RtkAudUService64.exe'

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "RtkAudUService64" /tr "C:\ProgramData\RtkAudUService64.exe"

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\System32\schtasks.exe /create /f /RL HIGHEST /sc minute /mo 1 /tn RtkAudUService64 /tr C:\ProgramData\RtkAudUService64.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 25.147.200.23.in-addr.arpa udp
US 8.8.8.8:53 keyauth.win udp
US 104.26.1.5:443 keyauth.win tcp
US 8.8.8.8:53 5.1.26.104.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
DE 45.88.90.228:7000 tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
DE 45.88.90.228:7000 tcp

Files

C:\Users\Admin\AppData\Local\Temp\3582-490\kdmapper.exe

MD5 8b0bec71c0c9bfb67fc51cfeca662758
SHA1 aac11a7bcc44ac97f609375271d60b47d09764b6
SHA256 8b20f47382ac9fb608e568787d9d2974a3c3716bf56ba0208ef5599b19db4a1c
SHA512 0e62b0c72caccdc35307bf9175c101ac3b1076f918db54605bad71097104befff8d818977401ed808bfc8b1abc56c8c5af243bc9fdc51ee4e8b50fb1bfbb25b8

memory/1364-12-0x0000000073BD2000-0x0000000073BD3000-memory.dmp

memory/1364-13-0x0000000073BD0000-0x0000000074181000-memory.dmp

memory/1364-15-0x0000000073BD0000-0x0000000074181000-memory.dmp

C:\ProgramData\kdmapper.exe

MD5 1fb060973127af435a948361cba03b9e
SHA1 f861149e155e9bb3ef1f2f748874e884cde54cee
SHA256 194bee6ca7df1015b6b5c5296d04f711128a4ec2970bdab1bf621af758251949
SHA512 8d22e67d3200ab028822985e35c6314051b1dc0cab612e6917e326f0c75ad9d9a97af7f8146f70468026b5efcc5d09d4d1d9f89f34191cfed3179db1285e5eba

C:\Windows\svchost.com

MD5 36fd5e09c417c767a952b4609d73a54b
SHA1 299399c5a2403080a5bf67fb46faec210025b36d
SHA256 980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2
SHA512 1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe

MD5 c6468039d2d2d29d67da192c4b93fbce
SHA1 6c295a9bff97d20fd8d1e7bd0306047965c03c27
SHA256 574ffc78000ac5e306858cead0d0669ecc3c0bd2541001bab1d2f5c46e9d74e7
SHA512 5777425adec2b763f3535dce5963422b986fb2ec25517f326b99956ffe5970a477f05cb1009f1fd54da2890ab26e79687bcf05efacb8f8a06a2bc0400b228be9

C:\Windows\directx.sys

MD5 51e8088e6e80e7928a63c0a35e4f1f4e
SHA1 af3c67f1ebe1e48432e88aeae04afd09d32e8175
SHA256 90dc950b0fc2e8acb78859939ab7e9bf2efb7508efb02b4f2f9e93ab43dc1b2a
SHA512 4efec73db68d8d193e37c98485742d207db383a125de5765d15140e90b8589a6c81ff84ac4836bde1d8fac603675c61704d99f077811d094909aeac0815bc18c

memory/3748-50-0x0000000000ED0000-0x0000000000EE8000-memory.dmp

memory/1364-49-0x0000000073BD0000-0x0000000074181000-memory.dmp

memory/3748-47-0x00007FFFF3A33000-0x00007FFFF3A35000-memory.dmp

memory/3860-53-0x0000000000E40000-0x0000000000E5C000-memory.dmp

memory/3860-54-0x0000000005610000-0x0000000005622000-memory.dmp

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

MD5 02c064bea2cf9da44904c9a1ecb61c48
SHA1 75b874030dc2300f6663ba70e3bb5b4475e4b89c
SHA256 3ed504ee3804fdd067bf02599ae9d41ef0f795f9f6f5ae1038e25578d0230f0a
SHA512 fb8aa2bba96efa28fd56ccf5bb0d2505c13d4b98740ad3f5c1b8b0ea131ebd4f9e9822d259e9c96ec595c5843f908f12b51880a8d4c366721591e89c830a5ce8

C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE

MD5 9dfcdd1ab508b26917bb2461488d8605
SHA1 4ba6342bcf4942ade05fb12db83da89dc8c56a21
SHA256 ecd5e94da88c653e4c34b6ab325e0aca8824247b290336f75c410caa16381bc5
SHA512 1afc1b95f160333f1ff2fa14b3f22a28ae33850699c6b5498915a8b6bec1cfc40f33cb69583240aa9206bc2ea7ab14e05e071275b836502a92aa8c529fc1b137

memory/3860-79-0x0000000005FA0000-0x0000000005FDC000-memory.dmp

C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe

MD5 d47ed8961782d9e27f359447fa86c266
SHA1 d37d3f962c8d302b18ec468b4abe94f792f72a3b
SHA256 b1ec065f71cc40f400e006586d370997102860504fd643b235e8ed9f5607262a
SHA512 3e33f2cdf35024868b183449019de9278035e7966b342ba320a6c601b5629792cbb98a19850d4ca80b906c85d10e8503b0193794d1f1efa849fa33d26cff0669

C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE

MD5 bcd0f32f28d3c2ba8f53d1052d05252d
SHA1 c29b4591df930dabc1a4bd0fa2c0ad91500eafb2
SHA256 bb07d817b8b1b6b4c25e62b6120e51dec10118557d7b6b696ad084a5ba5bfdeb
SHA512 79f407735853f82f46870c52058ceee4d91857a89db14868ee1169abd5c0fd2e3fa1ed230ab90b5f479a9581b88998643d69b0df498defea29e73b0d487f3b10

C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe

MD5 e316c67c785d3e39e90341b0bbaac705
SHA1 7ffd89492438a97ad848068cfdaab30c66afca35
SHA256 4fc8b9433b45c2607cbdf3d1c042c3918b854c9db3ade13b5bb2761d28f1c478
SHA512 25ec433c10adc69305de97107463be74d7b4768acca27886498485e8bc2c8b099994e6c1c6c09a7e603816203d6b18e509fb79f24992915eb802f59bcb790090

C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe

MD5 e7a27a45efa530c657f58fda9f3b9f4a
SHA1 6c0d29a8b75574e904ab1c39fc76b39ca8f8e461
SHA256 d6f11401f57293922fb36cd7542ae811ab567a512449e566f83ce0dcef5ff8e5
SHA512 0c37b41f3c075cd89a764d81f751c3a704a19240ad8e4ebab591f399b9b168b920575749e9d24c2a8f0400b9f340ab9fea4db76ff7060d8af00e2b36ac0c4a54

C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe

MD5 6f87ccb8ab73b21c9b8288b812de8efa
SHA1 a709254f843a4cb50eec3bb0a4170ad3e74ea9b3
SHA256 14e7a1f2f930380903ae3c912b4a70fd0a59916315c46874805020fe41215c22
SHA512 619b45b9728880691a88fbfc396c9d34b41d5e349e04d2eb2d18c535fffc079395835af2af7ca69319954a98852d2f9b7891eff91864d63bf25759c156e192ee

C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe

MD5 0511abca39ed6d36fff86a8b6f2266cd
SHA1 bfe55ac898d7a570ec535328b6283a1cdfa33b00
SHA256 76ae68fc7c6c552c4a98c5df640cd96cf27b62e7e1536b7f7d08eff56fcde8b8
SHA512 6608412e3ed0057f387bafcddcb07bfe7da4f207c7300c460e5acc4bd234cec3362191800789eb465eb120ec069e3ed49eabb6bd7db30d9e9245a89bb20e4346

C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe

MD5 0f2a15d7f0ba496847dfeac5f2aee9f2
SHA1 8c6fba98c42dc86d53f6ff1ec7db22683982203b
SHA256 ca787720bbe943d0315c1aa9c3b05b63c8def624801512a39f671692c6a37366
SHA512 23826e69106884d3d86ab81a720d890f2abdd7bee3ce8bffc2e126830128f00e4ec1a050ed725da17b53c0052bc24e2f15cd1643ab1f909e72a15df842858b98

C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE

MD5 3b0e91f9bb6c1f38f7b058c91300e582
SHA1 6e2e650941b1a96bb0bb19ff26a5d304bb09df5f
SHA256 57c993cadf4bf84810cea23a7112c6e260624beaab48d0e4332d3462900fec1d
SHA512 a4fbe28a0135f4632e0a5b6bd775f8d010250b0fbfe223db1fe81d18552a6bc166ebce807853ba02e6a476e9829454805e415ca828a5e043bd1e63dc53599d0f

C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE

MD5 e5589ec1e4edb74cc7facdaac2acabfd
SHA1 9b12220318e848ed87bb7604d6f6f5df5dbc6b3f
SHA256 6ce92587a138ec07dac387a294d0bbe8ab629599d1a2868d2afaccea3b245d67
SHA512 f36ab33894681f51b9cec7ea5a738eb081a56bcd7625bdd2f5ef2c084e4beb7378be8f292af3aeae79d9317ba57cc41df89f00aef52e58987bdb2eac3f48171a

C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE

MD5 400836f307cf7dbfb469cefd3b0391e7
SHA1 7af3cbb12d3b2d8b5d9553c687c6129d1dd90a10
SHA256 cb5c5abb625a812d47007c75e3855be3f29da527a41cf03730ad5c81f3eb629a
SHA512 aa53cb304478585d6f83b19a6de4a7938ba2570d380a565a56ff5365aed073d5f56b95ad3228eb7d1e7e6110c6172a58b97bd6a5e57e4a8d39e762ed31dc17c8

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE

MD5 301d7f5daa3b48c83df5f6b35de99982
SHA1 17e68d91f3ec1eabde1451351cc690a1978d2cd4
SHA256 abe398284d90be5e5e78f98654b88664e2e14478f7eb3f55c5fd1c1bcf1bebee
SHA512 4a72a24dec461d116fe8324c651913273ccaa50cb036ccdacb3ae300e417cf4a64aa458869b8d2f3b4c298c59977437d11b241d08b391a481c3226954bba22e4

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE

MD5 5c78384d8eb1f6cb8cb23d515cfe7c98
SHA1 b732ab6c3fbf2ded8a4d6c8962554d119f59082e
SHA256 9abd7f0aa942ee6b263cdc4b32a4110ddb95e43ad411190f0ea48c0064884564
SHA512 99324af5f8fb70a9d01f97d845a4c6999053d6567ba5b80830a843a1634b02eaf3c0c04ced924cf1b1be9b4d1dbbcb95538385f7f85ad84d3eaaa6dcdebcc8a6

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe

MD5 5119e350591269f44f732b470024bb7c
SHA1 4ccd48e4c6ba6e162d1520760ee3063e93e2c014
SHA256 2b3aa9642b291932ba7f9f3d85221402a9d27078f56ef0e9c6bca633616e3873
SHA512 599b4ec673169d42a348d1117737b4ad4d7539574153df5a5c7689130c9ac5ff5cd00f3c8ec39adf32ff2b56be074081efcabb6456272c649703c3ea6cdaded4

C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MIA062~1.EXE

MD5 7abe22be5c0dcb7e9632a304429772eb
SHA1 bf3cc17af14b6a3384162809def0460b57af8896
SHA256 1b3f3a1c7786f24e3b4b446cb6ca9e2c78a04c95f7e77a071a70c1def07d46cb
SHA512 7f9c0af509b1fc9a19b7ccbd6c8ecdd3e86a829ea7d5deee117aec483a9d82fd899633a45708c99aca04c3b03d6fd5918b286eb4a996bac76bcd1a4281d1c824

C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe

MD5 5d656c152b22ddd4f875306ca928243a
SHA1 177ff847aa898afa1b786077ae87b5ae0c7687c7
SHA256 4d87b0eb331443b473c90650d31b893d00373ff88dcbcb3747f494407799af69
SHA512 d5e50ee909ea06e69fc0d9999c6d142f9154e6f63462312b4e950cf6e26a7d395dbb50c8e2a8c4f4e1cfb7b2c6ae8ad19e3b7c204c20e7557daa1a0deb454160

C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MI9C33~1.EXE

MD5 a15016441259c3704235b7c1cb654d06
SHA1 c9277f066c26446758df4fff5045a367f2a799ce
SHA256 d2c00ac573df0c4eb408c4cba1add7e24bd0ce3fb151b943e1a924f88b5d4595
SHA512 f4b1c0c5693a5f1d847d3ef8a6cc45ac5c87a763439605ad5bc5bfbcf05ad5911ef250639585233a1c73bd35a591b4fb7ef9bde841db8d9334998759fd0b8d17

memory/3380-176-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\ALLUSE~1\Adobe\Setup\{AC76B~1\setup.exe

MD5 8a403bc371b84920c641afa3cf9fef2f
SHA1 d6c9d38f3e571b54132dd7ee31a169c683abfd63
SHA256 614a701b90739e7dbf66b14fbdb6854394290030cc87bbcb3f47e1c45d1f06c3
SHA512 b376ef1f49b793a8cd8b7af587f538cf87cb2fffa70fc144e1d1b7e2e8e365ba4ad0568321a0b1c04e69b4b8b694d77e812597a66be1c59eda626cbf132e2c72

C:\Users\ALLUSE~1\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE

MD5 63dc05e27a0b43bf25f151751b481b8c
SHA1 b20321483dac62bce0aa0cef1d193d247747e189
SHA256 7d607fb69c69a72a5bf4305599279f46318312ce1082b6a34ac9100b8c7762ce
SHA512 374d705704d456cc5f9f79b7f465f6ec7c775dc43001c840e9d6efbbdef20926ed1fa97f8a9b1e73161e17f72520b96c05fa58ac86b3945208b405f9166e7ba3

C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXE

MD5 91490c78c45cbd686ac759b6a252e898
SHA1 51bb6c5aa14cf478b0b6fa0329c7366d1f6fb480
SHA256 47f3331b4f35012d38bc11cdeae0ff7b4ae1186d4e916e3e48a9440438296821
SHA512 f7d44cd6df2c0c492731c14ca27e26605e8cddb9cb9287bf083fe1e43f753cafa11c341f0915510ad1d189466e92bb3f4e219b3599e9df72878bde14518bee35

C:\Users\ALLUSE~1\PACKAG~1\{61087~1\VCREDI~1.EXE

MD5 7a36ae2055dc8aa5791f86a0583197b4
SHA1 deade87912580a5386096768f569781a92dbb9d4
SHA256 64d1449187d26e3b769300335ed0fc5d31e2a2ee2264774ea9da2c396a6d8328
SHA512 e042b3338617366afa3bbcd0f589f632a63567149b78172acb16524b6c488c10649578416f992146b70506fc55f3a9a79624bb87aac21fa80658afc5b5693680

C:\Users\ALLUSE~1\PACKAG~1\{EF5AF~1\WINDOW~1.EXE

MD5 a08906b2468637919bbf60600e56cb5a
SHA1 b3461c43871907049a70745758a0c51f97eb52c6
SHA256 93ec8003a3be400cf547464c375abaf9743b376f7cba0c19cc19299936314e29
SHA512 7425f843db32404e439b491beb591672b3dc07fb52916280909793b360ec9147cf936bdf61d693fc959016dfdb8c23362e449322bf5509194eb12c6088e45392

C:\Users\ALLUSE~1\PACKAG~1\{D87AE~1\WINDOW~1.EXE

MD5 ce87c8a7b58a3cc12bb7a05782249dfa
SHA1 a87d91e70a998737e19f5666417e0d5f8b857754
SHA256 257b43ec42a4ff904cd18f48e74bef64cbe80dda79947252c31d0ef70a656e07
SHA512 8f0b5cf2f8a615f21693df2a4581b20290a00cf88cc28280fd97f447cab6a147a96ab485ddc7cbfd4d180d0dc8b14053329bce3a49c4c2da4844aa56810d0c90

C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE

MD5 87f15006aea3b4433e226882a56f188d
SHA1 e3ad6beb8229af62b0824151dbf546c0506d4f65
SHA256 8d0045c74270281c705009d49441167c8a51ac70b720f84ff941b39fad220919
SHA512 b01a8af6dc836044d2adc6828654fa7a187c3f7ffe2a4db4c73021be6d121f9c1c47b1643513c3f25c0e1b5123b8ce2dc78b2ca8ce638a09c2171f158762c7c1

C:\Users\ALLUSE~1\PACKAG~1\{63880~1\WINDOW~1.EXE

MD5 558fdb0b9f097118b0c928bb6062370a
SHA1 ad971a9a4cac3112a494a167e1b7736dcd6718b3
SHA256 90cee4a89cc1401ac464818226b7df69aa930804cefce56758d4e2ea0009d924
SHA512 5d08d5428e82fb3dad55c19e2c029de8f16e121faac87575b97f468b0ec312b3e0696225546cba91addaaf8f2451d44ae6386b4e4f7f621ce45055f3be797d7c

C:\Users\ALLUSE~1\PACKAG~1\{57A73~1\VC_RED~1.EXE

MD5 06366e48936df8d5556435c9820e9990
SHA1 0e3ed1da26a0c96f549720684e87352f1b58ef45
SHA256 cd47cce50016890899413b2c3609b3b49cb1b65a4dfcaa34ece5a16d8e8f6612
SHA512 bea7342a6703771cb9b11cd164e9972eb981c33dcfe3e628b139f9e45cf1e24ded1c55fcdfa0697bf48772a3359a9ddd29e4bb33c796c94727afd1c4d5589ea3

C:\Users\ALLUSE~1\PACKAG~1\{4D8DC~1\VC_RED~1.EXE

MD5 5c8932a11c5b391f662e556c7525c11b
SHA1 ff1f59ba26175ac823b55007640c792ec3057b9d
SHA256 9eed8fd8b33d7992d551e2adc3eb92ddb95ec436a68293b214be9334f564fbec
SHA512 9c60cd4cf75fc6df077cfcc27988b9dc7dd500532c396d2e274bd37b34797ff2ccefc00d3a27c922b1f28cf6f334d5038efc0920fa3793a17961c49125e96a2d

C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1\VCREDI~1.EXE

MD5 cc5020b193486a88f373bedca78e24c8
SHA1 61744a1675ce10ddd196129b49331d517d7da884
SHA256 e87936bb1f0794b7622f8ce5b88e4b57b2358c4e0d0fd87c5cd9fa03b8429e2a
SHA512 bc2c77a25ad9f25ac19d8216dafc5417513cb57b9984237a5589a0bb684fdac4540695fcfb0df150556823b191014c96b002e4234a779bd064d36166afeb09d2

C:\Windows\directx.sys

MD5 8dc2947a916cfe292a6dce225c32d218
SHA1 59f674d46b6f92233b107f12aaf0958bf5a668c0
SHA256 6ed9a2907b7dec195ebb2a486ed3ae6f11ef655a9f2d0ee485adb6a85b6e79f3
SHA512 50349af678162f3813d6141e5e5a1c5fa2a63aa081d8bd788f5474c4f958364e98b3299fb820cebadbc30514d508b62b56689257a2e0e51c90fc7821493bd606

memory/3992-203-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4776-211-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1224-219-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2860-229-0x0000000005080000-0x00000000050B6000-memory.dmp

memory/4980-230-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2860-231-0x0000000005890000-0x0000000005EB8000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 e00e9f35320d6499763f11d420776082
SHA1 ffc190d5c6d752d0a6bdae65905af13d744b52d9
SHA256 0530cb35d31d3e2cc227a1c008049fe2208a7b306dd30fca4329fec8f5715e4c
SHA512 b43f286d4272154221c7e9476e05a86b9c9f2fc070be094cdefe554420d0af542e42d969101723a041f7bad228e4690723d880547c98983d057cef019ef2988a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 93a9f41c119bb0e8bb5b0968a06153a5
SHA1 db7c6afd79b3b4450a68763c2f98e7a15a509daa
SHA256 c0630508be4b24e1321314578fd9ee66491d465ca6c9dbb94ae7a8edfb5d3357
SHA512 5a3b2f20c8df9581225af1500d8f1e123d9116750ca524ae72ae671c13ee8f175b9a5ab811b0cbb846f930ca368390ed684f0175d24a420837f681957b81108e

memory/2860-240-0x0000000005720000-0x0000000005786000-memory.dmp

memory/2860-239-0x0000000005680000-0x00000000056A2000-memory.dmp

memory/2860-241-0x0000000005790000-0x00000000057F6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qrgc2pyk.33n.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2860-248-0x0000000006050000-0x00000000063A4000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 e27c1153b8d6a77ef5732941b79c2518
SHA1 311a47ea464709cddc224633b426045443107c98
SHA256 41abc2449ecacf784e262d9b7e3fe17acf5f0af7830ca5e28a656b7891523818
SHA512 0527a2095e88317a77cb1baaccbe8f0b16b41714488b103a78376ac95065b770a99f9e771f4edaa2ddd58705f4c14b00893c9dec96270aca8f3c6395d8119c23

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 e78c5d2e6ed3be68dc229f1b7ffcd1c1
SHA1 c8fa26d37cfd7dfe0393bd3c03c8a452270ae321
SHA256 dbf8ddf4f967bf9443a4ac623a6690d8a489a6766c43bd76492c36e0a252790a
SHA512 2d707ce6b3645b2fc24040a35fad0c8ec0d058dc0dd6863a4d4e0686bb5b3c03b7fd03c5c39e9398f3ab359e129f62b0ce7f756162e9854cb6468b5ceb83434b

memory/4944-283-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Windows\directx.sys

MD5 0de6784f74a59413ee1341a35fa14551
SHA1 94341fe432985750672eae3b01fa2a8165e8c44c
SHA256 62bf9ef4b3359f708340ec72276151575653ff78f3e9937cecb748ce0403a82e
SHA512 0030b2cc0e50286ecbd4db2b212c470baaac6e6cef292885e75117eb2c6bad6d7b310c8ff18166caf3fd8eda195492de4d956f7a0344001517f3828eec4229e1

memory/2860-303-0x0000000006520000-0x000000000653E000-memory.dmp

memory/2860-304-0x0000000006A90000-0x0000000006ADC000-memory.dmp

memory/2860-316-0x0000000007670000-0x000000000768E000-memory.dmp

memory/2860-306-0x000000006F890000-0x000000006F8DC000-memory.dmp

memory/2860-305-0x0000000007690000-0x00000000076C2000-memory.dmp

memory/2860-326-0x00000000076E0000-0x0000000007783000-memory.dmp

memory/3060-317-0x000000006F890000-0x000000006F8DC000-memory.dmp

memory/3012-328-0x000000006F890000-0x000000006F8DC000-memory.dmp

memory/2860-338-0x0000000007E80000-0x00000000084FA000-memory.dmp

memory/2860-339-0x0000000007830000-0x000000000784A000-memory.dmp

memory/3012-340-0x0000000006FF0000-0x0000000006FFA000-memory.dmp

memory/3780-342-0x000000006F890000-0x000000006F8DC000-memory.dmp

memory/3012-341-0x00000000071F0000-0x0000000007286000-memory.dmp

memory/3012-352-0x0000000007170000-0x0000000007181000-memory.dmp

memory/5028-353-0x0000000000400000-0x000000000041B000-memory.dmp

memory/964-354-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2860-355-0x0000000007A60000-0x0000000007A6E000-memory.dmp

memory/3060-356-0x0000000007160000-0x0000000007174000-memory.dmp

memory/2860-357-0x0000000007B90000-0x0000000007BAA000-memory.dmp

memory/3060-358-0x0000000007240000-0x0000000007248000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b06ede29ccb5c27155d7725ca89c65ac
SHA1 fb9760f4e9f1cad0e054fa6d5bd9c0167825ac22
SHA256 05fa20275a52bbc3ddcbe7d3f73255eb2801c4eec3ee0d3f69dd4c1369e20fb1
SHA512 9a34dcbfa53546dd042acfe20de6b2e79138c27de8f1e3cbc6f4d632c35fe88a1c27596ea7581a3fb3cd11fce8579fdc759c9c57b76ea7be5aa69d0a8fae43a3

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6d1b158eed05ece804cf99de9427e83c
SHA1 c5b55a89b152417b2cf534a098978ee165569821
SHA256 7fcdfd1e8fb3645efdc70db2e8103a72d9a10e34a643726349cf0fdd182c31b7
SHA512 41d0db862ae36472fda86a214e39aa4d242e0f41f0ff8e0a3b3d2b9e7fd07f0095845a64f5434547150ca4374bacdbf0489f2a3405475e121d115e9472a39161

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d7c16254cbba2d10b86f1833aadfcc6d
SHA1 2ed5edd0612cc22137e3b763a42e43bfd933c5df
SHA256 c97b274d9727012d568d74ccd43bd93efba256e1d6ab89459efd36d8286dece0
SHA512 38f10e67b3ad91ca6cb1fe388aab09451a1a95f308bc5ca477af6a8783a2ebc98f241de44fbcc41dd806a0496263b3730cfa85ca4787150ad3d7cb76c8223e1e

memory/964-369-0x0000000000400000-0x000000000041B000-memory.dmp

memory/5028-368-0x0000000000400000-0x000000000041B000-memory.dmp

memory/964-371-0x0000000000400000-0x000000000041B000-memory.dmp

memory/5028-370-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3748-372-0x00007FFFF3A33000-0x00007FFFF3A35000-memory.dmp

memory/964-384-0x0000000000400000-0x000000000041B000-memory.dmp

memory/5028-383-0x0000000000400000-0x000000000041B000-memory.dmp

memory/5028-388-0x0000000000400000-0x000000000041B000-memory.dmp

memory/964-387-0x0000000000400000-0x000000000041B000-memory.dmp