Malware Analysis Report

2024-09-11 02:47

Sample ID 240527-j1msqsdc7s
Target kdmapper.exe
SHA256 8b20f47382ac9fb608e568787d9d2974a3c3716bf56ba0208ef5599b19db4a1c
Tags
neshta xworm execution persistence rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8b20f47382ac9fb608e568787d9d2974a3c3716bf56ba0208ef5599b19db4a1c

Threat Level: Known bad

The file kdmapper.exe was found to be: Known bad.

Malicious Activity Summary

neshta xworm execution persistence rat spyware stealer trojan

Neshta

Detect Neshta payload

Xworm

Detect Xworm Payload

Command and Scripting Interpreter: PowerShell

Drops startup file

Reads user/profile data of web browsers

Loads dropped DLL

Checks computer location settings

Modifies system executable filetype association

Executes dropped EXE

Looks up external IP address via web service

Adds Run key to start application

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Suspicious use of SendNotifyMessage

Creates scheduled task(s)

Enumerates system info in registry

Modifies system certificate store

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of FindShellTrayWindow

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Command and Scripting Interpreter
T1059
PowerShell
T1059.001
Scheduled Task/Job
T1053
Persistence
TA0003
Event Triggered Execution
T1546
Change Default File Association
T1546.001
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Scheduled Task/Job
T1053
Privilege Escalation
TA0004
Event Triggered Execution
T1546
Change Default File Association
T1546.001
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Scheduled Task/Job
T1053
Defense Evasion
TA0005
Modify Registry
T1112
Subvert Trust Controls
T1553
Install Root Certificate
T1553.004
Credential Access
TA0006
Unsecured Credentials
T1552
Credentials In Files
T1552.001
Discovery
TA0007
System Information Discovery
T1082
Query Registry
T1012
Lateral Movement
TA0008
Collection
TA0009
Data from Local System
T1005
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-05-27 08:08

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-27 08:08

Reported

2024-05-27 08:11

Platform

win7-20240221-en

Max time kernel

149s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\kdmapper.exe"

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Neshta

persistence spyware neshta

Xworm

trojan rat xworm

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RtkAudUService64.lnk C:\ProgramData\kdmapper.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RtkAudUService64.lnk C:\ProgramData\kdmapper.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\kdmapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\Keyauth-console-loader.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\ProgramData\RtkAudUService64.exe N/A
N/A N/A C:\ProgramData\RtkAudUService64.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\kdmapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kdmapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kdmapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\RtkAudUService64 = "C:\\ProgramData\\RtkAudUService64.exe" C:\ProgramData\kdmapper.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\wabmig.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
File opened for modification C:\PROGRA~3\kdmapper.exe C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\WMPDMC.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\WMPDMC.exe C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\wab.exe C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmpconfig.exe C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\ImagingDevices.exe C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\WinMail.exe C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\misc.exe C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\setup_wm.exe C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmlaunch.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmplayer.exe C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~3\kdmapper.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\WINDOW~4\ImagingDevices.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\3582-490\Keyauth-console-loader.exe

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\3582-490\Keyauth-console-loader.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\AppData\Local\Temp\3582-490\Keyauth-console-loader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\3582-490\Keyauth-console-loader.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\3582-490\Keyauth-console-loader.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\3582-490\Keyauth-console-loader.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\3582-490\Keyauth-console-loader.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe N/A
N/A N/A C:\ProgramData\kdmapper.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\ProgramData\kdmapper.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\Keyauth-console-loader.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\kdmapper.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\RtkAudUService64.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\RtkAudUService64.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\ProgramData\kdmapper.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1612 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\kdmapper.exe C:\ProgramData\kdmapper.exe
PID 1612 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\kdmapper.exe C:\ProgramData\kdmapper.exe
PID 1612 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\kdmapper.exe C:\ProgramData\kdmapper.exe
PID 1612 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\kdmapper.exe C:\ProgramData\kdmapper.exe
PID 1612 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\kdmapper.exe C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe
PID 1612 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\kdmapper.exe C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe
PID 1612 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\kdmapper.exe C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe
PID 1612 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\kdmapper.exe C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe
PID 2980 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe C:\Users\Admin\AppData\Local\Temp\3582-490\Keyauth-console-loader.exe
PID 2980 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe C:\Users\Admin\AppData\Local\Temp\3582-490\Keyauth-console-loader.exe
PID 2980 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe C:\Users\Admin\AppData\Local\Temp\3582-490\Keyauth-console-loader.exe
PID 2980 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe C:\Users\Admin\AppData\Local\Temp\3582-490\Keyauth-console-loader.exe
PID 2744 wrote to memory of 592 N/A C:\ProgramData\kdmapper.exe C:\Windows\svchost.com
PID 2744 wrote to memory of 592 N/A C:\ProgramData\kdmapper.exe C:\Windows\svchost.com
PID 2744 wrote to memory of 592 N/A C:\ProgramData\kdmapper.exe C:\Windows\svchost.com
PID 2744 wrote to memory of 592 N/A C:\ProgramData\kdmapper.exe C:\Windows\svchost.com
PID 592 wrote to memory of 2064 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
PID 592 wrote to memory of 2064 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
PID 592 wrote to memory of 2064 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
PID 592 wrote to memory of 2064 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
PID 2548 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\Keyauth-console-loader.exe C:\Windows\SysWOW64\WerFault.exe
PID 2548 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\Keyauth-console-loader.exe C:\Windows\SysWOW64\WerFault.exe
PID 2548 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\Keyauth-console-loader.exe C:\Windows\SysWOW64\WerFault.exe
PID 2548 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\Keyauth-console-loader.exe C:\Windows\SysWOW64\WerFault.exe
PID 2744 wrote to memory of 1300 N/A C:\ProgramData\kdmapper.exe C:\Windows\svchost.com
PID 2744 wrote to memory of 1300 N/A C:\ProgramData\kdmapper.exe C:\Windows\svchost.com
PID 2744 wrote to memory of 1300 N/A C:\ProgramData\kdmapper.exe C:\Windows\svchost.com
PID 2744 wrote to memory of 1300 N/A C:\ProgramData\kdmapper.exe C:\Windows\svchost.com
PID 1300 wrote to memory of 2200 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
PID 1300 wrote to memory of 2200 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
PID 1300 wrote to memory of 2200 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
PID 1300 wrote to memory of 2200 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
PID 2744 wrote to memory of 1588 N/A C:\ProgramData\kdmapper.exe C:\Windows\svchost.com
PID 2744 wrote to memory of 1588 N/A C:\ProgramData\kdmapper.exe C:\Windows\svchost.com
PID 2744 wrote to memory of 1588 N/A C:\ProgramData\kdmapper.exe C:\Windows\svchost.com
PID 2744 wrote to memory of 1588 N/A C:\ProgramData\kdmapper.exe C:\Windows\svchost.com
PID 1588 wrote to memory of 2244 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
PID 1588 wrote to memory of 2244 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
PID 1588 wrote to memory of 2244 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
PID 1588 wrote to memory of 2244 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
PID 2744 wrote to memory of 2864 N/A C:\ProgramData\kdmapper.exe C:\Windows\svchost.com
PID 2744 wrote to memory of 2864 N/A C:\ProgramData\kdmapper.exe C:\Windows\svchost.com
PID 2744 wrote to memory of 2864 N/A C:\ProgramData\kdmapper.exe C:\Windows\svchost.com
PID 2744 wrote to memory of 2864 N/A C:\ProgramData\kdmapper.exe C:\Windows\svchost.com
PID 2864 wrote to memory of 2628 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
PID 2864 wrote to memory of 2628 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
PID 2864 wrote to memory of 2628 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
PID 2864 wrote to memory of 2628 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
PID 2744 wrote to memory of 2836 N/A C:\ProgramData\kdmapper.exe C:\Windows\svchost.com
PID 2744 wrote to memory of 2836 N/A C:\ProgramData\kdmapper.exe C:\Windows\svchost.com
PID 2744 wrote to memory of 2836 N/A C:\ProgramData\kdmapper.exe C:\Windows\svchost.com
PID 2744 wrote to memory of 2836 N/A C:\ProgramData\kdmapper.exe C:\Windows\svchost.com
PID 2836 wrote to memory of 580 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\schtasks.exe
PID 2836 wrote to memory of 580 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\schtasks.exe
PID 2836 wrote to memory of 580 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\schtasks.exe
PID 2836 wrote to memory of 580 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\schtasks.exe
PID 1180 wrote to memory of 2492 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\RtkAudUService64.exe
PID 1180 wrote to memory of 2492 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\RtkAudUService64.exe
PID 1180 wrote to memory of 2492 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\RtkAudUService64.exe
PID 1180 wrote to memory of 1980 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\RtkAudUService64.exe
PID 1180 wrote to memory of 1980 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\RtkAudUService64.exe
PID 1180 wrote to memory of 1980 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\RtkAudUService64.exe

Processes

C:\Users\Admin\AppData\Local\Temp\kdmapper.exe

"C:\Users\Admin\AppData\Local\Temp\kdmapper.exe"

C:\ProgramData\kdmapper.exe

"C:\ProgramData\kdmapper.exe"

C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe

"C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\Keyauth-console-loader.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\Keyauth-console-loader.exe"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\kdmapper.exe'

C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe

C:\Windows\System32\WINDOW~1\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\kdmapper.exe'

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 1472

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'kdmapper.exe'

C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe

C:\Windows\System32\WINDOW~1\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'kdmapper.exe'

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\RtkAudUService64.exe'

C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe

C:\Windows\System32\WINDOW~1\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\RtkAudUService64.exe'

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RtkAudUService64.exe'

C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe

C:\Windows\System32\WINDOW~1\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RtkAudUService64.exe'

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "RtkAudUService64" /tr "C:\ProgramData\RtkAudUService64.exe"

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\System32\schtasks.exe /create /f /RL HIGHEST /sc minute /mo 1 /tn RtkAudUService64 /tr C:\ProgramData\RtkAudUService64.exe

C:\Windows\system32\taskeng.exe

taskeng.exe {C1BCD75C-053B-486B-B5BB-C117FCF12AE7} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]

C:\ProgramData\RtkAudUService64.exe

C:\ProgramData\RtkAudUService64.exe

C:\ProgramData\RtkAudUService64.exe

C:\ProgramData\RtkAudUService64.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 keyauth.win udp
US 104.26.1.5:443 keyauth.win tcp
US 8.8.8.8:53 apps.identrust.com udp
IE 2.18.24.9:80 apps.identrust.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
TR 178.215.236.228:7000 tcp

Files

memory/1612-0-0x0000000074191000-0x0000000074192000-memory.dmp

memory/1612-1-0x0000000074190000-0x000000007473B000-memory.dmp

memory/1612-2-0x0000000074190000-0x000000007473B000-memory.dmp

\ProgramData\kdmapper.exe

MD5 1fb060973127af435a948361cba03b9e
SHA1 f861149e155e9bb3ef1f2f748874e884cde54cee
SHA256 194bee6ca7df1015b6b5c5296d04f711128a4ec2970bdab1bf621af758251949
SHA512 8d22e67d3200ab028822985e35c6314051b1dc0cab612e6917e326f0c75ad9d9a97af7f8146f70468026b5efcc5d09d4d1d9f89f34191cfed3179db1285e5eba

memory/2744-11-0x000007FEF51F3000-0x000007FEF51F4000-memory.dmp

\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe

MD5 accad9cf663d5819ab171725c62de978
SHA1 6abf132629ebd01588f95e6e87422142145d2c21
SHA256 48ef492c2a7daed9b5fd95cbe3b567a6f75e123ae4d9afeafb0fa1d3784a9c0b
SHA512 4fc791d57b89c4792dba0820af337cea924747efa102952f46afa9ba25f42360836146a9cd7285104657bb4756dfba77856f71e20290cf2f6202a1032ac416da

\Users\Admin\AppData\Local\Temp\3582-490\Keyauth-console-loader.exe

MD5 c6468039d2d2d29d67da192c4b93fbce
SHA1 6c295a9bff97d20fd8d1e7bd0306047965c03c27
SHA256 574ffc78000ac5e306858cead0d0669ecc3c0bd2541001bab1d2f5c46e9d74e7
SHA512 5777425adec2b763f3535dce5963422b986fb2ec25517f326b99956ffe5970a477f05cb1009f1fd54da2890ab26e79687bcf05efacb8f8a06a2bc0400b228be9

memory/1612-27-0x0000000074190000-0x000000007473B000-memory.dmp

memory/2744-32-0x0000000000B20000-0x0000000000B38000-memory.dmp

memory/2548-34-0x0000000001160000-0x000000000117C000-memory.dmp

\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

MD5 9e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1 ec66cda99f44b62470c6930e5afda061579cde35
SHA256 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA512 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

C:\Users\Admin\AppData\Local\Temp\CabA324.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\TarA4C1.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3d25575a89c8bd8672f19a79bc0dd75c
SHA1 ed28d8edb6471d488acea300cd9edbcd9a81fa2b
SHA256 165396b30a87bdef9ad8917753d403504f83391f2b791d764b3412cc7601570b
SHA512 304b247f5c89eb472d03d2d251bde5e3fa6f4df7153f6e20b217231025e408de247879b5843617332ba59acb2a011569257e8abb0e1eda1e4dd6d81a063b7410

C:\Windows\svchost.com

MD5 c23ae27db3868ed615e2fb10aad9c430
SHA1 2ae4f18703f36e3e484da9a14cf557a2f2c83d8d
SHA256 a61dd97cf9eed6d01cd393a00f9cecc33368bd5a04ccbbb74ddcb37b984ebcec
SHA512 4504277050aec35a50476148de71c88fbb1b520bd8c2e8c79e30e7dd6b1f5d41889b9f35adc9bf3c4fdbcba0652e02a4deb9fba608874a3f5d8c0637cbb8adef

C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

MD5 cf6c595d3e5e9667667af096762fd9c4
SHA1 9bb44da8d7f6457099cb56e4f7d1026963dce7ce
SHA256 593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d
SHA512 ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE

MD5 d4fdbb8de6a219f981ffda11aa2b2cc4
SHA1 cca2cffd4cf39277cc56ebd050f313de15aabbf6
SHA256 ba3dc87fca4641e5f5486c4d50c09d087e65264e6c5c885fa6866f6ccb23167b
SHA512 7167e13dbcc8c96114fef5fc7ae19afa31173617db153dd283aa6d8256f6b8c09c8f906f5d418efe9f7f242cdfaef24b93c11c451701c4d56eb48d18de4e88bf

C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE

MD5 02ee6a3424782531461fb2f10713d3c1
SHA1 b581a2c365d93ebb629e8363fd9f69afc673123f
SHA256 ead58c483cb20bcd57464f8a4929079539d634f469b213054bf737d227c026dc
SHA512 6c9272cb1b6bde3ee887e1463ab30ea76568cb1a285d11393337b78c4ad1c3b7e6ce47646a92ab6d70bff4b02ab9d699b84af9437b720e52dcd35579fe2693ec

C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE

MD5 6a091285d13370abb4536604b5f2a043
SHA1 8bb4aad8cadbd3894c889de85e7d186369cf6ff1
SHA256 909205de592f50532f01b4ac7b573b891f7e6e596b44ff94187b1ba4bcc296bb
SHA512 9696e4f60a5b1166535ca8ca3fb495d718086463d1a12fa1facc08219ad5b918208ddd2a102f7955e29153b081e05985c4ae6e4302ab36d548bb62991a47db18

C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE

MD5 a741183f8c4d83467c51abab1ff68d7b
SHA1 ddb4a6f3782c0f03f282c2bed765d7b065aadcc6
SHA256 78be3aeb507db7e4ee7468c6b9384ee0459deebd503e06bd4988c52247ecea24
SHA512 c15dbecc0754a662892ecaff4b9b6c1bad46f710d8e1b973f86eaee467444f8e5764b31ace8f5a9a5e936947cc4dcb97cb1b14a6930c1025f38a3544393b6b18

C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE

MD5 7ce8bcabb035b3de517229dbe7c5e67d
SHA1 8e43cd79a7539d240e7645f64fd7f6e9e0f90ab9
SHA256 81a3a1dc3104973a100bf8d114b6be35da03767a0cbbaf925f970ffcbe5f217c
SHA512 be7fcd50b4f71b458ca001b7c019bf1169ec089d7a1ce05355134b11cbe75a5a29811f9efec803877aeb1a1d576ea2628926e0131361db23214275af6e89e80c

C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe

MD5 2f6f7891de512f6269c8e8276aa3ea3e
SHA1 53f648c482e2341b4718a60f9277198711605c80
SHA256 d1ee54eb64f31247f182fd62037e64cdb3876e1100bc24883192bf46bab42c86
SHA512 c677f4f7bfb2e02cd0babed896be00567aad08304cbff3a85fcc9816b10247fedd026fee769c9bd45277a4f2814eabe6534f0b04ea804d0095a47a1477188dd6

memory/2980-198-0x0000000000400000-0x000000000041B000-memory.dmp

C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe

MD5 e1833678885f02b5e3cf1b3953456557
SHA1 c197e763500002bc76a8d503933f1f6082a8507a
SHA256 bd9a16d8d7590a2ec827913db5173f8beb1d1ef44dab1920ef52a307f922bc14
SHA512 fe107e1c8631ec6ac94f772e6a7be1fdc2a533fe3cfcf36b1ff018c8d01bd7f1f818f0a2448f736838c953cd516ea7327c416dea20706ed2420327af8ef01abe

C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE

MD5 eef2f834c8d65585af63916d23b07c36
SHA1 8cb85449d2cdb21bd6def735e1833c8408b8a9c6
SHA256 3cd34a88e3ae7bd3681a7e3c55832af026834055020add33e6bd6f552fc0aabd
SHA512 2ee8766e56e5b1e71c86f7d1a1aa1882706d0bca8f84b2b2c54dd4c255e04f037a6eb265302449950e5f5937b0e57f17a6aa45e88a407ace4b3945e65043d9b7

C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe

MD5 3ec4922dbca2d07815cf28144193ded9
SHA1 75cda36469743fbc292da2684e76a26473f04a6d
SHA256 0587fd366ea7e94b3ae500874b1c5d684b5357fcc7389682d5a13c3301a28801
SHA512 956c3a1f2689cb72600edd2e90d652b77592a8a81d319dce026e88f6c02231af06aebd57d68460eb406de00c113522173423cb1b339a41a3918f379c7dc311f7

C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE

MD5 8c4f4eb73490ca2445d8577cf4bb3c81
SHA1 0f7d1914b7aeabdb1f1e4caedd344878f48be075
SHA256 85f7249bfac06b5ee9b20c7f520e3fdc905be7d64cfbefb7dcd82cd8d44686d5
SHA512 65453075c71016b06430246c1ee2876b7762a03112caf13cff4699b7b40487616c88a1160d31e86697083e2992e0dd88ebf1721679981077799187efaa0a1769

C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE

MD5 831270ac3db358cdbef5535b0b3a44e6
SHA1 c0423685c09bbe465f6bb7f8672c936e768f05a3
SHA256 a8f78ac26c738b13564252f1048ca784bf152ef048b829d3d22650b7f62078f0
SHA512 f64a00977d4b6f8c43f53cee7bb450f3c8cbef08525975055fde5d8c515db32d2bfad92e99313b3a10a72a50dd09b4ffe28e9af4c148c6480622ba486776e450

C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe

MD5 566ed4f62fdc96f175afedd811fa0370
SHA1 d4b47adc40e0d5a9391d3f6f2942d1889dd2a451
SHA256 e17cd94c08fc0e001a49f43a0801cea4625fb9aee211b6dfebebec446c21f460
SHA512 cdf8f508d396a1a0d2e0fc25f2ae46398b25039a0dafa0919737cc44e3e926ebae4c3aa26f1a3441511430f1a36241f8e61c515a5d9bd98ad4740d4d0f7b8db7

C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe

MD5 58b58875a50a0d8b5e7be7d6ac685164
SHA1 1e0b89c1b2585c76e758e9141b846ed4477b0662
SHA256 2a0aa0763fdef9c38c5dd4d50703f0c7e27f4903c139804ec75e55f8388139ae
SHA512 d67214077162a105d01b11a8e207fab08b45b08fbfba0615a2ea146e1dd99eea35e4f02958a1754d3192292c00caf777f186f0a362e4b8b0da51fabbdb76375b

C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE

MD5 a24fbb149eddf7a0fe981bd06a4c5051
SHA1 fce5bb381a0c449efad3d01bbd02c78743c45093
SHA256 5d13230eae7cd9b4869145c3280f7208788a8e68c9930a5c9aa3e822684a963d
SHA512 1c73b762c340a8d7ea580985ba034a404c859d814690390a6e0b6786575c219db9ca20880ea20313bb244560e36cf24e4dda90229b3084d770495f4ceedfd5de

C:\PROGRA~2\Google\Update\DISABL~1.EXE

MD5 3b0e91f9bb6c1f38f7b058c91300e582
SHA1 6e2e650941b1a96bb0bb19ff26a5d304bb09df5f
SHA256 57c993cadf4bf84810cea23a7112c6e260624beaab48d0e4332d3462900fec1d
SHA512 a4fbe28a0135f4632e0a5b6bd775f8d010250b0fbfe223db1fe81d18552a6bc166ebce807853ba02e6a476e9829454805e415ca828a5e043bd1e63dc53599d0f

C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE

MD5 92ee5c55aca684cd07ed37b62348cd4e
SHA1 6534d1bc8552659f19bcc0faaa273af54a7ae54b
SHA256 bee98e2150e02ad6259184a35e02e75df96291960032b3085535fb0f1f282531
SHA512 fc9f4569a5f3de81d6a490f0fff4765698cdc891933979a3ce661a6291b606630a0c2b15647fc661109fcea466c7a78552b9cfbca6c5b2079ea1632a9f1b6e22

C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE

MD5 7a4edc8fb7114d0ea3fdce1ea05b0d81
SHA1 02ecc30dbfab67b623530ec04220f87b312b9f6b
SHA256 ff16fdc703e55ddfe5ee867f343f3b20b496e7199c6c4b646335a01026f74550
SHA512 39519685b1dd872008abfa967f79fd3b7a5e6f6ee1b9c3de891aae64490b2d0feb56bcd3f5dab4527d2c6d07646db5966028df153f38a1c09ee88a1ba9a1ef44

C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE

MD5 25b9301a6557a958b0a64752342be27d
SHA1 0887e1a9389a711ef8b82da8e53d9a03901edebc
SHA256 5d916f7c7f6cb6cfd7545a57cb9c9d9c6df16af3517298c346901081a9135303
SHA512 985f6b2fcac2f0425a1a339a55616012879a393caa747412d04c1ee4de3b12aff2cc051860066d84ecbeae335eaa5116ccb8a02090a2674eded367378c56b1ab

C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE

MD5 5d2fd8de43da81187b030d6357ab75ce
SHA1 327122ef6afaffc61a86193fbe3d1cbabb75407e
SHA256 4d117648525a468532da011f0fc051e49bf472bbcb3e9c4696955bd398b9205f
SHA512 9f7470978346746b4e3366f9a6b277aa747cc45f13d36886fc16303221565d23348195b72ac25f7b1711789cd7cb925d7ceea91e384ef4f904a4e49b4e06d9b2

C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE

MD5 44623cc33b1bd689381de8fe6bcd90d1
SHA1 187d4f8795c6f87dd402802723e4611bf1d8089e
SHA256 380154eab37e79ed26a7142b773b8a8df6627c64c99a434d5a849b18d34805ba
SHA512 19002885176caceb235da69ee5af07a92b18dac0fb8bb177f2c1e7413f6606b1666e0ea20f5b95b4fa3d82a3793b1dbe4a430f6f84a991686b024c4e11606082

C:\PROGRA~2\MICROS~1\Office14\misc.exe

MD5 02e02577a83a1856dc838f9e2f24e8d2
SHA1 2ab44e2072a3598fc7092b2ccb9aff3a2c5d4ced
SHA256 3b6ca9d9fcbb0c1677fe4caeef03e4db326f70166f030b5f9fa9f2856031d4fc
SHA512 a95d454a4f9e5271bc52e6c245c7840a92b8331b84260b2556432ac66dd07bec1b2c3dcf41282d6d8ae581a152f3147e75dc673ce0c7ecbb653dcc61bc1d1bd8

C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE

MD5 33cb3cf0d9917a68f54802460cbbc452
SHA1 4f2e4447fabee92be16806f33983bb71e921792b
SHA256 1230b2032d2d35a55cd86d1215eb38fa18bcf590c3c19b9ac4dda5350c24e10a
SHA512 851f0a098020cb1da3f5f48febce3b9eaef3b885df9134b3fb6b364f3a7572a8c516456710a15f66f0a44eff59cfa50f2dc8bb5d274e5c093294b2ea96fd49cb

C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE

MD5 8acc19705a625e2d4fa8b65214d7070a
SHA1 ad16e49369c76c6826a18d136bf9618e8e99ec12
SHA256 3fb179a3ae88a3d14db48de29d4b9d43243b80b2118b578b8117ad776ce47f12
SHA512 92e22275194b5a73d825e1e7ad5a5cb5649d3679f545f88328aa72e39c161c4d797b7b3462e590edf546ddbd53c1508a49056f50fa63b113134e1bdc7d977dec

C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE

MD5 06ac9f5e8fd5694c759dc59d8a34ee86
SHA1 a29068d521488a0b8e8fc75bc0a2d1778264596b
SHA256 ab6a5bfc12229c116033183db646125573989dfc2fc076e63e248b1b82f6751d
SHA512 597dfd9cb82acc8f3033f2215df7138f04445f5826054528242e99e273f9cc4a7a956c75f280e6145fcdb22824a1f258246e22637de56a66dcae72ac2c1d14fe

C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE

MD5 56f047ff489e52768039ce7017bdc06e
SHA1 3f249d6a9e79c2706ed2e0e12f7e76ebd5e568fc
SHA256 62d6c979d708efe21c9618a18232fd2c74e85bb9560daa298025ab9af784202d
SHA512 a2eae7eae6548d325480560dcca83283a022f00f7d9bd19c0ae801a7acec133a33c5c5eb79432d47c8258d153cadea988217845d58eb4e8aa8070a068befe5e8

C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE

MD5 4f8fc8dc93d8171d0980edc8ad833b12
SHA1 dc2493a4d3a7cb460baed69edec4a89365dc401f
SHA256 1505f3721dd3d7062dadde1633d17e4ee80caf29fd5b6aa6e6a0c481324ffd4e
SHA512 bdc3f83d7428418516daf23a9c2d00571cbaa3755391dfd8c500b6df7f621a67ad8e27775bcdaa20b159cd77d08bcdaf81a0cb7fffdd812978888d43512113a6

C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe

MD5 b1e0da67a985533914394e6b8ac58205
SHA1 5a65e6076f592f9ea03af582d19d2407351ba6b6
SHA256 67629b025fed676bd607094fa7f21550e18c861495ba664ee0d2b215a4717d7f
SHA512 188ebb9a58565ca7ed81a46967a66d583f7dea43a2fc1fe8076a79ef4a83119ccaa22f948a944abae8f64b3a4b219f5184260eff7201eb660c321f6c0d1eba22

C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE

MD5 71509f22e82a9f371295b0e6cf4a79bb
SHA1 c7eefb4b59f87e9a0086ea80962070afb68e1d27
SHA256 f9837240f5913bfa289ac2b5da2ba0ba24f60249d6f7e23db8a78bb10c3c7722
SHA512 3ea6347bbb1288335ac34ee7c3006af746ca9baccfbc688d85a5ca86b09d3e456047239c0859e8dd2cdc22d254897fccd0919f00826e9665fd735cfb7c1554e7

C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE

MD5 685db5d235444f435b5b47a5551e0204
SHA1 99689188f71829cc9c4542761a62ee4946c031ff
SHA256 fde30bfdd34c7187d02eabe49f2386b4661321534b50032a838b179a21737411
SHA512 a06d711574fbe32f07d20e1d82b7664addd664bf4a7ee07a8f98889172afe3653f324b5915968950b18e76bbfc5217a29704057fd0676611629aa9eb888af54a

C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE

MD5 f7c714dbf8e08ca2ed1a2bfb8ca97668
SHA1 cc78bf232157f98b68b8d81327f9f826dabb18ab
SHA256 fc379fda348644fef660a3796861c122aa2dd5498e80279d1279a7ddb259e899
SHA512 28bc04c4df3f632865e68e83d045b3ecd2a263e62853c922b260d0734026e8a1541988fcbf4ddc9cf3aba6863214d6c6eb51f8bbb2586122a7cb01a70f08d16c

C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE

MD5 25e165d6a9c6c0c77ee1f94c9e58754b
SHA1 9b614c1280c75d058508bba2a468f376444b10c1
SHA256 8bbe59987228dd9ab297f9ea34143ea1e926bfb19f3d81c2904ab877f31e1217
SHA512 7d55c7d86ccabb6e9769ebca44764f4d89e221d5756e5c5d211e52c271e3ce222df90bc9938248e2e210d6695f30f6280d929d19ef41c09d3ea31688ae24d4bf

C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE

MD5 e5589ec1e4edb74cc7facdaac2acabfd
SHA1 9b12220318e848ed87bb7604d6f6f5df5dbc6b3f
SHA256 6ce92587a138ec07dac387a294d0bbe8ab629599d1a2868d2afaccea3b245d67
SHA512 f36ab33894681f51b9cec7ea5a738eb081a56bcd7625bdd2f5ef2c084e4beb7378be8f292af3aeae79d9317ba57cc41df89f00aef52e58987bdb2eac3f48171a

C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE

MD5 96a14f39834c93363eebf40ae941242c
SHA1 5a3a676403d4e6ad0a51d0f0e2bbdd636ae5d6fc
SHA256 8ee4aa23eb92c4aba9a46b18ac249a5fa11c5abb7e2c1ca82cd5196401db790a
SHA512 fbf307a8053e9478a52cfdf8e8bad3d7c6664c893458786ae6ee4fffc6fe93006e99a2a60c97fb62dad1addd5247621517f4edee5d9545717c4587a272cef9a2

C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE

MD5 400836f307cf7dbfb469cefd3b0391e7
SHA1 7af3cbb12d3b2d8b5d9553c687c6129d1dd90a10
SHA256 cb5c5abb625a812d47007c75e3855be3f29da527a41cf03730ad5c81f3eb629a
SHA512 aa53cb304478585d6f83b19a6de4a7938ba2570d380a565a56ff5365aed073d5f56b95ad3228eb7d1e7e6110c6172a58b97bd6a5e57e4a8d39e762ed31dc17c8

C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE

MD5 5da33a7b7941c4e76208ee7cddec8e0b
SHA1 cdd2e7b9b0e4be68417d4618e20a8283887c489c
SHA256 531e735e4e8940dfe21e30be0d4179ceaecb57ce431cf63c5044e07048ac1751
SHA512 977aeecfbc693c9d5746fedf08b99e0b0f6fd7b0c7b41ac2b34a832e68a2e6f3c68f38af2e65c87075fcf00c1c6103e34324df45d7da9412cbbeea7e410794b6

C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE

MD5 46e43f94482a27df61e1df44d764826b
SHA1 8b4eab017e85f8103c60932c5efe8dff12dc5429
SHA256 dc6658dec5bf89f65f2d4b9bdb27634bac0bf5354c792bc8970a2b39f535facd
SHA512 ce5bdd3f9a2394ffda83c93fc5604d972f90bd72e6aded357bdf27a2b21a0469f6ac71ce40d9fb4ed8c845468c4171a3c5b4501edbae79447c4f4e08342d4560

C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe

MD5 467aee41a63b9936ce9c5cbb3fa502cd
SHA1 19403cac6a199f6cd77fc5ac4a6737a9a9782dc8
SHA256 99e5bea5f632ef4af76e4e5108486d5e99386c3d451b983bcd3ad2a49cc04039
SHA512 00c9ccdbbd6fd1be0c2dafd485d811be9bf2076d4efeabc256179befd92679b964e80edcb90ef21f3e874578fdb0003878227f560ca76498865770280f87113e

C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe

MD5 034978c5262186b14fd7a2892e30b1cf
SHA1 237397dd3b97c762522542c57c85c3ff96646ba8
SHA256 159776d43dd2a8d843b82ece0faf469f9088a625d474ce4eea9db59d94a844e6
SHA512 d216e757616121d9902b0db2669b6e2aa9eb2697427c9ea2804ebda9690abbf9219c6e603d63ff19dc6115a072985ca862499b5f8319ca057a16e81aec9ea949

C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe

MD5 60f6a975a53a542fd1f6e617f3906d86
SHA1 2be1ae6fffb3045fd67ed028fe6b22e235a3d089
SHA256 be23688697af7b859d62519807414565308e79a6ecac221350cd502d6bf54733
SHA512 360872d256ef91ea3debfb9b3efa22ee80859af9df29e0687c8e1b3c386d88ff1dc5635b86e714fbf1a7d4d6bc3d791efa31a9d9d13e0f79547b631bddb5108d

C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe

MD5 da31170e6de3cf8bd6cf7346d9ef5235
SHA1 e2c9602f5c7778f9614672884638efd5dd2aee92
SHA256 7737ab500cbbd5d507881d481eef9bd91cf6650bf8d2b41b47b1a8c5f2789858
SHA512 2759d938d6ad963e0bf63481a700f7c503d06011a60bcfc1071b511e38afa87d903deb36f9cbfa0b3fd08f1ecb88d2c0bddf0d3b5f2dea2a0cca1a80471669f3

C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE

MD5 12a5d7cade13ae01baddf73609f8fbe9
SHA1 34e425f4a21db8d7902a78107d29aec1bde41e06
SHA256 94e8ea2ed536484492d746f6f5808192cb81ae3c35f55d60826a2db64a254dd5
SHA512 a240f5c59226749792cfb9fbd76b086d2544a493b834a72c0bfd8b076ed753ec8876ff056fc35f63f5497183d985f8f8c5c7b6abbcad70981f1ec83af1b3bd76

C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE

MD5 3f67da7e800cd5b4af2283a9d74d2808
SHA1 f9288d052b20a9f4527e5a0f87f4249f5e4440f7
SHA256 31c10320edb2de22f37faee36611558db83b78a9c3c71ea0ed13c8dce25bf711
SHA512 6a40f4629ddae102d8737e921328e95717274cea16eb5f23bff6a6627c6047d7f27e7f6eb5cb52f53152e326e53b6ee44d9a9ee8eca7534a2f62fa457ac3d4e3

C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE

MD5 28f7305b74e1d71409fec722d940d17a
SHA1 4c64e1ceb723f90da09e1a11e677d01fc8118677
SHA256 706db4d832abdf4907a1386b917e553315660a59bfb4c180e38215b4a606d896
SHA512 117de88d0bc437023ca2f1f54b1f2cf03b00c8cb52e4b728cabcb3140659c67cdb6d2c203d3ca13767312831c6308622dfa65d6c5361ec28aaf4ec0870f9ba6e

memory/2980-233-0x0000000000400000-0x000000000041B000-memory.dmp

memory/592-234-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2744-235-0x000007FEF51F3000-0x000007FEF51F4000-memory.dmp

memory/2980-236-0x0000000000400000-0x000000000041B000-memory.dmp

memory/592-237-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2980-238-0x0000000000400000-0x000000000041B000-memory.dmp

memory/592-239-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2980-240-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2980-242-0x0000000000400000-0x000000000041B000-memory.dmp

memory/592-244-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Windows\directx.sys

MD5 c0b10143454d77739a368e04e0f35df5
SHA1 f3af68a474210444d81d85902d20e1b358dee3cf
SHA256 2917e6960136a725e02b583e48084f2d01e6f067b0e0c48a903cb9e87cbcc084
SHA512 d7a195e2a204bb8735770e8b69ecaadd209b59f0f80548f19294301cc11b7f4e8b818d0fe4075faed3cc6012654afb0447057867bb4d2e96311bc9474ed6c01b

memory/1300-250-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1588-256-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2864-262-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\U8S7MUEUDYACI3GNDGV8.temp

MD5 9a225a1f37e694527d06960b781dc74d
SHA1 fe20974981225cd9d562fce404bcf0ad36a90b6f
SHA256 0a15d2798ca4f47c5e6503ff93b19df728ddc7874910853e65524b1c95c468c2
SHA512 0a95815bf0b444f58bc0cf91924ff9c2d691f59672269126f9ad6c2f37ea1175bfe709cc65535c2bcd48b8ce88a0e375abc1e3d53ef8958c4d9c7be4e13c44d0

C:\Windows\directx.sys

MD5 0c990affde0d001b607d6fe0983ac629
SHA1 64c90738879adf86e38214c153b2eb56ff0a72b3
SHA256 d9c9ab1b0a993b6953ce5da366d72578d9e643603a161684cb1b9a7187c1c519
SHA512 1dc49b832463dde3cbe19067a0041e919e4206a6d0fe7ac30a525a0746c8dcddcc1fb5df585e083f963a7e877985e33d893b89fc064be7f33ba5de99b73d9813

memory/2836-283-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2744-285-0x000000001D3C0000-0x000000001D710000-memory.dmp

memory/2492-286-0x00000000013D0000-0x00000000013E8000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-27 08:08

Reported

2024-05-27 08:11

Platform

win10v2004-20240226-en

Max time kernel

60s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\kdmapper.exe"

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Neshta

persistence spyware neshta

Xworm

trojan rat xworm

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\kdmapper.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\ProgramData\kdmapper.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\kdmapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\Keyauth-console-loader.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\BHO\ie_to_edge_stub.exe C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\msedge.exe C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\msedgewebview2.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13185~1.17\MICROS~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\WINDOW~4\setup_wm.exe C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmpconfig.exe C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmprph.exe C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\identity_helper.exe C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmpconfig.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ExtExport.exe C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{FB050~1\WINDOW~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{17316~1\WINDOW~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\notification_click_helper.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\notification_helper.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wab.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{FB050~1\WINDOW~1.EXE C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\msedge.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.17\MI391D~1.EXE C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmpshare.exe C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
File opened for modification C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\msedge_pwa_launcher.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ExtExport.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13185~1.17\MICROS~1.EXE C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\notification_click_helper.exe C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\PROGRA~1\MOZILL~1\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\PROGRA~1\MOZILL~1\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\PROGRA~1\MOZILL~1\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\PROGRA~1\MOZILL~1\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\PROGRA~1\MOZILL~1\firefox.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\ProgramData\kdmapper.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\PROGRA~1\MOZILL~1\firefox.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\ProgramData\kdmapper.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\Keyauth-console-loader.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\PROGRA~1\MOZILL~1\firefox.exe N/A
N/A N/A C:\PROGRA~1\MOZILL~1\firefox.exe N/A
N/A N/A C:\PROGRA~1\MOZILL~1\firefox.exe N/A
N/A N/A C:\PROGRA~1\MOZILL~1\firefox.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\PROGRA~1\MOZILL~1\firefox.exe N/A
N/A N/A C:\PROGRA~1\MOZILL~1\firefox.exe N/A
N/A N/A C:\PROGRA~1\MOZILL~1\firefox.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\PROGRA~1\MOZILL~1\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4656 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\kdmapper.exe C:\ProgramData\kdmapper.exe
PID 4656 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\kdmapper.exe C:\ProgramData\kdmapper.exe
PID 4656 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\kdmapper.exe C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe
PID 4656 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\kdmapper.exe C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe
PID 4656 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\kdmapper.exe C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe
PID 1504 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe C:\Users\Admin\AppData\Local\Temp\3582-490\Keyauth-console-loader.exe
PID 1504 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe C:\Users\Admin\AppData\Local\Temp\3582-490\Keyauth-console-loader.exe
PID 1504 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe C:\Users\Admin\AppData\Local\Temp\3582-490\Keyauth-console-loader.exe
PID 2892 wrote to memory of 1196 N/A C:\ProgramData\kdmapper.exe C:\Windows\svchost.com
PID 2892 wrote to memory of 1196 N/A C:\ProgramData\kdmapper.exe C:\Windows\svchost.com
PID 2892 wrote to memory of 1196 N/A C:\ProgramData\kdmapper.exe C:\Windows\svchost.com
PID 1196 wrote to memory of 1704 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1196 wrote to memory of 1704 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1196 wrote to memory of 1704 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3204 wrote to memory of 3284 N/A C:\Windows\svchost.com C:\PROGRA~1\MOZILL~1\firefox.exe
PID 3204 wrote to memory of 3284 N/A C:\Windows\svchost.com C:\PROGRA~1\MOZILL~1\firefox.exe
PID 3284 wrote to memory of 4508 N/A C:\PROGRA~1\MOZILL~1\firefox.exe C:\PROGRA~1\MOZILL~1\firefox.exe
PID 3284 wrote to memory of 4508 N/A C:\PROGRA~1\MOZILL~1\firefox.exe C:\PROGRA~1\MOZILL~1\firefox.exe
PID 3284 wrote to memory of 4508 N/A C:\PROGRA~1\MOZILL~1\firefox.exe C:\PROGRA~1\MOZILL~1\firefox.exe
PID 3284 wrote to memory of 4508 N/A C:\PROGRA~1\MOZILL~1\firefox.exe C:\PROGRA~1\MOZILL~1\firefox.exe
PID 3284 wrote to memory of 4508 N/A C:\PROGRA~1\MOZILL~1\firefox.exe C:\PROGRA~1\MOZILL~1\firefox.exe
PID 3284 wrote to memory of 4508 N/A C:\PROGRA~1\MOZILL~1\firefox.exe C:\PROGRA~1\MOZILL~1\firefox.exe
PID 3284 wrote to memory of 4508 N/A C:\PROGRA~1\MOZILL~1\firefox.exe C:\PROGRA~1\MOZILL~1\firefox.exe
PID 3284 wrote to memory of 4508 N/A C:\PROGRA~1\MOZILL~1\firefox.exe C:\PROGRA~1\MOZILL~1\firefox.exe
PID 3284 wrote to memory of 4508 N/A C:\PROGRA~1\MOZILL~1\firefox.exe C:\PROGRA~1\MOZILL~1\firefox.exe
PID 3284 wrote to memory of 4508 N/A C:\PROGRA~1\MOZILL~1\firefox.exe C:\PROGRA~1\MOZILL~1\firefox.exe
PID 3284 wrote to memory of 4508 N/A C:\PROGRA~1\MOZILL~1\firefox.exe C:\PROGRA~1\MOZILL~1\firefox.exe
PID 4508 wrote to memory of 2140 N/A C:\PROGRA~1\MOZILL~1\firefox.exe C:\PROGRA~1\MOZILL~1\firefox.exe
PID 4508 wrote to memory of 2140 N/A C:\PROGRA~1\MOZILL~1\firefox.exe C:\PROGRA~1\MOZILL~1\firefox.exe
PID 4508 wrote to memory of 2752 N/A C:\PROGRA~1\MOZILL~1\firefox.exe C:\PROGRA~1\MOZILL~1\firefox.exe
PID 4508 wrote to memory of 2752 N/A C:\PROGRA~1\MOZILL~1\firefox.exe C:\PROGRA~1\MOZILL~1\firefox.exe
PID 4508 wrote to memory of 2752 N/A C:\PROGRA~1\MOZILL~1\firefox.exe C:\PROGRA~1\MOZILL~1\firefox.exe
PID 4508 wrote to memory of 2752 N/A C:\PROGRA~1\MOZILL~1\firefox.exe C:\PROGRA~1\MOZILL~1\firefox.exe
PID 4508 wrote to memory of 2752 N/A C:\PROGRA~1\MOZILL~1\firefox.exe C:\PROGRA~1\MOZILL~1\firefox.exe
PID 4508 wrote to memory of 2752 N/A C:\PROGRA~1\MOZILL~1\firefox.exe C:\PROGRA~1\MOZILL~1\firefox.exe
PID 4508 wrote to memory of 2752 N/A C:\PROGRA~1\MOZILL~1\firefox.exe C:\PROGRA~1\MOZILL~1\firefox.exe
PID 4508 wrote to memory of 2752 N/A C:\PROGRA~1\MOZILL~1\firefox.exe C:\PROGRA~1\MOZILL~1\firefox.exe
PID 4508 wrote to memory of 2752 N/A C:\PROGRA~1\MOZILL~1\firefox.exe C:\PROGRA~1\MOZILL~1\firefox.exe
PID 4508 wrote to memory of 2752 N/A C:\PROGRA~1\MOZILL~1\firefox.exe C:\PROGRA~1\MOZILL~1\firefox.exe
PID 4508 wrote to memory of 2752 N/A C:\PROGRA~1\MOZILL~1\firefox.exe C:\PROGRA~1\MOZILL~1\firefox.exe
PID 4508 wrote to memory of 2752 N/A C:\PROGRA~1\MOZILL~1\firefox.exe C:\PROGRA~1\MOZILL~1\firefox.exe
PID 4508 wrote to memory of 2752 N/A C:\PROGRA~1\MOZILL~1\firefox.exe C:\PROGRA~1\MOZILL~1\firefox.exe
PID 4508 wrote to memory of 2752 N/A C:\PROGRA~1\MOZILL~1\firefox.exe C:\PROGRA~1\MOZILL~1\firefox.exe
PID 4508 wrote to memory of 2752 N/A C:\PROGRA~1\MOZILL~1\firefox.exe C:\PROGRA~1\MOZILL~1\firefox.exe
PID 4508 wrote to memory of 2752 N/A C:\PROGRA~1\MOZILL~1\firefox.exe C:\PROGRA~1\MOZILL~1\firefox.exe
PID 4508 wrote to memory of 2752 N/A C:\PROGRA~1\MOZILL~1\firefox.exe C:\PROGRA~1\MOZILL~1\firefox.exe
PID 4508 wrote to memory of 2752 N/A C:\PROGRA~1\MOZILL~1\firefox.exe C:\PROGRA~1\MOZILL~1\firefox.exe
PID 4508 wrote to memory of 2752 N/A C:\PROGRA~1\MOZILL~1\firefox.exe C:\PROGRA~1\MOZILL~1\firefox.exe
PID 4508 wrote to memory of 2752 N/A C:\PROGRA~1\MOZILL~1\firefox.exe C:\PROGRA~1\MOZILL~1\firefox.exe
PID 4508 wrote to memory of 2752 N/A C:\PROGRA~1\MOZILL~1\firefox.exe C:\PROGRA~1\MOZILL~1\firefox.exe
PID 4508 wrote to memory of 2752 N/A C:\PROGRA~1\MOZILL~1\firefox.exe C:\PROGRA~1\MOZILL~1\firefox.exe
PID 4508 wrote to memory of 2752 N/A C:\PROGRA~1\MOZILL~1\firefox.exe C:\PROGRA~1\MOZILL~1\firefox.exe
PID 4508 wrote to memory of 2752 N/A C:\PROGRA~1\MOZILL~1\firefox.exe C:\PROGRA~1\MOZILL~1\firefox.exe
PID 4508 wrote to memory of 2752 N/A C:\PROGRA~1\MOZILL~1\firefox.exe C:\PROGRA~1\MOZILL~1\firefox.exe
PID 4508 wrote to memory of 2752 N/A C:\PROGRA~1\MOZILL~1\firefox.exe C:\PROGRA~1\MOZILL~1\firefox.exe
PID 4508 wrote to memory of 2752 N/A C:\PROGRA~1\MOZILL~1\firefox.exe C:\PROGRA~1\MOZILL~1\firefox.exe
PID 4508 wrote to memory of 2752 N/A C:\PROGRA~1\MOZILL~1\firefox.exe C:\PROGRA~1\MOZILL~1\firefox.exe
PID 4508 wrote to memory of 2752 N/A C:\PROGRA~1\MOZILL~1\firefox.exe C:\PROGRA~1\MOZILL~1\firefox.exe
PID 4508 wrote to memory of 2752 N/A C:\PROGRA~1\MOZILL~1\firefox.exe C:\PROGRA~1\MOZILL~1\firefox.exe
PID 4508 wrote to memory of 2752 N/A C:\PROGRA~1\MOZILL~1\firefox.exe C:\PROGRA~1\MOZILL~1\firefox.exe
PID 4508 wrote to memory of 2752 N/A C:\PROGRA~1\MOZILL~1\firefox.exe C:\PROGRA~1\MOZILL~1\firefox.exe
PID 4508 wrote to memory of 2752 N/A C:\PROGRA~1\MOZILL~1\firefox.exe C:\PROGRA~1\MOZILL~1\firefox.exe
PID 4508 wrote to memory of 2752 N/A C:\PROGRA~1\MOZILL~1\firefox.exe C:\PROGRA~1\MOZILL~1\firefox.exe
PID 4508 wrote to memory of 2752 N/A C:\PROGRA~1\MOZILL~1\firefox.exe C:\PROGRA~1\MOZILL~1\firefox.exe

Processes

C:\Users\Admin\AppData\Local\Temp\kdmapper.exe

"C:\Users\Admin\AppData\Local\Temp\kdmapper.exe"

C:\ProgramData\kdmapper.exe

"C:\ProgramData\kdmapper.exe"

C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe

"C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\Keyauth-console-loader.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\Keyauth-console-loader.exe"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\kdmapper.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\kdmapper.exe'

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1044 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\PROGRA~1\MOZILL~1\firefox.exe"

C:\PROGRA~1\MOZILL~1\firefox.exe

C:\PROGRA~1\MOZILL~1\firefox.exe

C:\PROGRA~1\MOZILL~1\firefox.exe

C:\PROGRA~1\MOZILL~1\firefox.exe

C:\PROGRA~1\MOZILL~1\firefox.exe

"C:\PROGRA~1\MOZILL~1\firefox.exe" -contentproc --channel="4508.0.255991882\2127461366" -parentBuildID 20221007134813 -prefsHandle 1748 -prefMapHandle 1736 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\PROGRA~1\MOZILL~1\browser" - {c7e8b1ab-ddf5-4074-bd49-c41ac306a6dc} 4508 "\\.\pipe\gecko-crash-server-pipe.4508" 1840 2112a4d6c58 gpu

C:\PROGRA~1\MOZILL~1\firefox.exe

"C:\PROGRA~1\MOZILL~1\firefox.exe" -contentproc --channel="4508.1.1700625511\590663014" -parentBuildID 20221007134813 -prefsHandle 2288 -prefMapHandle 2284 -prefsLen 20843 -prefMapSize 233444 -win32kLockedDown -appDir "C:\PROGRA~1\MOZILL~1\browser" - {53d8a2d9-6743-41f1-a62c-5f1ea4b3f1c8} 4508 "\\.\pipe\gecko-crash-server-pipe.4508" 2300 21117771858 socket

C:\PROGRA~1\MOZILL~1\firefox.exe

"C:\PROGRA~1\MOZILL~1\firefox.exe" -contentproc --channel="4508.2.1701788378\2094492103" -childID 1 -isForBrowser -prefsHandle 2924 -prefMapHandle 2920 -prefsLen 20881 -prefMapSize 233444 -jsInitHandle 1184 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\PROGRA~1\MOZILL~1\browser" - {373c7a75-140d-4646-b653-b058927921de} 4508 "\\.\pipe\gecko-crash-server-pipe.4508" 3028 2112e0b5d58 tab

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe"

C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe

C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe

C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe

C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd379d9758,0x7ffd379d9768,0x7ffd379d9778

C:\PROGRA~1\MOZILL~1\firefox.exe

"C:\PROGRA~1\MOZILL~1\firefox.exe" -contentproc --channel="4508.3.1449844411\1355515066" -childID 2 -isForBrowser -prefsHandle 3724 -prefMapHandle 3720 -prefsLen 26124 -prefMapSize 233444 -jsInitHandle 1184 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\PROGRA~1\MOZILL~1\browser" - {5252d300-3292-4354-a8cc-e484a7c8e2b8} 4508 "\\.\pipe\gecko-crash-server-pipe.4508" 3736 2111775fd58 tab

C:\PROGRA~1\MOZILL~1\firefox.exe

"C:\PROGRA~1\MOZILL~1\firefox.exe" -contentproc --channel="4508.4.1499587364\1967015519" -childID 3 -isForBrowser -prefsHandle 4000 -prefMapHandle 3996 -prefsLen 26124 -prefMapSize 233444 -jsInitHandle 1184 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\PROGRA~1\MOZILL~1\browser" - {504c4fbf-c80b-4ecc-801f-ac7d665ba413} 4508 "\\.\pipe\gecko-crash-server-pipe.4508" 4012 2112fa77358 tab

C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe

"C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1772 --field-trial-handle=1956,i,9041691410585586773,7230608052510680048,131072 /prefetch:2

C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe

"C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1884 --field-trial-handle=1956,i,9041691410585586773,7230608052510680048,131072 /prefetch:8

C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe

"C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2200 --field-trial-handle=1956,i,9041691410585586773,7230608052510680048,131072 /prefetch:8

C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe

"C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3008 --field-trial-handle=1956,i,9041691410585586773,7230608052510680048,131072 /prefetch:1

C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe

"C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3024 --field-trial-handle=1956,i,9041691410585586773,7230608052510680048,131072 /prefetch:1

C:\PROGRA~1\MOZILL~1\firefox.exe

"C:\PROGRA~1\MOZILL~1\firefox.exe" -contentproc --channel="4508.5.628664560\1385367138" -childID 4 -isForBrowser -prefsHandle 2632 -prefMapHandle 4744 -prefsLen 26638 -prefMapSize 233444 -jsInitHandle 1184 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\PROGRA~1\MOZILL~1\browser" - {6750cf93-e68b-4fc7-bf6d-3b900bf7790f} 4508 "\\.\pipe\gecko-crash-server-pipe.4508" 3680 21117763458 tab

C:\PROGRA~1\MOZILL~1\firefox.exe

"C:\PROGRA~1\MOZILL~1\firefox.exe" -contentproc --channel="4508.6.1466962419\1313968049" -childID 5 -isForBrowser -prefsHandle 5192 -prefMapHandle 1268 -prefsLen 26638 -prefMapSize 233444 -jsInitHandle 1184 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\PROGRA~1\MOZILL~1\browser" - {34c61646-a6ba-4385-8b6d-998e0c858033} 4508 "\\.\pipe\gecko-crash-server-pipe.4508" 5144 21117764058 tab

C:\PROGRA~1\MOZILL~1\firefox.exe

"C:\PROGRA~1\MOZILL~1\firefox.exe" -contentproc --channel="4508.7.2147300418\1225378441" -childID 6 -isForBrowser -prefsHandle 5368 -prefMapHandle 5144 -prefsLen 26638 -prefMapSize 233444 -jsInitHandle 1184 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\PROGRA~1\MOZILL~1\browser" - {d9efe4d7-4768-4671-815d-51d98c32b1c0} 4508 "\\.\pipe\gecko-crash-server-pipe.4508" 5360 2112d064758 tab

C:\PROGRA~1\MOZILL~1\firefox.exe

"C:\PROGRA~1\MOZILL~1\firefox.exe" -contentproc --channel="4508.8.1275670088\1744670531" -childID 7 -isForBrowser -prefsHandle 5336 -prefMapHandle 5340 -prefsLen 26638 -prefMapSize 233444 -jsInitHandle 1184 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\PROGRA~1\MOZILL~1\browser" - {a90c5e0d-7b71-4d12-bded-ceb37a817940} 4508 "\\.\pipe\gecko-crash-server-pipe.4508" 5560 2112e1ace58 tab

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe"

C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe

C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe

C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe

C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xa4,0x108,0x7ffd379d9758,0x7ffd379d9768,0x7ffd379d9778

C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe

"C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1720 --field-trial-handle=2000,i,16385817578952851518,202468111676015540,131072 /prefetch:2

C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe

"C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1876 --field-trial-handle=2000,i,16385817578952851518,202468111676015540,131072 /prefetch:8

C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe

"C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2208 --field-trial-handle=2000,i,16385817578952851518,202468111676015540,131072 /prefetch:8

C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe

"C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3080 --field-trial-handle=2000,i,16385817578952851518,202468111676015540,131072 /prefetch:1

C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe

"C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3112 --field-trial-handle=2000,i,16385817578952851518,202468111676015540,131072 /prefetch:1

C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe

"C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4392 --field-trial-handle=2000,i,16385817578952851518,202468111676015540,131072 /prefetch:1

C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe

"C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4404 --field-trial-handle=2000,i,16385817578952851518,202468111676015540,131072 /prefetch:8

C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe

"C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4712 --field-trial-handle=2000,i,16385817578952851518,202468111676015540,131072 /prefetch:8

C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe

"C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4868 --field-trial-handle=2000,i,16385817578952851518,202468111676015540,131072 /prefetch:8

C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe

"C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5092 --field-trial-handle=2000,i,16385817578952851518,202468111676015540,131072 /prefetch:8

C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe

"C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5056 --field-trial-handle=2000,i,16385817578952851518,202468111676015540,131072 /prefetch:1

C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe

"C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4376 --field-trial-handle=2000,i,16385817578952851518,202468111676015540,131072 /prefetch:1

C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe

"C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4676 --field-trial-handle=2000,i,16385817578952851518,202468111676015540,131072 /prefetch:1

C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe

"C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5776 --field-trial-handle=2000,i,16385817578952851518,202468111676015540,131072 /prefetch:8

C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe

"C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5448 --field-trial-handle=2000,i,16385817578952851518,202468111676015540,131072 /prefetch:8

C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe

"C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5336 --field-trial-handle=2000,i,16385817578952851518,202468111676015540,131072 /prefetch:1

Network

Country Destination Domain Proto
GB 142.250.187.234:443 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 keyauth.win udp
US 172.67.72.57:443 keyauth.win tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 57.72.67.172.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 13.107.253.64:443 tcp
N/A 127.0.0.1:50117 tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 34.117.188.166:443 contile.services.mozilla.com tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 34.117.188.166:443 contile.services.mozilla.com udp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 shavar.services.mozilla.com udp
US 44.237.98.207:443 shavar.services.mozilla.com tcp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 166.188.117.34.in-addr.arpa udp
US 8.8.8.8:53 push.services.mozilla.com udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 207.98.237.44.in-addr.arpa udp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
US 34.149.100.209:443 firefox.settings.services.mozilla.com tcp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 131.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
FR 172.217.20.196:443 www.google.com tcp
US 8.8.8.8:53 196.20.217.172.in-addr.arpa udp
FR 172.217.20.196:443 www.google.com udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
FR 172.217.20.196:443 www.google.com tcp
FR 172.217.20.196:443 www.google.com udp
US 8.8.8.8:53 163.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 apis.google.com udp
FR 142.250.178.142:443 apis.google.com tcp
US 8.8.8.8:53 play.google.com udp
FR 172.217.20.174:443 play.google.com tcp
US 8.8.8.8:53 142.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 67.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 174.20.217.172.in-addr.arpa udp
US 8.8.8.8:53 encrypted-tbn2.gstatic.com udp
FR 172.217.20.206:443 encrypted-tbn2.gstatic.com tcp
US 8.8.8.8:53 206.20.217.172.in-addr.arpa udp
US 8.8.8.8:53 x64dbg.com udp
US 185.199.108.153:443 x64dbg.com tcp
US 185.199.108.153:443 x64dbg.com tcp
US 8.8.8.8:53 cdnjs.cloudflare.com udp
US 104.17.25.14:443 cdnjs.cloudflare.com tcp
US 8.8.8.8:53 153.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 ajax.googleapis.com udp
FR 142.250.74.234:443 ajax.googleapis.com tcp
US 8.8.8.8:53 14.25.17.104.in-addr.arpa udp
US 8.8.8.8:53 234.74.250.142.in-addr.arpa udp
US 8.8.8.8:53 42.215.58.216.in-addr.arpa udp
FR 172.217.20.174:443 play.google.com udp
N/A 127.0.0.1:50385 tcp
US 8.8.8.8:53 snapshots.x64dbg.com udp
US 172.67.132.116:443 snapshots.x64dbg.com tcp
US 172.67.132.116:443 snapshots.x64dbg.com tcp
US 8.8.8.8:53 116.132.67.172.in-addr.arpa udp
US 104.17.25.14:443 cdnjs.cloudflare.com udp
US 8.8.8.8:53 img.shields.io udp
US 172.67.173.89:443 img.shields.io tcp
US 172.67.173.89:443 img.shields.io tcp
US 172.67.173.89:443 img.shields.io tcp
US 172.67.173.89:443 img.shields.io tcp
US 172.67.173.89:443 img.shields.io tcp
US 172.67.173.89:443 img.shields.io tcp
US 8.8.8.8:53 sourceforge.net udp
US 104.18.13.149:80 sourceforge.net tcp
US 104.18.13.149:443 sourceforge.net tcp
US 8.8.8.8:53 89.173.67.172.in-addr.arpa udp
US 8.8.8.8:53 72.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 149.13.18.104.in-addr.arpa udp
US 104.18.13.149:443 sourceforge.net udp
US 8.8.8.8:53 a.fsdn.com udp
US 104.18.16.56:443 a.fsdn.com tcp
US 104.18.16.56:443 a.fsdn.com tcp
US 104.18.16.56:443 a.fsdn.com tcp
US 104.18.16.56:443 a.fsdn.com tcp
US 104.18.16.56:443 a.fsdn.com tcp
US 104.18.16.56:443 a.fsdn.com tcp
US 8.8.8.8:53 56.16.18.104.in-addr.arpa udp
US 104.17.25.14:443 cdnjs.cloudflare.com udp
US 8.8.8.8:53 238.75.250.142.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 104.18.16.56:443 a.fsdn.com udp
US 8.8.8.8:53 c.sf-syn.com udp
US 104.18.5.227:443 c.sf-syn.com tcp
US 8.8.8.8:53 227.5.18.104.in-addr.arpa udp
US 8.8.8.8:53 13.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 d.delivery.consentmanager.net udp
US 8.8.8.8:53 cdn.consentmanager.net udp
DE 87.230.98.76:443 d.delivery.consentmanager.net tcp
GB 195.181.164.20:443 cdn.consentmanager.net tcp
US 8.8.8.8:53 76.98.230.87.in-addr.arpa udp
US 8.8.8.8:53 20.164.181.195.in-addr.arpa udp
US 8.8.8.8:53 content-autofill.googleapis.com udp
FR 172.217.18.202:443 content-autofill.googleapis.com tcp
US 8.8.8.8:53 202.18.217.172.in-addr.arpa udp

Files

memory/4656-0-0x0000000074CA2000-0x0000000074CA3000-memory.dmp

memory/4656-1-0x0000000074CA0000-0x0000000075251000-memory.dmp

memory/4656-2-0x0000000074CA0000-0x0000000075251000-memory.dmp

C:\ProgramData\kdmapper.exe

MD5 1fb060973127af435a948361cba03b9e
SHA1 f861149e155e9bb3ef1f2f748874e884cde54cee
SHA256 194bee6ca7df1015b6b5c5296d04f711128a4ec2970bdab1bf621af758251949
SHA512 8d22e67d3200ab028822985e35c6314051b1dc0cab612e6917e326f0c75ad9d9a97af7f8146f70468026b5efcc5d09d4d1d9f89f34191cfed3179db1285e5eba

memory/2892-15-0x00007FFD3FBD3000-0x00007FFD3FBD5000-memory.dmp

memory/2892-16-0x00000000003E0000-0x00000000003F8000-memory.dmp

C:\Users\Admin\AppData\Roaming\Keyauth-console-loader.exe

MD5 accad9cf663d5819ab171725c62de978
SHA1 6abf132629ebd01588f95e6e87422142145d2c21
SHA256 48ef492c2a7daed9b5fd95cbe3b567a6f75e123ae4d9afeafb0fa1d3784a9c0b
SHA512 4fc791d57b89c4792dba0820af337cea924747efa102952f46afa9ba25f42360836146a9cd7285104657bb4756dfba77856f71e20290cf2f6202a1032ac416da

memory/4656-26-0x0000000074CA0000-0x0000000075251000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3582-490\Keyauth-console-loader.exe

MD5 c6468039d2d2d29d67da192c4b93fbce
SHA1 6c295a9bff97d20fd8d1e7bd0306047965c03c27
SHA256 574ffc78000ac5e306858cead0d0669ecc3c0bd2541001bab1d2f5c46e9d74e7
SHA512 5777425adec2b763f3535dce5963422b986fb2ec25517f326b99956ffe5970a477f05cb1009f1fd54da2890ab26e79687bcf05efacb8f8a06a2bc0400b228be9

memory/3944-39-0x0000000000920000-0x000000000093C000-memory.dmp

memory/3944-40-0x0000000002DC0000-0x0000000002DD2000-memory.dmp

memory/2892-41-0x00007FFD3FBD0000-0x00007FFD40691000-memory.dmp

C:\Windows\svchost.com

MD5 c23ae27db3868ed615e2fb10aad9c430
SHA1 2ae4f18703f36e3e484da9a14cf557a2f2c83d8d
SHA256 a61dd97cf9eed6d01cd393a00f9cecc33368bd5a04ccbbb74ddcb37b984ebcec
SHA512 4504277050aec35a50476148de71c88fbb1b520bd8c2e8c79e30e7dd6b1f5d41889b9f35adc9bf3c4fdbcba0652e02a4deb9fba608874a3f5d8c0637cbb8adef

C:\odt\OFFICE~1.EXE

MD5 02c3d242fe142b0eabec69211b34bc55
SHA1 ea0a4a6d6078b362f7b3a4ad1505ce49957dc16e
SHA256 2a1ed24be7e3859b46ec3ebc316789ead5f12055853f86a9656e04b4bb771842
SHA512 0efb08492eaaa2e923beddc21566e98fbbef3a102f9415ff310ec616f5c84fd2ba3a7025b05e01c0bdf37e5e2f64dfd845f9254a376144cc7d827e7577dbb099

memory/3944-50-0x0000000005BA0000-0x0000000005BDC000-memory.dmp

memory/1704-53-0x0000000005520000-0x0000000005556000-memory.dmp

memory/1704-54-0x0000000005D00000-0x0000000006328000-memory.dmp

memory/1704-55-0x0000000005A40000-0x0000000005A62000-memory.dmp

memory/1704-56-0x0000000005AE0000-0x0000000005B46000-memory.dmp

memory/1704-57-0x0000000005B50000-0x0000000005BB6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5uvosb4k.zin.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1704-67-0x0000000006330000-0x0000000006684000-memory.dmp

memory/1704-68-0x0000000006970000-0x000000000698E000-memory.dmp

memory/1704-69-0x0000000006EB0000-0x0000000006EFC000-memory.dmp

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe

MD5 576410de51e63c3b5442540c8fdacbee
SHA1 8de673b679e0fee6e460cbf4f21ab728e41e0973
SHA256 3f00404dd591c2856e6f71bd78423ed47199902e0b85f228e6c4de72c59ddffe
SHA512 f7761f3878775b30cc3d756fa122e74548dfc0a27e38fa4109e34a59a009df333d074bf14a227549ae347605f271be47984c55148685faac479aeb481f7191db

memory/1504-91-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1704-92-0x0000000007B40000-0x0000000007B72000-memory.dmp

memory/1704-93-0x000000006F6D0000-0x000000006F71C000-memory.dmp

memory/1704-103-0x0000000006F00000-0x0000000006F1E000-memory.dmp

memory/1704-104-0x0000000007B80000-0x0000000007C23000-memory.dmp

memory/1704-105-0x00000000082F0000-0x000000000896A000-memory.dmp

memory/1704-106-0x0000000007C90000-0x0000000007CAA000-memory.dmp

memory/1704-107-0x0000000007D00000-0x0000000007D0A000-memory.dmp

memory/1196-110-0x0000000000400000-0x000000000041B000-memory.dmp

C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE

MD5 3ad3461ef1d630f38ed3749838bbedc3
SHA1 8d85b0b392ae75c5d0b004ee9cf5a7b80b1b79e6
SHA256 32be2bca2b848da78c02140a288f1bb771cb66757f90d20126b1bcfd5bb40e62
SHA512 0e95e5181eab14d5820a3a4952018ac9b290fa3b17add8a5e13d893052f1d2a90a2323c62843f6a9e9af00f27e00108b60e0bce2f848e0a4d8ce0cce153db1ba

memory/1704-119-0x0000000007F00000-0x0000000007F96000-memory.dmp

C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\javaw.exe

MD5 fbbde1cc9128fff8bdffd792e6ea8cce
SHA1 480368754e21ff97ded1f55f736c1427bb388ca3
SHA256 c26681e4c77fac521ec4ba461e34bbe17bdf566af7c004c96e30b8fc785af73c
SHA512 2ecb93ddb1f58e0f3b845e80c76b706b0adc4ab30220eda837cdf13723a730f725e97f81d2f76ef8e0148703ba8e0d4dd57a03f303d09fee78bed0bd5a0ff274

C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\javaws.exe

MD5 2fbf8e73fc690c57c64459cb4c349ddb
SHA1 1038053aff4e542a8dbb77fc4d100fe083493e50
SHA256 408ad7354171bc8d51846bbe8238e8fbd6a5bf9b0b12b3f55b43f61e03371bf2
SHA512 7e29b6ae75865dc9e7004665f6c90513e5b8f593509cbd209f523ea5602ea9e242ef1fee867f8d293781a51fa816d502456bbe97414de2e7ecbc6f6f640a49fc

C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\java.exe

MD5 927c75ca98552179273baebb2038b44e
SHA1 e85f3a6b2f25c344a76306579a488ee3a757a1cf
SHA256 625a894f316118bcb6b291fcfe0d35b3bf0204285999885eb5b489bf1bd8581f
SHA512 55b0498c69568b3ef45a5ea22dbccb582b45e969678339b66264ab2186416ff373a3cef4c13b4ec06fe18dca575e7d54ba20a0645c3c54816882fd3d51c48bfc

memory/1704-133-0x0000000007E80000-0x0000000007E91000-memory.dmp

C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE

MD5 25e165d6a9c6c0c77ee1f94c9e58754b
SHA1 9b614c1280c75d058508bba2a468f376444b10c1
SHA256 8bbe59987228dd9ab297f9ea34143ea1e926bfb19f3d81c2904ab877f31e1217
SHA512 7d55c7d86ccabb6e9769ebca44764f4d89e221d5756e5c5d211e52c271e3ce222df90bc9938248e2e210d6695f30f6280d929d19ef41c09d3ea31688ae24d4bf

C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE

MD5 7f95b64464c4f07e1e8b7d88caf978e8
SHA1 3204fa9f8595fbc2cfbc5ef9a50fdaa96ef4e4bd
SHA256 b4cd6fbeea92190d5bc778d2614a0eee43ac046a8f076ea516ebb91b90ada7b8
SHA512 7efb1ac2fab724dfb77f1bf47f3cf44bb239f337f19caebe417daa04bbea2b9d34e3903194696183ee87fa3575f7d8a40a017a0139a8c3bee377abdc55690d13

C:\PROGRA~2\Google\Update\DISABL~1.EXE

MD5 6a57dc8a285dc9738c88e78fba506d22
SHA1 6c7fbb72d162b60ae27df884aa379c9e41ecbf9d
SHA256 b3c0c2c2eba96fb385979636c2593d7322ef3d72a6d67cad4bb9ef64f7eb4699
SHA512 4d559ded8758ce92b4f2bb7ad819873aa6fcb4f351e1aec820d49ba87cb840a593f9c6dca6f5244bbe4748b9f1c623e981ba0e77ad57e1364a1876f6fc3a88f1

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\identity_helper.exe

MD5 a4c554903ffddf2c66eca876c614a75d
SHA1 cc789ac39fea72c579a5ec64970d2b6cc9daeac1
SHA256 09f2820a2ee73dc9ee5288fd25b3cde313e400f99f730464a31b71cfdbbd7f31
SHA512 d1feb67afcbacc1cb8c76c8774687546ab9ac6c0962ca62a8059a2b04b7332e9a0d8575ef37f9887a367b3f4f47b4bd5ea9010f754fdf0049498a58ba9fee088

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\INSTAL~1\setup.exe

MD5 1cae3b29628f35e661eab78f1c8b4a99
SHA1 97fb011f97340a0687204a2f35e0e7e85112c97f
SHA256 643df72069bacb87065bfa4a0b552c97655c9497aeadea96e48e3d5df10cf3b0
SHA512 30924f452425afe598f4f21d59433c05c4bd217bf313363c22be4e9d23e712f96cef905a2411cdbf23da08b3f8d61e20f127fd4d2ab3aab35483f46b4e32759b

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\msedge_pwa_launcher.exe

MD5 037eb09ec7455bed1c2cc12ead01b246
SHA1 821ca5516402d68a0e6aa8d807abb2f3e2a78554
SHA256 fe404e589880c9a7065f3e2cfcfa4675953dccc5250f26715f29986d7580d924
SHA512 bfae4a3f1ef8a8036e5c3c7700796bb2e5b534fd602a2ed9f209e0974b111ace42f7f82683388f2fdefbf7939bc504b57901af0cc881b2e06c74036bf802760b

C:\PROGRA~2\MICROS~1\EdgeCore\122023~1.52\COOKIE~1.EXE

MD5 fe0269e24575d8a8590185540f7b4f6c
SHA1 e133f0f269ac97b93caf93fe6f7ecf55e929cef1
SHA256 1b3d321b505dd2f13e8b669f554b31e6e00f5a5ab4f98160a8f7a0dd96c3b9fa
SHA512 b30ce7aad664d2ad7ad9ff046e16a80bbf13caa70c981c12ee164f45f570b7e2013dacb630d6341ee67d4821519a9c33277f2801ad87521329b984e66873e6c0

C:\PROGRA~2\MICROS~1\EdgeCore\122023~1.52\ELEVAT~1.EXE

MD5 f31b25bb1e8bd429892a63eaac0bce5d
SHA1 f007774635ef84623a7b4e0c892a8ee14c4b6221
SHA256 35e16cb335e2e73dc5a8ea0117598cebc98aa2e3550b32a4fb2b3d1f60be17d9
SHA512 f9515824dc4de6968903471bcc842e97acc30489d2054357c61098af190aae30ec7027c5e99aa9da1f527d53cddc209dd793db937e69f316ba1c9206884dff0a

C:\PROGRA~2\MICROS~1\EdgeCore\122023~1.52\BHO\IE_TO_~1.EXE

MD5 46bda7f4ac4ec1457af4aceec4b0951e
SHA1 9038a90a2b4f6363fd20dc45984405e1d1e2a2d6
SHA256 5eb1cd925ce4a5c5dd035a0de64bb7249303e53d1efff96ea510b0930470524f
SHA512 36e917760e250ad7550b73b20471c5c8264a6ab12984e95d4bba1f3f15602aa8ac1acbb0af3fa8fbd9aba80f002eeb444d1fb49a6d64b720e5368a7a8ce58465

C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.17\MI9C33~1.EXE

MD5 147b5ade315673b925bdd21eba5d9732
SHA1 212b9882f166b187ef578298ee4bfdd174529115
SHA256 d49c72831f1b505b1846b23c3bf836219e27ea69e8fd43e8e4ca3ead7601252b
SHA512 7bb8186c67a20471d54fd37f3db55edaf86cdb34861359df092e1251ccadb80e2a71197304d192ccb5df0111676017be6823fd85617fefcb366ac405878caab0

C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.17\MIA062~1.EXE

MD5 9cb564e5c608e17b8586921f4039d2b5
SHA1 b3299501284574831e929c689b28fa1a2eaf2918
SHA256 9695a654513e4054bcc4304ca1143f4a443ad29927a9a93850cd9bfdae00a23e
SHA512 0c2c833afa033e13fd7d6e77df4ad0ccf81d39501e68efca8425130a69e310de3f5adf5298cb0c4b78c6ee2bdf711270f7d29ff8eaf212cfcad05ea39c2d7323

C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.17\MICROS~2.EXE

MD5 0f087e158950e3f1d665448e3336bf19
SHA1 0e2ce75f02bbfe87b0837651e3e027075190be34
SHA256 32de49b2fe1b519af7ab9b31986f3fab62718e2235c4e50d60be83b6ac25b9fb
SHA512 5fce7ac2e152e110eab3ee775e077f85b21f55681934c5a86fe35c765882ad8309a494ca541efc7f3cfd4f6f565420626319521e3a96df489568727d2117ce10

C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.17\MICROS~3.EXE

MD5 4cffb68680511742ad8a15d3c261387c
SHA1 754153050f13c2e54713b7be3c939a0d04cc87e2
SHA256 9700b052d9424d6397e8c0da2274b5bdd9c49a5b6943def938481a0b9a05aa60
SHA512 edeaa427cdc0c2a18c679ced0cc6ddfcd6e619fbe344b86486ea6ad8f3b93cf874a1055b9260159108a9698acdaa11ea82e6fac91938886f670c66dad6f52981

C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.17\MI391D~1.EXE

MD5 9a91d53f0dc073ae102fcb107e1cab49
SHA1 081d577751e2ef831cae482a2dfcb071b8d33121
SHA256 a0aa8127c0c49516d7229f55e26e20269127e2b6bcfcf8d39b067c96208f61ba
SHA512 44bd2eac46a1b19a5df0c8df4c1d9b12f591eb0f556df6f0ac872e2b87f4176af65c6954805c65021b8668d567b940d47060064d4ba38983840f9f06b2e5df14

C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.17\MICROS~1.EXE

MD5 247348036dbe419034c3289f577ec6ea
SHA1 6adfd450bd84a629c612c7a2f8b2a613afb49245
SHA256 29af76a6a5c935cae799cba744b4604da06d69f30e272a873f15ecfd57043b1d
SHA512 1c8c636f9a1c3c0e4f92ef026f9509fd29d696823bb1c7086b877f6f32663c2c42a83ea51c9751192cae331ad25733b417030dba81654fd747903cc3eae11025

C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.17\MICROS~4.EXE

MD5 9a4c4a24d3fb6b6c731cd3b4d750336c
SHA1 cf2c5968b62ce3afb3c5cc56b0e1f6b9982590e4
SHA256 7e08ef2506ca12f42eb5c640a3b69d096e8a91be924f4c81f2841c2532640d65
SHA512 616fdf320f979c4b34f6790e4aa6228e29e7f1bf0e232597e81c57252b5b2aefa4664cf59f0f2cfefdd281ee5846f5f465b9cc81ff9c14c665e03cfbc7536726

C:\PROGRA~2\MICROS~1\EdgeCore\122023~1.52\PWAHEL~1.EXE

MD5 6aa892c7d9621d5388526f832195fc0f
SHA1 9f77f2fe1166734a4eda02222b5ec080091b68c9
SHA256 e5f38ea31c0d27d3d0435d4f19e3da0e023a9fa94bf611d5d522b72d9a2b3b66
SHA512 6bf56ce59afcf84265cd757ff99b8d664361f0f23d521386b0092b1574d34eb619184c6f8925b57fa0b94f5edf30453d6cec3b39273f8735cfe1835961ac0e3c

C:\PROGRA~2\MICROS~1\EdgeCore\122023~1.52\NOTIFI~1.EXE

MD5 9265ab18f47b9624d04a7bcc4794cd89
SHA1 4589d080807701f5a4813326a1b72d62e71d2880
SHA256 0cb11ab79f1810b4589f2a28a12dee99c8c913428b6c6e497123800e2134ec3c
SHA512 aa7870c60af1a278e78569c487950f6b9868b4941a25783fad63ea4bc07ba2959a8bb1b2242fc492a2ec85df610dcfcda08013501a2dd9fd9b8dcd728c0d5ead

C:\PROGRA~2\MICROS~1\EdgeCore\122023~1.52\MSEDGE~2.EXE

MD5 7f88f3f90ac64568f91d7886f56ff0b6
SHA1 2ef4a4496c09928a09da0af641e3c092ade4f03b
SHA256 1dc1ebb5939a050cd9eff7b7011afbf877cb33f21950fff127d7481f3e9d38b2
SHA512 412345a84eeffd2ddd1bd66230d4eef5fa29e35891a4b5f329626f4b557fb2fc972f05f131b8c4c94c8296c774545b288da7ba2fda93e6654733a03d247f33e3

C:\PROGRA~2\MICROS~1\EdgeCore\122023~1.52\MSEDGE~1.EXE

MD5 a4b214a072e3b243c4ebc478e6eb36a7
SHA1 03d0e04d345971141a1cd5f56e31e7f8480974f7
SHA256 77411e2933273fb7b04fd0dec90ea0a620b2293b6fbdbd5c29afa0cd7536fa51
SHA512 e32edd286477a52cbeaea9a0d20c49328bf78e86698620cee8c6900b672c0cc7feed5d2a5426770e9c2c70fe2a339814db4468d9fc960070e61e928ca3866a8d

C:\PROGRA~2\MICROS~1\EdgeCore\122023~1.52\msedge.exe

MD5 5d756a0168c787760258a53087193fcd
SHA1 3a1190370ec84df9cbc2d0b8dc2c3c040268e667
SHA256 4dcb3cc3b7e87ea4fdfe524d5d24a32eab1f87f1d477620879edbf8ac99c25d8
SHA512 213c39edbce4602f5e2882ba39d59ab51552b5e1c384c5e274addf3ddaafecd50fd9763a888fac7b406f136dcca63ca29a696ba407ae5e1e0446bee95ad24af4

C:\PROGRA~3\PACKAG~1\{17316~1\WINDOW~1.EXE

MD5 82ff4ff2a82092323145a1e2681ec337
SHA1 26c4d69e0cfba7e972b693b9f60adad8ef8f72a3
SHA256 10b0b2097e86b216f43d1747fa3390ca5bf1e219dfc5a3d777f2347056684dfd
SHA512 ed95243cac1c090fc5ebbe290f0b1a08353500f4a129e63523e27f3d2fab1ed9ac2aec7a9af442b8124ce1fcd045a327a85e324659af1e9d2a41323790f5461f

C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE

MD5 f34835c1f458f93cd9041bfa7d01ee7d
SHA1 283ac4059492a22e10f7fcef219e52e0400a8926
SHA256 afc5cc567db1a3318c89dd0efad2ca60a353290bc25d98bbbba8e6f1492e23b1
SHA512 d5cc2244f1b6492dd9e66c6e917c2dfaa11376d4a8d1dea2c241cd35ce947ad919e47d1a78dea0c1f6cd6fa1e74426f806ddcf9ed3e8f25a9ae7c370b09e6857

memory/1504-224-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\AppData\Local\MICROS~1\OneDrive\181510~1.001\FILESY~1.EXE

MD5 f3228c24035b3f54f78bb4fd11c36aeb
SHA1 2fe73d1f64575bc4abf1d47a9dddfe7e2d9c9cbb
SHA256 d2767c9c52835f19f6695c604081bf03cdd772a3731cd2e320d9db5e477d8af7
SHA512 b526c63338d9167060bc40ffa1d13a8c2e871f46680cd4a0efc2333d9f15bf21ae75af45f8932de857678c5bf785011a28862ce7879f4bffdb9753c8bc2c19b5

C:\Users\Admin\AppData\Local\MICROS~1\OneDrive\OneDrive.exe

MD5 e25ffbddf046809226ea738583fd29f9
SHA1 ebda60d1f49cd1c2559d6c0f0a760dac7f38ce98
SHA256 91630469f3d18ebf1be43522b6dcb6547c3b67ab7a17a246e1b2122628dfcd80
SHA512 4417cba81c77c2a60e448b69dc615574ed4862fd97af014ebdf3ffbdde8a6c9bc32aca4881f59037f908a67b674d9e49b817fc1e6865e8f08e374f36baade101

C:\Users\ALLUSE~1\Adobe\Setup\{AC76B~1\setup.exe

MD5 05bdfd8a3128ab14d96818f43ebe9c0e
SHA1 495cbbd020391e05d11c52aa23bdae7b89532eb7
SHA256 7b945c7e6b8bfbb489f003ecd1d0dcd4803042003de4646d4206114361a0fbbb
SHA512 8d9b9fc407986bd53fe3b56c96b7371cc782b4bac705253bfb0a2b0b1e6883fdb022f1ac87b8bfd7005291991b6a3dfbaceab54f5d494e0af70f0435a0b8b0da

C:\Users\ALLUSE~1\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE

MD5 63dc05e27a0b43bf25f151751b481b8c
SHA1 b20321483dac62bce0aa0cef1d193d247747e189
SHA256 7d607fb69c69a72a5bf4305599279f46318312ce1082b6a34ac9100b8c7762ce
SHA512 374d705704d456cc5f9f79b7f465f6ec7c775dc43001c840e9d6efbbdef20926ed1fa97f8a9b1e73161e17f72520b96c05fa58ac86b3945208b405f9166e7ba3

C:\Users\ALLUSE~1\PACKAG~1\{61087~1\VCREDI~1.EXE

MD5 9597098cfbc45fae685d9480d135ed13
SHA1 84401f03a7942a7e4fcd26e4414b227edd9b0f09
SHA256 45966655baaed42df92cd6d8094b4172c0e7a0320528b59cf63fca7c25d66e9c
SHA512 16afbdffe4b4b2e54b4cc96fe74e49ca367dea50752321ddf334756519812ba8ce147ef5459e421dc42e103bc3456aab1d185588cc86b35fa2315ac86b2a0164

C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXE

MD5 91490c78c45cbd686ac759b6a252e898
SHA1 51bb6c5aa14cf478b0b6fa0329c7366d1f6fb480
SHA256 47f3331b4f35012d38bc11cdeae0ff7b4ae1186d4e916e3e48a9440438296821
SHA512 f7d44cd6df2c0c492731c14ca27e26605e8cddb9cb9287bf083fe1e43f753cafa11c341f0915510ad1d189466e92bb3f4e219b3599e9df72878bde14518bee35

C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE

MD5 f6636e7fd493f59a5511f08894bba153
SHA1 3618061817fdf1155acc0c99b7639b30e3b6936c
SHA256 61720d294189141b74631299911d91874aa02e67096a47cfaf56ef03f568bd33
SHA512 bd2ae751a37b4c065f0d7f7f7ec19785c1552dfaa4818fdb213fffcf90b7951886131a2b5d7aad843f714be418383fcf09ba1d9548bdbf38fa3d304a092a33d1

C:\Users\ALLUSE~1\PACKAG~1\{FB050~1\WINDOW~1.EXE

MD5 443cfb6389cc0462180c83a6c84e2f50
SHA1 1be84e7fedb5b094808cf186d87d0128b6841cbc
SHA256 c640e656f0f715391b77c9c14cb60042daae6dbd8a22ddd0952c5d91a556c292
SHA512 18423c27e5e229e288ce8dd6e96bd33921c503ca491a20a6d81cd1b124ce7c0d56957e029ed9ba2c97042300353f37c7b78ac262c55697c556608ba1e2426896

C:\Users\ALLUSE~1\PACKAG~1\{4D8DC~1\VC_RED~1.EXE

MD5 015caa1588f703bd73bc7cfe9386ffe4
SHA1 747bec0876a67c0242ff657d47d7c383254ea857
SHA256 e5c6463292e3013ef2eb211dad0dfa716671241affbd8bed5802a94f03950141
SHA512 1fb3b2fa422d635c71a8e7865714516b7de1c32e6286f8b975be71b17a9186fcac78852e9467b4751b4eab69cb6af30140772858a758596596d09d767d170aab

C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1\VCREDI~1.EXE

MD5 413ec51a9880e79324c712c0548674c1
SHA1 032d114c78c8df6d98186eeffd9cba24589e93bb
SHA256 80eee8d364db4b281b1643a1a52a5dd1c334b4f20c2519c5e0ba7aa9a49c2bd7
SHA512 4a1f74751793c32729ebe1e01b8b79ffe1a812e6972a21c17a688f52ea828c9d179151026597cae202b3cc46ecd0909d78b47cba5b3e2dc954832cd378657555

memory/1196-246-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1504-247-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2892-248-0x00007FFD3FBD0000-0x00007FFD40691000-memory.dmp

C:\Windows\directx.sys

MD5 a04be9518db0884f6ef234537a09d182
SHA1 4fb9bff6b1711f333e0f17bf31628eaa3a5578b3
SHA256 b33200e2c157ba1d66f336dcc9cfb6afbeab553554f955aac5f9f522d69418f7
SHA512 230d35a520ab70a3c4e6b80d8d98b7dbd40fdd1573c5a5a34afa6800875594e56a2fdb4fb551299d6d4d5861fd044e9aa1c44c4a476f011404ed1d6217cbb108

memory/1196-260-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4508-262-0x0000021119420000-0x000002111A420000-memory.dmp

memory/3204-453-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2140-452-0x000001F6F7FA0000-0x000001F6F8FA0000-memory.dmp

memory/2752-510-0x0000021C99E00000-0x0000021C9AE00000-memory.dmp

memory/1504-552-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3672-648-0x0000023C59900000-0x0000023C5A900000-memory.dmp

C:\Windows\directx.sys

MD5 4f4d924d2584d145b5b6b9b4bad44fdb
SHA1 9ada6b02192a14219601e5f9d862dee7779083a4
SHA256 7293d0a3c14173bb9ca7f33ca33387b2e774980aadf6865ab315bc756d1f9432
SHA512 e0fb71d6c2f0d6cfa2647ebc3ba3aa7777c1a6f398da4d670a0853f26b0942590c00bd49f647a4ee6403b42fbba87f603dc12c047ab37b66dcecb40e39b08abf

memory/640-821-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs.js

MD5 5f6e3d40d1c89cedd26ca73e78f6f04f
SHA1 9a91072d677f98c70d25acdac5cbdf3083bfab34
SHA256 0ca46bb37a14bbbfc758ff9f5d79efb7a14439a5d3bc05c29d09e333efe63042
SHA512 3c35e407fd1142ed5a2267989fae4f7ce0a559bcedaa9e22785555def1e2520f89be0f9f22e05bca1f3b4011937e4c207d3d9c8a148aa7b53c9eae839c0547bf

memory/5404-793-0x000001840EF10000-0x000001840FF10000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs-1.js

MD5 124a90b41f19ef3674a2d0d10883840f
SHA1 406e8691a59684e29aad1a1a00076bd4654869c1
SHA256 dbc86d92ae3d2a4ef97cd8c2aa9ec79393b7a775d72d82e317ce2746f91f52ea
SHA512 4dc1e57f4608293d4b76e0b941301ebcc661a0be3dfd2d82d9bcb4f585f345bf7aa2aebb0b1749801df8398d9ccc8fd29243419021c14a33642957c98b3362c0

memory/5592-951-0x000002796A340000-0x000002796B340000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\pending_pings\0294b89a-2e7f-467d-abc1-d5c7c61f6423

MD5 458a6d7cae5beea50782b5f0e3c02bd3
SHA1 e6dfb736d9090625ecc96e165e7c247f66f2e873
SHA256 4df5dfb8caeba04f49ddd374284af37b6e344ddb8fc3adf33d32f5e96c8b493f
SHA512 bbb157c91b534d07399bdf076a2ec1ef47b1050a81590f613eaf95a9cda360e6fad0b792355f95c831320a399b51ae8679f2c06d70f223e7511368d68ec71d13

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\pending_pings\867fbad5-f802-458c-baf1-088e4366e334

MD5 bd029f860a087ff9cf6109b9e849b80d
SHA1 364794adcc01e8dfb4eab1f459f7b0967dfcb624
SHA256 6136c01793eec0e74f6c7bf067a63b62bd0c35fc9b930ae15cfab8f16a6456d3
SHA512 eb010318dd4ff0d8c56490b45dd36a3f953d00eea8338ed5b99597a9be21f6de1a78560411cc916349a4f6193e12a53c0202c790a3cd5f46e9fd55a0966742e3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\db\data.safe.bin

MD5 404afdf964d3a751b14b16ef5b9a497b
SHA1 277fd4f7bec55a4400a18c2d427f6a7b336107ad
SHA256 86a4d9681327aecf8769ba8298742d1816a1b8720ac5518c66b7da8248daff7e
SHA512 2c9ea8d4d9c464ede48e33ba2f707c0df7d1044cf16be1220a36cb4f905b744bfa60c810bd4e64ebc8e3791d580e186d6ced8e4ed9cc851e40b0d3bc54c7a861

\??\pipe\crashpad_1980_GZGQZEGTWLDSMFSK

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/6000-1486-0x00007FFD5D630000-0x00007FFD5D631000-memory.dmp

memory/1504-1591-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4508-1600-0x0000021119420000-0x00000211194D3000-memory.dmp

memory/1196-1599-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 7adfee93f396a1fd530e878296b5f35f
SHA1 47cbab876304eedea26ee95ead4094058dc5f7d9
SHA256 672feb142b99821400b10beac7bc424e791ae9364446189895ae7135d06045bb
SHA512 854d2c4c220c9435b2636eb4c28174cc68b80e10ef05a5878f55681a0fa198c978e253f8c8c9c6801fb2d53ec6ae86d41aec396f04a0594b20b07f00954ceba6

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4

MD5 c7c6e24899b73ba9bd29391a913e9c65
SHA1 89c21c0901aae6778dd6e3af16354e3fdfa3252f
SHA256 2ced1aef6b3cdd7021ccaa3a38bc844b5ac0aa966619d7c8e8d23176fcdac5ff
SHA512 b1fafcdeccc99e14ba4b3e26f619b975d84866ed499744153090f9f710f1e661b6ae511343ffa73c24bec7a2310dafaf536dcdbfbe84cbfe71a90d1dc02564d7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 03994b88bdc9e598d88f9273dfec8e0e
SHA1 9c4d73dc30e024c6884167494d36edc072a59cc6
SHA256 51f2123c825c0e1071fa87a6d9e6cf057b9829be2092ba1277681ce095dd270e
SHA512 17741d2e38e8a695c7b10ad67bf390d5ce515136ccf2e7445aa705d427c2f05213ce83cfa333651971759e49bebd2d70b3fd3535b17008328f69cf3a04c407a0

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 9aaf4e4f4844bc39899336ced44b5593
SHA1 4edbfc7e11a26ae6c2c50930eaab8be6bc4a432e
SHA256 6ab79a7fe1caaf609704e1167b8e17358b9e5ec8933a8353648661440745fe57
SHA512 31957eb48592fb94733bbbecc7af26e2df2ef7b71dd7e1ba45c23771a4efb6b0090ddad5d8c7f75fc6324257f6eecf1f85046d703b96f22db5f91eb134ab0f17

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs.js

MD5 6a89b6ff8d3017a245c322892ede83d0
SHA1 b9c1da8b64bc143b4f837536f4ccb8fe4d8be4e5
SHA256 d0b3fb95c608086e374834bae772be676c8e2d1b5b2a26db050830570dfb49b6
SHA512 dd68b67daf133e538a686ba81b431ae94e4585224f56d9ab1c0953e301059fa32299c8ef2d88792c173d3c6796ff673cc3f851d10f5cf721b84a1f68fee0954a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 a0f436b26953fcb2c38b3e51a92a4b4e
SHA1 6bbbb38209016034c6308fac8fc4273ae686de1f
SHA256 48820801c21832c7cd444be2e90e7d4ce1bbae99179b43be02c52d49e35bebea
SHA512 87629c7ae8a12870b836934993a3ab7551a6f2786f24c51045e52cd152a3549b03e04d7a07d0d1cd9ec1f072c2866ffec08cae17cfb857328ac9c4a0b543b6bd

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 e04b32b3bd0c2ffdaa70cf4fc3aa5908
SHA1 811d1eee8b34fcfbe7f257dbdc4363d1eaf798c1
SHA256 b0201c45f574d21ff40d3ca4ef9838071716aa47f4b966d52d493417e9a3ca82
SHA512 cdd11fe2324c54956dc0a5e9efb03b5cc4cb9a738ae0d0138b5aa36f2fd41b32f4df0484633f25718e988ef0d8cb8a69427fff8af72d8f9d6578f1f45a66d53b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs-1.js

MD5 04b33b2ce03682b42a75bf7f96c9e8ab
SHA1 561f195079fef2ce5ae93354dfdb6f5da06f7714
SHA256 fc7e253b0d019f3fc6a5a1b4068d32086b39e20a41f1bc108014f25236e9f472
SHA512 8e366fccdf6b7813b3b8d58b00c06b55a4b1964ac5f68cd5b7fdf7da68ce55cf20f3037227d75e6adb332a50c0e70a2587f5813b91591ce05b23a4ab60f2bbc3

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 ed029ee239009794ed71a1ae4112754a
SHA1 1eb17c1a5930a6e5875299790b639e5dab011ee4
SHA256 bb6ff9d9acfd1f173c9dfa835ba61a0c3b9d2de1e6b3c025e1719ff47d8929e1
SHA512 a62a269000cbfbeaef8ef249516e8e6b55cb468b1c4fa9f18383e6ddf02fd0491021261688bf2ebe429363e84faf7d2c07bea28913510c36037573b7eb1c8030

memory/5220-2102-0x00000226D3270000-0x00000226D339A000-memory.dmp

memory/1776-2397-0x000001E176140000-0x000001E177140000-memory.dmp

memory/6708-2422-0x0000028857E00000-0x0000028858E00000-memory.dmp

memory/4664-2423-0x000001F2F2C80000-0x000001F2F3C80000-memory.dmp

memory/6964-2407-0x000002074CFB0000-0x000002074DFB0000-memory.dmp

memory/6000-2461-0x000002A7E7710000-0x000002A7E783A000-memory.dmp

memory/6076-2468-0x0000011C732A0000-0x0000011C733CA000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore.jsonlz4

MD5 4e82816a83b96f4b5546ee956cfcb888
SHA1 08f45b96449b134a68aee2dc1d177ada55e352b5
SHA256 2db8814ae8a8ead3a05d289201334bfc235752d46e89d0417c8d99df0629c429
SHA512 45c0ad149255c7ac1fc8cb4b5fd81d92e924a72d29c8d16a8f532ed47d899b1ca01723a7fb398f792d7df17fb71edd04bd8343c927ce7a13364d03a74a848f83

memory/5180-2775-0x00000248D4490000-0x00000248D45BA000-memory.dmp

memory/1504-2802-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1196-2803-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

MD5 85cfc13b6779a099d53221876df3b9e0
SHA1 08becf601c986c2e9f979f9143bbbcb7b48540ed
SHA256 bd34434d117b9572216229cb2ab703b5e98d588f5f6dfe072188bd3d6b3022f3
SHA512 b248162930702450893a112987e96ea70569ac35e14ef5eb6973238e426428272d1c930ce30552f19dd2d8d7754dc1f7f667ecd18f2c857b165b7873f4c03a48

memory/6432-2889-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1504-2906-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1196-2907-0x0000000000400000-0x000000000041B000-memory.dmp

memory/5192-2915-0x00007FFD5F210000-0x00007FFD5F211000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\f5e083d0-4be9-4c6f-af14-e662354795af.tmp

MD5 5641e7f9f9ce011b9cfb38ed79fac8d2
SHA1 ec992eb38072b8c7ff1fc6828401dcf1a546a28b
SHA256 4b22acd1d88465534b84efdeaa35656e252f889c6f2677747948f6d16e1d8e81
SHA512 2d65333a444545bcb568c365c198d78f9873fccde2f4c614aef6f3ac9d56710685b39bde8b157fa46d6ea2ce5f38ead0897ad97fff02e864a78a29d93091cf2a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 a91cab05fa4cfe79558b23ecfaf0071e
SHA1 f4fcf662e6025d8c6078ce6ebd231fe3848068f2
SHA256 2088bb234884b40c012997352079c5f553a427dcce3520b4ce2361adc7472722
SHA512 fc34a0c494ddf8442cb0d1956a28e87bf98179febfa7e895cea306755b4a231fa59ed405acfff2f66c81fe0fa774836d97d55c996a692f293cf3b64bb485a4bc

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 e0d7774bb6c6a741aa3525197de3282c
SHA1 3ff32ef4f92b64988a03c6b711f72783c46bff06
SHA256 348e9038e90f60c48cd264312cb3b2ea667d12c9743b2d2f1ba880079f07c337
SHA512 11733cb15a26f8a091ddc9db65a0976019c4c953e400a0faef6f80d4792667b2c2fde21df7a8bab3e816111f47f3bb985f7161f3b68804bc73b0da264ee1d6f8

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 f21f4d3701aae5ba5b8229a45fc32f08
SHA1 4f16b0edb6bd5e3b62d6ba72704c4a6def90713b
SHA256 23932cff248b01c9ad6e99d9e0747a879280efb2ac25f36ff4a439bb111fa75f
SHA512 919d0e326de09aabf7ddcb0cd27c1c158ec8e6d097448148103647b9b66e8ce5a47a3001b6c20c99c3f0ba9c7997c51c6b42b74092cb1c16440a6647489d08a5

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 33097fbbd0e02115deca09faf6e3bd9c
SHA1 bdaee6ad725b28ea171353bfdd3e21c010c7ccf9
SHA256 d698c20bd641f2e0d7fe2b154d1846919e67a09236c16aba1bda1180433abba0
SHA512 f6374caaaba799d3da1435a46fc06d2ce982fb6d3ce47575e297bbda8a2b60996cd3736156b85f045a91e81c238b35f302ed524ab800d2b7f6cd6cb589be8f7b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

MD5 99914b932bd37a50b983c5e7c90ae93b
SHA1 bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 3b263ee5c77d9ee994bad2aa7f25b635
SHA1 077d5240859c00838c749bb234cc0b5d43fbce88
SHA256 d087948ef5677d83c21c588d6ec48d074b9146bcfc96b033cc338d1731c12a11
SHA512 4b1471007a925884d14fee53a433f4e523e58e854e463982f6924d3c7cfd1bef0f260ef842e2fa9d30583ef661937e6e61aa9a96aaeb791521f36a610914b43e