Malware Analysis Report

2025-08-05 21:34

Sample ID 230329-g8kx1agf9w
Target f628532a482840b66c9fdf0ed09de86b63418e1f2cc3bbff139f54482f895d43
SHA256 f628532a482840b66c9fdf0ed09de86b63418e1f2cc3bbff139f54482f895d43
Tags
remcos warzonerat sixthclients collection infostealer persistence rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f628532a482840b66c9fdf0ed09de86b63418e1f2cc3bbff139f54482f895d43

Threat Level: Known bad

The file f628532a482840b66c9fdf0ed09de86b63418e1f2cc3bbff139f54482f895d43 was found to be: Known bad.

Malicious Activity Summary

remcos warzonerat sixthclients collection infostealer persistence rat spyware stealer

Remcos

Modifies WinLogon for persistence

WarzoneRat, AveMaria

NirSoft WebBrowserPassView

NirSoft MailPassView

Nirsoft

Warzone RAT payload

Reads user/profile data of web browsers

Executes dropped EXE

Loads dropped DLL

Accesses Microsoft Outlook accounts

Adds Run key to start application

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Runs ping.exe

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

outlook_office_path

outlook_win_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-03-29 06:28

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-03-29 06:28

Reported

2023-03-29 06:31

Platform

win10-20230220-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f628532a482840b66c9fdf0ed09de86b63418e1f2cc3bbff139f54482f895d43.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dfsghjs\\uytedew.exe," C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dfsghjs\\iurdsfhgj.exe," C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dfsghjs\\uytresdfgh.exe," C:\Windows\SysWOW64\reg.exe N/A

Remcos

rat remcos

WarzoneRat, AveMaria

rat infostealer warzonerat

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Nirsoft

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Windows\CurrentVersion\Run\odsnqyon = "C:\\Users\\Admin\\AppData\\Roaming\\ukyerc\\irsqhssjjf.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\tqchnnl.exe\" C:\\Users\\Admin\\AppData\\Local桜" C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Windows\CurrentVersion\Run\maoie = "C:\\Users\\Admin\\AppData\\Roaming\\dnetoln\\qiyvhavtewgo.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\ghibzkdm.exe\" C:\\Users\\Admin\\AppData\\L㡯" C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\datorg.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\datrem.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\dfsghjs\uytedew.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2164 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\f628532a482840b66c9fdf0ed09de86b63418e1f2cc3bbff139f54482f895d43.exe C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe
PID 2164 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\f628532a482840b66c9fdf0ed09de86b63418e1f2cc3bbff139f54482f895d43.exe C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe
PID 2164 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\f628532a482840b66c9fdf0ed09de86b63418e1f2cc3bbff139f54482f895d43.exe C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe
PID 3664 wrote to memory of 4144 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe
PID 3664 wrote to memory of 4144 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe
PID 3664 wrote to memory of 4144 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe
PID 3664 wrote to memory of 4144 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe
PID 4144 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\fmwrz.exe
PID 4144 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\fmwrz.exe
PID 4144 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\fmwrz.exe
PID 4692 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\fmwrz.exe C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe
PID 4692 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\fmwrz.exe C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe
PID 4692 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\fmwrz.exe C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe
PID 1084 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe
PID 1084 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe
PID 1084 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe
PID 1084 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe
PID 4144 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\datorg.exe
PID 4144 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\datorg.exe
PID 4144 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\datorg.exe
PID 4144 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\datxld.exe
PID 4144 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\datxld.exe
PID 4144 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\datxld.exe
PID 4144 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe
PID 4144 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe
PID 4144 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe
PID 4144 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe
PID 4144 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe
PID 4144 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe
PID 4144 wrote to memory of 3676 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe
PID 4144 wrote to memory of 3676 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe
PID 4144 wrote to memory of 3676 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe
PID 4144 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\datrem.exe
PID 4144 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\datrem.exe
PID 4144 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\datrem.exe
PID 4792 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe C:\Windows\SysWOW64\cmd.exe
PID 4792 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe C:\Windows\SysWOW64\cmd.exe
PID 4792 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe C:\Windows\SysWOW64\cmd.exe
PID 3612 wrote to memory of 500 N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe C:\Windows\SysWOW64\cmd.exe
PID 3612 wrote to memory of 500 N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe C:\Windows\SysWOW64\cmd.exe
PID 3612 wrote to memory of 500 N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe C:\Windows\SysWOW64\cmd.exe
PID 4908 wrote to memory of 4844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4908 wrote to memory of 4844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4908 wrote to memory of 4844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 500 wrote to memory of 644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 500 wrote to memory of 644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 500 wrote to memory of 644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4912 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\datrem.exe C:\Windows\SysWOW64\cmd.exe
PID 4912 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\datrem.exe C:\Windows\SysWOW64\cmd.exe
PID 4912 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\datrem.exe C:\Windows\SysWOW64\cmd.exe
PID 1348 wrote to memory of 1228 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1348 wrote to memory of 1228 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1348 wrote to memory of 1228 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3612 wrote to memory of 204 N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe C:\Windows\SysWOW64\cmd.exe
PID 3612 wrote to memory of 204 N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe C:\Windows\SysWOW64\cmd.exe
PID 3612 wrote to memory of 204 N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe C:\Windows\SysWOW64\cmd.exe
PID 204 wrote to memory of 3268 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 204 wrote to memory of 3268 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 204 wrote to memory of 3268 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 500 wrote to memory of 3692 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 500 wrote to memory of 3692 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 500 wrote to memory of 3692 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4908 wrote to memory of 4152 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4908 wrote to memory of 4152 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f628532a482840b66c9fdf0ed09de86b63418e1f2cc3bbff139f54482f895d43.exe

"C:\Users\Admin\AppData\Local\Temp\f628532a482840b66c9fdf0ed09de86b63418e1f2cc3bbff139f54482f895d43.exe"

C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe

"C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe" C:\Users\Admin\AppData\Local\Temp\smpprgdmyr.v

C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe

"C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe"

C:\Users\Admin\AppData\Local\Temp\fmwrz.exe

"C:\Users\Admin\AppData\Local\Temp\fmwrz.exe"

C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe

"C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe" C:\Users\Admin\AppData\Local\Temp\xaaktctbkvc.h

C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe

"C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe"

C:\Users\Admin\AppData\Local\Temp\datorg.exe

"C:\Users\Admin\AppData\Local\Temp\datorg.exe"

C:\Users\Admin\AppData\Local\Temp\datxld.exe

"C:\Users\Admin\AppData\Local\Temp\datxld.exe"

C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe

C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe /stext "C:\Users\Admin\AppData\Local\Temp\azdkrqzqgzjjnwpyxavhdleqfgevs"

C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe

C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe /stext "C:\Users\Admin\AppData\Local\Temp\mvww"

C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe

C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe /stext "C:\Users\Admin\AppData\Local\Temp\ktjdsjsruhbnqklcolpioqzhgmowtdmy"

C:\Users\Admin\AppData\Local\Temp\datrem.exe

"C:\Users\Admin\AppData\Local\Temp\datrem.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c ping 127.0.0.1 -n 38 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\dfsghjs\iurdsfhgj.exe,"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c ping 127.0.0.1 -n 36 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\dfsghjs\uytedew.exe,"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 38

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 36

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 1712

C:\Windows\SysWOW64\cmd.exe

"cmd" /c ping 127.0.0.1 -n 39 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\dfsghjs\uytresdfgh.exe,"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 39

C:\Windows\SysWOW64\cmd.exe

"cmd" /c ping 127.0.0.1 -n 44 > nul && copy "C:\Users\Admin\AppData\Local\Temp\datxld.exe" "C:\Users\Admin\AppData\Roaming\dfsghjs\uytedew.exe" && ping 127.0.0.1 -n 44 > nul && "C:\Users\Admin\AppData\Roaming\dfsghjs\uytedew.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 44

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\dfsghjs\uytedew.exe,"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\dfsghjs\iurdsfhgj.exe,"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c ping 127.0.0.1 -n 49 > nul && copy "C:\Users\Admin\AppData\Local\Temp\datrem.exe" "C:\Users\Admin\AppData\Roaming\dfsghjs\uytresdfgh.exe" && ping 127.0.0.1 -n 49 > nul && "C:\Users\Admin\AppData\Roaming\dfsghjs\uytresdfgh.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 49

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\dfsghjs\uytresdfgh.exe,"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 44

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 49

C:\Users\Admin\AppData\Roaming\dfsghjs\uytedew.exe

"C:\Users\Admin\AppData\Roaming\dfsghjs\uytedew.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 top.not2beabused01.xyz udp
CA 38.117.65.122:1558 top.not2beabused01.xyz tcp
CA 38.117.65.122:1558 top.not2beabused01.xyz tcp
CA 38.117.65.122:1558 top.not2beabused01.xyz tcp
CA 38.117.65.122:1558 top.not2beabused01.xyz tcp
CA 38.117.65.122:1558 top.not2beabused01.xyz tcp
CA 38.117.65.122:1558 top.not2beabused01.xyz tcp
CA 38.117.65.122:1558 top.not2beabused01.xyz tcp
CA 38.117.65.122:1558 top.not2beabused01.xyz tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 122.65.117.38.in-addr.arpa udp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
CA 38.117.65.122:1668 top.not2beabused01.xyz tcp
US 8.8.8.8:53 microsoft.com udp
US 20.112.52.29:80 microsoft.com tcp
US 8.8.8.8:53 29.52.112.20.in-addr.arpa udp
US 8.8.8.8:53 52.4.107.13.in-addr.arpa udp
NL 13.69.109.130:443 tcp
US 8.8.8.8:53 86.8.109.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe

MD5 78d3f22fed32bf75725573cf8df7d666
SHA1 2e0c049c4b58a7db1259bfa7023473ebe6785025
SHA256 4a6d211f626c08754049b36707cbb5316d4f8fc5a3e4cfbf28616ed1c39f66c0
SHA512 bf01b209f4d3ba488a798a65a9d346bba04343d5a694619c350a3eff660a507c28fc63bf0464668118b26777945f1d0216659798baabaabb1d77d535cb02668c

C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe

MD5 78d3f22fed32bf75725573cf8df7d666
SHA1 2e0c049c4b58a7db1259bfa7023473ebe6785025
SHA256 4a6d211f626c08754049b36707cbb5316d4f8fc5a3e4cfbf28616ed1c39f66c0
SHA512 bf01b209f4d3ba488a798a65a9d346bba04343d5a694619c350a3eff660a507c28fc63bf0464668118b26777945f1d0216659798baabaabb1d77d535cb02668c

C:\Users\Admin\AppData\Local\Temp\smpprgdmyr.v

MD5 8bba552e868d530af56dadd00d38ce78
SHA1 e8f76dd15c91b3c42d42ce83a06c299d900cedf6
SHA256 dd99bf95cbfb93c236cdfe239dddce5aa54f6355a50a7b2ed7606afd00958b9b
SHA512 ff8fe38ed26720865f57fa69a9dd3806109cb688ea22e38ff44ca05f6a7d95795705ac2ccff1e7eb964696a0a0843b370fe76c96373a580ef66ada63054ce35f

C:\Users\Admin\AppData\Local\Temp\wahquzerdw.vl

MD5 b8e0694c7d8f49c6bab7b2f38a068cc7
SHA1 b19f8174f08d3e844b5ae2e74cb6eb7a7e6f7923
SHA256 6a0e2c58b2be31c768cd2dd0236ebef7d8ef9839c6398931f6f9b9a20b62dd4c
SHA512 ead2ee5aeec1a2df1d244b8b5502bc0e84e85c5024602fb9cc4e3b09f687e9af77c2427d6e59661319217306494d50ea77d623b18e586baebeecc7b72a05c14f

memory/4144-129-0x0000000000400000-0x0000000000480000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe

MD5 78d3f22fed32bf75725573cf8df7d666
SHA1 2e0c049c4b58a7db1259bfa7023473ebe6785025
SHA256 4a6d211f626c08754049b36707cbb5316d4f8fc5a3e4cfbf28616ed1c39f66c0
SHA512 bf01b209f4d3ba488a798a65a9d346bba04343d5a694619c350a3eff660a507c28fc63bf0464668118b26777945f1d0216659798baabaabb1d77d535cb02668c

memory/4144-131-0x0000000000400000-0x0000000000480000-memory.dmp

memory/4144-133-0x0000000000400000-0x0000000000480000-memory.dmp

memory/4144-134-0x0000000000400000-0x0000000000480000-memory.dmp

memory/4144-136-0x0000000000400000-0x0000000000480000-memory.dmp

memory/4144-137-0x0000000000400000-0x0000000000480000-memory.dmp

memory/4144-139-0x0000000000400000-0x0000000000480000-memory.dmp

memory/4144-141-0x0000000000400000-0x0000000000480000-memory.dmp

memory/4144-142-0x0000000000400000-0x0000000000480000-memory.dmp

memory/4144-143-0x0000000000400000-0x0000000000480000-memory.dmp

memory/4144-144-0x0000000000400000-0x0000000000480000-memory.dmp

memory/4144-145-0x0000000000400000-0x0000000000480000-memory.dmp

memory/4144-146-0x0000000000400000-0x0000000000480000-memory.dmp

memory/4144-148-0x0000000000400000-0x0000000000480000-memory.dmp

memory/4144-149-0x0000000000400000-0x0000000000480000-memory.dmp

memory/4144-154-0x0000000000400000-0x0000000000480000-memory.dmp

memory/4144-156-0x0000000000400000-0x0000000000480000-memory.dmp

memory/4144-157-0x0000000000400000-0x0000000000480000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fmwrz.exe

MD5 a3a47448f45b0374c3cde59e1a7bfb0d
SHA1 e00b404f1a143c99e1cf095ef27678022539be43
SHA256 9b1cd01f7d8e52a581fa6d6b2fd0dbb61361c3e6bda603f0f5fded0f938ada10
SHA512 cc70d6c4829a13a7b5819c6924d0309beb083131c59d8cb3e81f13b1bc38d02413f48447064b7f5948bdb2d162c450863c9bc0c47f51735375264d31bbc48dd4

memory/4144-162-0x0000000000400000-0x0000000000480000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fmwrz.exe

MD5 a3a47448f45b0374c3cde59e1a7bfb0d
SHA1 e00b404f1a143c99e1cf095ef27678022539be43
SHA256 9b1cd01f7d8e52a581fa6d6b2fd0dbb61361c3e6bda603f0f5fded0f938ada10
SHA512 cc70d6c4829a13a7b5819c6924d0309beb083131c59d8cb3e81f13b1bc38d02413f48447064b7f5948bdb2d162c450863c9bc0c47f51735375264d31bbc48dd4

C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe

MD5 fb4d8f685c26d5958cb092ef90cc8e7f
SHA1 accfc973351957db7fe4584e24c3989b5df8d3b9
SHA256 b78e622cab41dcf6e311a6d53dc1325d6e1851526baf036f9cbd5168000b8901
SHA512 89878fa3efba0cb880d8973085b69eea0733260fc7fe6d3b276b33259cf99243363010d7dd753b98d629271834e2cf310bec514db0e1ea8a50d1aba3d200f4e3

C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe

MD5 fb4d8f685c26d5958cb092ef90cc8e7f
SHA1 accfc973351957db7fe4584e24c3989b5df8d3b9
SHA256 b78e622cab41dcf6e311a6d53dc1325d6e1851526baf036f9cbd5168000b8901
SHA512 89878fa3efba0cb880d8973085b69eea0733260fc7fe6d3b276b33259cf99243363010d7dd753b98d629271834e2cf310bec514db0e1ea8a50d1aba3d200f4e3

C:\Users\Admin\AppData\Local\Temp\xaaktctbkvc.h

MD5 bab85673afd9040f8fffe381439cf5cc
SHA1 8d13dfa7f0047acb464e3ed534580c60bdabed6b
SHA256 76aee090b77973c9e217601cd168c181c0e4639b2073a0f52db7eb5c32fa77c2
SHA512 df2694645b1ed4d2e9b2ffb901cb0d0af8ac192665c81214bbc8157fab7b6b5fe7203d8f6ebdbe070796ff6185c3535efed97a515f7ed413c0f7f689d1b0f16c

C:\Users\Admin\AppData\Local\Temp\tmbugjrwpz.kh

MD5 12c7d6f0b173d7d369ae8bf93dd1c384
SHA1 bcb512d7fe890bb980206788d15c494ca02ede8a
SHA256 ae4add2b61f783f6d4faa3216ff68960302f76230ef0a371edf6778188bf86f3
SHA512 53e8b9337544218ab38f319d34752161ad974db1b370dae10786695554d0541dc21209e48c819b5e9e48f339e0afa843d750e8e5105e5abf18aa84e7bb3c24be

memory/2904-173-0x0000000000400000-0x000000000055C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe

MD5 fb4d8f685c26d5958cb092ef90cc8e7f
SHA1 accfc973351957db7fe4584e24c3989b5df8d3b9
SHA256 b78e622cab41dcf6e311a6d53dc1325d6e1851526baf036f9cbd5168000b8901
SHA512 89878fa3efba0cb880d8973085b69eea0733260fc7fe6d3b276b33259cf99243363010d7dd753b98d629271834e2cf310bec514db0e1ea8a50d1aba3d200f4e3

memory/2904-176-0x0000000000400000-0x000000000055C000-memory.dmp

memory/2904-178-0x0000000000400000-0x000000000055C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\datorg.exe

MD5 8b0e574f3db376044a84cb315777dd80
SHA1 95a9baee9753204301faba46444cde42f724c1d6
SHA256 adbe453aa3a0209fc356b1fd2ceaad057f5ff3a82fa54b0b0cf49d2c4788d263
SHA512 d95d77fcd16d26c84e80697b109b9fbab2f8a7eb8ef3f10f463319ff193647e280ddc061506645c449a6c365aa5856e178fa4791242c5638be6f469a4b93b7ea

C:\Users\Admin\AppData\Local\Temp\datorg.exe

MD5 8b0e574f3db376044a84cb315777dd80
SHA1 95a9baee9753204301faba46444cde42f724c1d6
SHA256 adbe453aa3a0209fc356b1fd2ceaad057f5ff3a82fa54b0b0cf49d2c4788d263
SHA512 d95d77fcd16d26c84e80697b109b9fbab2f8a7eb8ef3f10f463319ff193647e280ddc061506645c449a6c365aa5856e178fa4791242c5638be6f469a4b93b7ea

memory/4144-187-0x0000000000400000-0x0000000000480000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\datxld.exe

MD5 4cfc1701fe7974c640796586a7130f70
SHA1 329f3b2b6d4c29c785085178e7ff9c1813839d84
SHA256 1100225cfbdf3ac536e1cc3bc6e77a4ba01a5b2fc582655a3b67c23183c2048c
SHA512 0a280c11af661d006c3041d7819e9b4b3b3541ce0ed4fa54fc06180fa5132722a39c91c6bb334d282e6afea455ebb647bad02bace182f561aead3de468bf68ed

C:\Users\Admin\AppData\Local\Temp\datxld.exe

MD5 4cfc1701fe7974c640796586a7130f70
SHA1 329f3b2b6d4c29c785085178e7ff9c1813839d84
SHA256 1100225cfbdf3ac536e1cc3bc6e77a4ba01a5b2fc582655a3b67c23183c2048c
SHA512 0a280c11af661d006c3041d7819e9b4b3b3541ce0ed4fa54fc06180fa5132722a39c91c6bb334d282e6afea455ebb647bad02bace182f561aead3de468bf68ed

memory/4144-192-0x0000000000400000-0x0000000000480000-memory.dmp

memory/4792-194-0x0000000000A10000-0x0000000000B30000-memory.dmp

memory/3612-193-0x0000000000330000-0x0000000000456000-memory.dmp

memory/3612-195-0x0000000005070000-0x000000000556E000-memory.dmp

memory/4792-196-0x0000000004B70000-0x0000000004C02000-memory.dmp

memory/2560-197-0x0000000000400000-0x0000000000478000-memory.dmp

memory/3808-198-0x0000000000400000-0x0000000000457000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe

MD5 78d3f22fed32bf75725573cf8df7d666
SHA1 2e0c049c4b58a7db1259bfa7023473ebe6785025
SHA256 4a6d211f626c08754049b36707cbb5316d4f8fc5a3e4cfbf28616ed1c39f66c0
SHA512 bf01b209f4d3ba488a798a65a9d346bba04343d5a694619c350a3eff660a507c28fc63bf0464668118b26777945f1d0216659798baabaabb1d77d535cb02668c

memory/3676-201-0x0000000000400000-0x0000000000424000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe

MD5 78d3f22fed32bf75725573cf8df7d666
SHA1 2e0c049c4b58a7db1259bfa7023473ebe6785025
SHA256 4a6d211f626c08754049b36707cbb5316d4f8fc5a3e4cfbf28616ed1c39f66c0
SHA512 bf01b209f4d3ba488a798a65a9d346bba04343d5a694619c350a3eff660a507c28fc63bf0464668118b26777945f1d0216659798baabaabb1d77d535cb02668c

memory/2560-207-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2560-204-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe

MD5 78d3f22fed32bf75725573cf8df7d666
SHA1 2e0c049c4b58a7db1259bfa7023473ebe6785025
SHA256 4a6d211f626c08754049b36707cbb5316d4f8fc5a3e4cfbf28616ed1c39f66c0
SHA512 bf01b209f4d3ba488a798a65a9d346bba04343d5a694619c350a3eff660a507c28fc63bf0464668118b26777945f1d0216659798baabaabb1d77d535cb02668c

memory/3676-209-0x0000000000400000-0x0000000000424000-memory.dmp

memory/3676-211-0x0000000000400000-0x0000000000424000-memory.dmp

memory/4792-218-0x0000000000860000-0x000000000086A000-memory.dmp

memory/3808-217-0x0000000000400000-0x0000000000457000-memory.dmp

memory/3676-212-0x0000000000400000-0x0000000000424000-memory.dmp

memory/3808-210-0x0000000000400000-0x0000000000457000-memory.dmp

memory/3808-208-0x0000000000400000-0x0000000000457000-memory.dmp

memory/2560-220-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4792-221-0x0000000004D50000-0x0000000004DEC000-memory.dmp

memory/4792-222-0x0000000004D40000-0x0000000004D50000-memory.dmp

memory/3612-223-0x0000000004D20000-0x0000000004D30000-memory.dmp

memory/2560-227-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\datrem.exe

MD5 96ab89f81c025afe746d86333ce945f7
SHA1 d88cf814dbf9236c51b6a2914212765d289b2e8b
SHA256 c8a73b8edabb6fb2597a642abb53b5a33aca53cf494a8b9b35a2dd020744d27b
SHA512 f9a68e6f174c022fc67c58cd6f172f633111af38765b81e6b578dae89f90cbc18c3d77c47dff4d3e166f59b5574fff30316991275c31aaedb91feec83ea6930d

memory/3612-232-0x0000000005020000-0x000000000506A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\datrem.exe

MD5 96ab89f81c025afe746d86333ce945f7
SHA1 d88cf814dbf9236c51b6a2914212765d289b2e8b
SHA256 c8a73b8edabb6fb2597a642abb53b5a33aca53cf494a8b9b35a2dd020744d27b
SHA512 f9a68e6f174c022fc67c58cd6f172f633111af38765b81e6b578dae89f90cbc18c3d77c47dff4d3e166f59b5574fff30316991275c31aaedb91feec83ea6930d

memory/4144-234-0x0000000010000000-0x0000000010019000-memory.dmp

memory/4912-236-0x00000000002D0000-0x0000000000462000-memory.dmp

memory/4144-235-0x0000000000400000-0x0000000000480000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\azdkrqzqgzjjnwpyxavhdleqfgevs

MD5 664f51cd23313e65364c09e0ad34f3ac
SHA1 fb0fc120915a16342a58881c53abb2c3371afba8
SHA256 87cb1411f33b74a56a2b09ff36752ea3f0284743fdd3dccdceea57124d2effda
SHA512 a860878a554ad67add279662e472c159f1cc675693afa7747f6c3004db0eebea9fbbf462a2319e5253d2ecee7189190d1530b17573959fed91a187d2106b3690

memory/2904-239-0x0000000000400000-0x000000000055C000-memory.dmp

memory/4144-240-0x0000000010000000-0x0000000010019000-memory.dmp

memory/4144-241-0x0000000000400000-0x0000000000480000-memory.dmp

memory/4912-243-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

memory/4144-244-0x0000000010000000-0x0000000010019000-memory.dmp

memory/3612-245-0x0000000007C60000-0x0000000007C78000-memory.dmp

memory/4792-246-0x0000000004D40000-0x0000000004D50000-memory.dmp

memory/3612-247-0x0000000004D20000-0x0000000004D30000-memory.dmp

memory/4912-248-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

memory/2904-249-0x0000000000400000-0x000000000055C000-memory.dmp

memory/2904-252-0x0000000000400000-0x000000000055C000-memory.dmp

memory/4144-253-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2904-254-0x0000000000400000-0x000000000055C000-memory.dmp

memory/4792-255-0x0000000004D40000-0x0000000004D50000-memory.dmp

memory/3612-256-0x0000000004D20000-0x0000000004D30000-memory.dmp

memory/4912-258-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

memory/4792-260-0x0000000004D40000-0x0000000004D50000-memory.dmp

memory/3612-261-0x0000000004D20000-0x0000000004D30000-memory.dmp

memory/4912-262-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

memory/4144-267-0x0000000000400000-0x0000000000480000-memory.dmp

memory/4792-268-0x0000000004D40000-0x0000000004D50000-memory.dmp

memory/4912-270-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

memory/3612-269-0x0000000004D20000-0x0000000004D30000-memory.dmp

memory/3612-272-0x0000000004D20000-0x0000000004D30000-memory.dmp

C:\Users\Admin\AppData\Roaming\Appsync\logs.dat

MD5 b68c933ed9102611e5afbbd8e5295762
SHA1 3589b7c0e6abe17ccc3c7ee3227b134adc42e749
SHA256 1bd41f010f0ecc22ec019771f02dc271dc342b0fc94d6d5e93ceaa6adc624022
SHA512 c43a7f1a557a87c71719e70a5adca0356dd83a34f751b4116d4e24d1b2f0c8dec0303751d363254201104f3c253bd1c9f4b9eb7cafe768788d9f1d88837b325a

memory/4792-274-0x0000000004D40000-0x0000000004D50000-memory.dmp

memory/3612-275-0x0000000004D20000-0x0000000004D30000-memory.dmp

memory/4912-276-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

memory/4144-278-0x0000000000400000-0x0000000000480000-memory.dmp

memory/4912-279-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

memory/4144-280-0x0000000000400000-0x0000000000480000-memory.dmp

memory/3612-283-0x0000000004D20000-0x0000000004D30000-memory.dmp

memory/4912-287-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

memory/2904-294-0x00000000088E0000-0x0000000008987000-memory.dmp

\Users\Admin\AppData\Local\Temp\msvcp140.dll

MD5 109f0f02fd37c84bfc7508d4227d7ed5
SHA1 ef7420141bb15ac334d3964082361a460bfdb975
SHA256 334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4
SHA512 46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

\Users\Admin\AppData\Local\Temp\vcruntime140.dll

MD5 7587bf9cb4147022cd5681b015183046
SHA1 f2106306a8f6f0da5afb7fc765cfa0757ad5a628
SHA256 c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d
SHA512 0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

\Users\Admin\AppData\Local\Temp\mozglue.dll

MD5 75f8cc548cabf0cc800c25047e4d3124
SHA1 602676768f9faecd35b48c38a0632781dfbde10c
SHA256 fb419a60305f17359e2ac0510233ee80e845885eee60607715c67dd88e501ef0
SHA512 ed831c9c769aef3be253c52542cf032afa0a8fa5fe25ca704db65ee6883c608220df7102ac2b99ee9c2e599a0f5db99fd86894a4b169e68440eb1b0d0012672f

\Users\Admin\AppData\Local\Temp\nss3.dll

MD5 d7858e8449004e21b01d468e9fd04b82
SHA1 9524352071ede21c167e7e4f106e9526dc23ef4e
SHA256 78758bf7f3b3b5e3477e38354acd32d787bc1286c8bd9b873471b9c195e638db
SHA512 1e2c981e6c0ca36c60c6e9cae9548b866d5c524df837095b30d618d9c322def7134c20de820105400dd1b58076b66d90274f67773ac6ba914f611b419babb440

\Users\Admin\AppData\Local\Temp\softokn3.dll

MD5 471c983513694ac3002590345f2be0da
SHA1 6612b9af4ff6830fa9b7d4193078434ef72f775b
SHA256 bb3ff746471116c6ad0339fa0522aa2a44a787e33a29c7b27649a054ecd4d00f
SHA512 a9b0fb923bc3b567e933de10b141a3e9213640e3d790b4c4d753cf220d55593ae8026102909969ba6bfc22da3b2fcd01e30a9f5a74bd14a0fdec9beaf0fb1410

\Users\Admin\AppData\Local\Temp\freebl3.dll

MD5 ef12ab9d0b231b8f898067b2114b1bc0
SHA1 6d90f27b2105945f9bb77039e8b892070a5f9442
SHA256 2b00fc4f541ac10c94e3556ff28e30a801811c36422546a546a445aca3f410f7
SHA512 2aa62bfba556ad8f042942dd25aa071ff6677c257904377c1ec956fd9e862abcbf379e0cfd8c630c303a32ece75618c24e3eef58bddb705c427985b944689193

C:\Users\Admin\AppData\Roaming\dfsghjs\uytedew.exe

MD5 4cfc1701fe7974c640796586a7130f70
SHA1 329f3b2b6d4c29c785085178e7ff9c1813839d84
SHA256 1100225cfbdf3ac536e1cc3bc6e77a4ba01a5b2fc582655a3b67c23183c2048c
SHA512 0a280c11af661d006c3041d7819e9b4b3b3541ce0ed4fa54fc06180fa5132722a39c91c6bb334d282e6afea455ebb647bad02bace182f561aead3de468bf68ed

C:\Users\Admin\AppData\Roaming\dfsghjs\uytresdfgh.exe

MD5 96ab89f81c025afe746d86333ce945f7
SHA1 d88cf814dbf9236c51b6a2914212765d289b2e8b
SHA256 c8a73b8edabb6fb2597a642abb53b5a33aca53cf494a8b9b35a2dd020744d27b
SHA512 f9a68e6f174c022fc67c58cd6f172f633111af38765b81e6b578dae89f90cbc18c3d77c47dff4d3e166f59b5574fff30316991275c31aaedb91feec83ea6930d

C:\Users\Admin\AppData\Roaming\dfsghjs\uytedew.exe

MD5 4cfc1701fe7974c640796586a7130f70
SHA1 329f3b2b6d4c29c785085178e7ff9c1813839d84
SHA256 1100225cfbdf3ac536e1cc3bc6e77a4ba01a5b2fc582655a3b67c23183c2048c
SHA512 0a280c11af661d006c3041d7819e9b4b3b3541ce0ed4fa54fc06180fa5132722a39c91c6bb334d282e6afea455ebb647bad02bace182f561aead3de468bf68ed

C:\Users\Admin\AppData\Roaming\dfsghjs\uytedew.exe

MD5 4cfc1701fe7974c640796586a7130f70
SHA1 329f3b2b6d4c29c785085178e7ff9c1813839d84
SHA256 1100225cfbdf3ac536e1cc3bc6e77a4ba01a5b2fc582655a3b67c23183c2048c
SHA512 0a280c11af661d006c3041d7819e9b4b3b3541ce0ed4fa54fc06180fa5132722a39c91c6bb334d282e6afea455ebb647bad02bace182f561aead3de468bf68ed

memory/1324-364-0x00000000000D0000-0x00000000001F6000-memory.dmp

memory/1324-365-0x0000000004B10000-0x0000000004B20000-memory.dmp

memory/1324-367-0x0000000004B10000-0x0000000004B20000-memory.dmp

memory/1324-369-0x0000000004B10000-0x0000000004B20000-memory.dmp

memory/1324-372-0x0000000004B10000-0x0000000004B20000-memory.dmp

memory/1324-373-0x0000000004B10000-0x0000000004B20000-memory.dmp

memory/1324-375-0x0000000004B10000-0x0000000004B20000-memory.dmp

memory/1324-377-0x0000000004B10000-0x0000000004B20000-memory.dmp