Malware Analysis Report

2025-08-05 21:34

Sample ID 230329-hxmswsgh2s
Target 4da41093eb4cce80c18d1e6a2391ba80.exe
SHA256 f628532a482840b66c9fdf0ed09de86b63418e1f2cc3bbff139f54482f895d43
Tags: remcos warzonerat sixthclients collection infostealer persistence rat spyware stealer
Score: 10/10

Analysis Overview

Score: 10/10
SHA256: f628532a482840b66c9fdf0ed09de86b63418e1f2cc3bbff139f54482f895d43
Threat Level: Known bad

The file 4da41093eb4cce80c18d1e6a2391ba80.exe was found to be: Known bad.

Malicious Activity Summary

Modifies WinLogon for persistence
WarzoneRat, AveMaria
Remcos
Nirsoft
NirSoft WebBrowserPassView
NirSoft MailPassView
Warzone RAT payload
Checks computer location settings
Reads user/profile data of web browsers
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Accesses Microsoft Outlook accounts
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext
Enumerates physical storage devices
Runs ping.exe
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection

Analysis: static1

Detonation Overview
Reported: 2023-03-29 07:07
Signatures: N/A

Analysis: behavioral1

Detonation Overview
Submitted: 2023-03-29 07:07
Reported: 2023-03-29 07:09
Platform: win7-20230220-en
Max time kernel: 150s
Max time network: 154s

Command Line
"C:\Users\Admin\AppData\Local\Temp\4da41093eb4cce80c18d1e6a2391ba80.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dfsghjs\\uytresdfgh.exe," C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dfsghjs\\uytedew.exe," C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dfsghjs\\iurdsfhgj.exe," C:\Windows\SysWOW64\reg.exe N/A

Remcos

rat remcos

WarzoneRat, AveMaria

rat infostealer warzonerat

NirSoft MailPassView

6 matches (indicator, process and target fields are all N/A in this export)

NirSoft WebBrowserPassView

6 matches (indicator, process and target fields are all N/A in this export)

Nirsoft

18 matches (indicator, process and target fields are all N/A in this export)

Warzone RAT payload

rat
3 matches (indicator, process and target fields are all N/A in this export)

Loads dropped DLL

Process (number of rows; description, indicator and target are N/A for every row)
C:\Users\Admin\AppData\Local\Temp\4da41093eb4cce80c18d1e6a2391ba80.exe x2
C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe x14
C:\Users\Admin\AppData\Local\Temp\fmwrz.exe x2
C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe x7

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe N/A (x3)

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows\CurrentVersion\Run\odsnqyon = "C:\\Users\\Admin\\AppData\\Roaming\\ukyerc\\irsqhssjjf.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\tqchnnl.exe\" C:\\Users\\Admin\\AppData\\Local\\" C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows\CurrentVersion\Run\maoie = "C:\\Users\\Admin\\AppData\\Roaming\\dnetoln\\qiyvhavtewgo.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\ghibzkdm.exe\" C:\\Users\\Admin\\AppData\\Lo" C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe N/A
(Both values are cut off in this export. The visible part of each launches a copy under AppData\Roaming with the Temp executable's path as its first argument.)

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2012 set thread context of 520 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe
PID 520 set thread context of 664 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe
PID 1168 set thread context of 912 N/A C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe
PID 520 set thread context of 532 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe
PID 520 set thread context of 1688 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe
PID 520 set thread context of 1224 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe
PID 520 set thread context of 1824 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe
PID 520 set thread context of 1652 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe
PID 520 set thread context of 1168 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe
PID 520 set thread context of 1440 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe
PID 520 set thread context of 2000 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Process (number of rows; description, indicator and target are N/A for every row)
C:\Users\Admin\AppData\Local\Temp\datxld.exe x2
C:\Users\Admin\AppData\Local\Temp\datrem.exe x31
C:\Users\Admin\AppData\Local\Temp\datorg.exe x31

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\datrem.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target (number of identical rows)
PID 1480 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\4da41093eb4cce80c18d1e6a2391ba80.exe C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe (x4)
PID 2012 wrote to memory of 520 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe (x5)
PID 520 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\fmwrz.exe (x4)
PID 1644 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\fmwrz.exe C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe (x4)
PID 520 wrote to memory of 664 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe (x4)
PID 1168 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe (x5)
PID 520 wrote to memory of 532 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe (x4)
PID 520 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe (x4)
PID 520 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\datorg.exe (x4)
PID 520 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\datxld.exe (x4)
PID 520 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\datrem.exe (x4)
PID 520 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe (x4)
PID 520 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe (x4)
PID 520 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe (x4)
PID 1248 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe C:\Windows\SysWOW64\cmd.exe (x4)
PID 1956 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe C:\Windows\SysWOW64\cmd.exe (x2)
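The SetThreadContext and WriteProcessMemory tables above carry the injection chain only as flat PID pairs. What follows is an added example, not part of the sandbox report: it parses the unique rows from both tables (paths shortened to file names) and labels every parent/child edge. The rule that "a write plus a SetThreadContext into a child of the same image" is a hollowed self-copy is my heuristic, not the sandbox's verdict; the write-only edges are simply the rows for which no context change was recorded.

```python
"""Rebuild the injection chain from the WriteProcessMemory and
SetThreadContext rows of the sandbox report.

Added example, not part of the report. Rows are the unique entries of the
two tables with paths reduced to file names; the hollowing heuristic in
classify() is my own assumption.
"""
import re
from collections import defaultdict

# Constructed from the report's tables (duplicates dropped, basenames only).
EVENTS_TEXT = """
PID 1480 wrote to memory of 2012 N/A 4da41093eb4cce80c18d1e6a2391ba80.exe tqchnnl.exe
PID 2012 wrote to memory of 520 N/A tqchnnl.exe tqchnnl.exe
PID 520 wrote to memory of 1644 N/A tqchnnl.exe fmwrz.exe
PID 1644 wrote to memory of 1168 N/A fmwrz.exe ghibzkdm.exe
PID 520 wrote to memory of 664 N/A tqchnnl.exe tqchnnl.exe
PID 1168 wrote to memory of 912 N/A ghibzkdm.exe ghibzkdm.exe
PID 520 wrote to memory of 532 N/A tqchnnl.exe tqchnnl.exe
PID 520 wrote to memory of 1688 N/A tqchnnl.exe tqchnnl.exe
PID 520 wrote to memory of 1248 N/A tqchnnl.exe datorg.exe
PID 520 wrote to memory of 1956 N/A tqchnnl.exe datxld.exe
PID 520 wrote to memory of 1424 N/A tqchnnl.exe datrem.exe
PID 520 wrote to memory of 1224 N/A tqchnnl.exe tqchnnl.exe
PID 520 wrote to memory of 1824 N/A tqchnnl.exe tqchnnl.exe
PID 520 wrote to memory of 1652 N/A tqchnnl.exe tqchnnl.exe
PID 1248 wrote to memory of 1116 N/A datorg.exe cmd.exe
PID 1956 wrote to memory of 1788 N/A datxld.exe cmd.exe
PID 2012 set thread context of 520 N/A tqchnnl.exe tqchnnl.exe
PID 520 set thread context of 664 N/A tqchnnl.exe tqchnnl.exe
PID 1168 set thread context of 912 N/A ghibzkdm.exe ghibzkdm.exe
PID 520 set thread context of 532 N/A tqchnnl.exe tqchnnl.exe
PID 520 set thread context of 1688 N/A tqchnnl.exe tqchnnl.exe
PID 520 set thread context of 1224 N/A tqchnnl.exe tqchnnl.exe
PID 520 set thread context of 1824 N/A tqchnnl.exe tqchnnl.exe
PID 520 set thread context of 1652 N/A tqchnnl.exe tqchnnl.exe
PID 520 set thread context of 1168 N/A tqchnnl.exe tqchnnl.exe
PID 520 set thread context of 1440 N/A tqchnnl.exe tqchnnl.exe
PID 520 set thread context of 2000 N/A tqchnnl.exe tqchnnl.exe
"""

ROW = re.compile(
    r"PID (\d+) (wrote to memory of|set thread context of) (\d+) N/A (\S+) (\S+)")


def parse_events(text):
    """Return (kind, src_pid, dst_pid, src_image, dst_image) per table row."""
    kinds = {"wrote to memory of": "write", "set thread context of": "setctx"}
    out = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            out.append((kinds[m.group(2)], int(m.group(1)), int(m.group(3)),
                        m.group(4), m.group(5)))
    return out


def classify(events):
    """Label each (src_pid, dst_pid) edge.

    hollow-self   write + SetThreadContext into a child of the same image
                  (RunPE-style self-injection; heuristic)
    hollow-other  write + SetThreadContext into a different image
    write-only    memory written, no context change recorded
    setctx-only   context changed, no write recorded
    """
    kinds, images = defaultdict(set), {}
    for kind, src, dst, src_img, dst_img in events:
        kinds[(src, dst)].add(kind)
        images[(src, dst)] = (src_img, dst_img)
    labels = {}
    for edge, ks in kinds.items():
        src_img, dst_img = images[edge]
        if ks == {"write", "setctx"}:
            labels[edge] = "hollow-self" if src_img == dst_img else "hollow-other"
        elif ks == {"write"}:
            labels[edge] = "write-only"
        else:
            labels[edge] = "setctx-only"
    return labels


def lineage(events, pid):
    """Walk write edges from pid back to the root, e.g. 664 -> [1480, 2012, 520, 664]."""
    parent = {dst: src for kind, src, dst, _, _ in events if kind == "write"}
    chain, seen = [pid], {pid}
    while chain[-1] in parent and parent[chain[-1]] not in seen:
        chain.append(parent[chain[-1]])
        seen.add(chain[-1])
    return chain[::-1]


if __name__ == "__main__":
    evs = parse_events(EVENTS_TEXT)
    for edge, label in sorted(classify(evs).items()):
        print(f"{edge[0]:>5} -> {edge[1]:<5} {label}")
    print("lineage of 664:", " -> ".join(map(str, lineage(evs, 664))))
```

Run as-is, the output shows PID 520 (the second-stage tqchnnl.exe, itself hollowed by 2012) as the hub: eight self-hollowed children, three write-only launches of the datorg/datxld/datrem droppers, and the fmwrz.exe/ghibzkdm.exe side chain that repeats the same pattern.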

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe N/A

Processes (image path, then its command line)

C:\Users\Admin\AppData\Local\Temp\4da41093eb4cce80c18d1e6a2391ba80.exe
    "C:\Users\Admin\AppData\Local\Temp\4da41093eb4cce80c18d1e6a2391ba80.exe"
C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe
    "C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe" C:\Users\Admin\AppData\Local\Temp\smpprgdmyr.v
C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe
    "C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe"
C:\Users\Admin\AppData\Local\Temp\fmwrz.exe
    "C:\Users\Admin\AppData\Local\Temp\fmwrz.exe"
C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe
    "C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe" C:\Users\Admin\AppData\Local\Temp\xaaktctbkvc.h
C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe
    C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe /stext "C:\Users\Admin\AppData\Local\Temp\mdbt"
C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe
    "C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe"
C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe
    C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe /stext "C:\Users\Admin\AppData\Local\Temp\wxgmhpel"
C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe
    C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe /stext "C:\Users\Admin\AppData\Local\Temp\zzmwizofboe"
C:\Users\Admin\AppData\Local\Temp\datorg.exe
    "C:\Users\Admin\AppData\Local\Temp\datorg.exe"
C:\Users\Admin\AppData\Local\Temp\datxld.exe
    "C:\Users\Admin\AppData\Local\Temp\datxld.exe"
C:\Users\Admin\AppData\Local\Temp\datrem.exe
    "C:\Users\Admin\AppData\Local\Temp\datrem.exe"
C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe
    C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe /stext "C:\Users\Admin\AppData\Local\Temp\yxjycxgdyqfqycmbacsfes"
C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe
    C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe /stext "C:\Users\Admin\AppData\Local\Temp\iroqcqqxmyxdaiifrnfgpfwjbu"
C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe
    C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe /stext "C:\Users\Admin\AppData\Local\Temp\tutjdibzagpikxwrbyraskrabause"
C:\Windows\SysWOW64\cmd.exe
    "cmd" /c ping 127.0.0.1 -n 39 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\dfsghjs\iurdsfhgj.exe,"
C:\Windows\SysWOW64\cmd.exe
    "cmd" /c ping 127.0.0.1 -n 36 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\dfsghjs\uytedew.exe,"
C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 39
C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 36
C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe
    C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe /stext "C:\Users\Admin\AppData\Local\Temp\vmwvxzdrlphmv"
C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe
    C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe /stext "C:\Users\Admin\AppData\Local\Temp\fgbnyrokzxzrxzdp"
C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe
    C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe /stext "C:\Users\Admin\AppData\Local\Temp\hiogzjhmnfrwifabwfa"
C:\Windows\SysWOW64\cmd.exe
    "cmd" /c ping 127.0.0.1 -n 37 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\dfsghjs\uytresdfgh.exe,"
C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 37
C:\Windows\SysWOW64\cmd.exe
    "cmd" /c ping 127.0.0.1 -n 41 > nul && copy "C:\Users\Admin\AppData\Local\Temp\datorg.exe" "C:\Users\Admin\AppData\Roaming\dfsghjs\iurdsfhgj.exe" && ping 127.0.0.1 -n 41 > nul && "C:\Users\Admin\AppData\Roaming\dfsghjs\iurdsfhgj.exe"
C:\Windows\SysWOW64\cmd.exe
    "cmd" /c ping 127.0.0.1 -n 41 > nul && copy "C:\Users\Admin\AppData\Local\Temp\datxld.exe" "C:\Users\Admin\AppData\Roaming\dfsghjs\uytedew.exe" && ping 127.0.0.1 -n 41 > nul && "C:\Users\Admin\AppData\Roaming\dfsghjs\uytedew.exe"
C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 41
C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 41
C:\Windows\SysWOW64\cmd.exe
    "cmd" /c ping 127.0.0.1 -n 44 > nul && copy "C:\Users\Admin\AppData\Local\Temp\datrem.exe" "C:\Users\Admin\AppData\Roaming\dfsghjs\uytresdfgh.exe" && ping 127.0.0.1 -n 44 > nul && "C:\Users\Admin\AppData\Roaming\dfsghjs\uytresdfgh.exe"
C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 44
C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\dfsghjs\uytedew.exe,"
C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\dfsghjs\iurdsfhgj.exe,"
C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\dfsghjs\uytresdfgh.exe,"
C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 41
C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 41
C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 44
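Three patterns in the process list above are the ones a responder should key on: nine launches of tqchnnl.exe with NirSoft's /stext switch (save results to a text file) writing into Temp, which is how the MailPassView and WebBrowserPassView signatures fire; cmd chains that use a loopback ping as a sleep before copying a Temp executable into AppData\Roaming\dfsghjs and running it; and REG ADD writes that append those copies to the Winlogon Shell value, so they start with the desktop at every logon. The following is an added example, not part of the sandbox report and not a vendor rule set: a small detector run over command lines copied from the Processes section plus one constructed benign control line. The regexes, the roughly N-1 second delay estimate for "ping -n N" and the "anything other than explorer.exe in Shell is a hijack" test are my assumptions.

```python
"""Flag the persistence and credential-dump patterns in the process list.

Added example, not part of the sandbox report and not a vendor rule.
Command lines are copied from the report's Processes section (plus one
benign control line); regexes and thresholds are my own assumptions.
"""
import re
from dataclasses import dataclass

# Constructed sample: command lines copied from the report, plus a benign
# explorer.exe launch as a control that must produce no finding.
SAMPLE_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe" C:\Users\Admin\AppData\Local\Temp\smpprgdmyr.v',
    r'C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe /stext "C:\Users\Admin\AppData\Local\Temp\mdbt"',
    r'"cmd" /c ping 127.0.0.1 -n 39 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\dfsghjs\iurdsfhgj.exe,"',
    r'"cmd" /c ping 127.0.0.1 -n 41 > nul && copy "C:\Users\Admin\AppData\Local\Temp\datorg.exe" "C:\Users\Admin\AppData\Roaming\dfsghjs\iurdsfhgj.exe" && ping 127.0.0.1 -n 41 > nul && "C:\Users\Admin\AppData\Roaming\dfsghjs\iurdsfhgj.exe"',
    r'REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\dfsghjs\uytedew.exe,"',
    r'ping 127.0.0.1 -n 41',
    r'"C:\Windows\explorer.exe"',
]


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str
    cmdline: str


WINLOGON_KEY = r"software\microsoft\windows nt\currentversion\winlogon"
PING_SLEEP = re.compile(r"ping\s+127\.0\.0\.1\s+-n\s+(\d+)\s*>\s*nul\s*&&", re.I)
STEXT = re.compile(r'\s/stext\s+"?([^"]+)"?', re.I)
COPY_TEMP_TO_ROAMING = re.compile(
    r'copy\s+"([^"]*\\Temp\\[^"]+)"\s+"([^"]*\\Roaming\\[^"]+)"', re.I)


def winlogon_shell_extras(cmd: str):
    """Entries other than explorer.exe written by 'REG ADD ...\\Winlogon /v Shell'.

    Winlogon's Shell value should be exactly 'explorer.exe'; every extra
    comma-separated entry is started alongside the desktop at logon.
    Returns None when the command is not a Winlogon Shell write.
    """
    low = cmd.lower()
    if "reg add" not in low or WINLOGON_KEY not in low:
        return None
    if not re.search(r'/v\s+"?shell"?', low):
        return None
    m = re.search(r'/d\s+"([^"]*)"', cmd, re.I)
    if not m:
        return None
    entries = [e.strip() for e in m.group(1).split(",") if e.strip()]
    return [e for e in entries if e.lower() != "explorer.exe"]


def ping_sleep_seconds(cmd: str) -> int:
    """Approximate stall from 'ping 127.0.0.1 -n N > nul &&' chains.

    Loopback replies are immediate and ping waits about one second between
    requests, so -n N delays the next '&&' command by roughly N-1 seconds.
    A bare ping without a following '&&' is not counted.
    """
    return sum(max(int(n) - 1, 0) for n in PING_SLEEP.findall(cmd))


def nirsoft_stext_target(cmd: str):
    """Output path of NirSoft's '/stext <file>' (save results as text) switch."""
    m = STEXT.search(cmd)
    return m.group(1).strip() if m else None


def temp_to_roaming_copy(cmd: str):
    """(src, dst, executed): a Temp executable copied into Roaming, and
    whether the copy is launched later in the same command chain."""
    m = COPY_TEMP_TO_ROAMING.search(cmd)
    if not m:
        return None
    src, dst = m.group(1), m.group(2)
    executed = f'"{dst}"' in cmd[m.end():]
    return src, dst, executed


def scan(cmdlines) -> list:
    """Run every detector over each command line and collect the findings."""
    findings = []
    for cmd in cmdlines:
        secs = ping_sleep_seconds(cmd)
        if secs:
            findings.append(Finding("ping_sleep", f"~{secs}s delay before next command", cmd))
        extras = winlogon_shell_extras(cmd)
        if extras:
            findings.append(Finding("winlogon_shell", "; ".join(extras), cmd))
        target = nirsoft_stext_target(cmd)
        if target:
            findings.append(Finding("nirsoft_stext", target, cmd))
        copied = temp_to_roaming_copy(cmd)
        if copied:
            src, dst, ran = copied
            findings.append(Finding("temp_to_roaming", f"{src} -> {dst} (executed={ran})", cmd))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_CMDLINES):
        print(f"[{f.rule}] {f.detail}")
```

The same four checks translate directly to EDR process-creation telemetry: the ping_sleep and temp_to_roaming rules fire on the cmd.exe command line, winlogon_shell on the reg.exe child, and nirsoft_stext on the hollowed tqchnnl.exe copies. The standalone "ping 127.0.0.1 -n 41" children are deliberately ignored, since they are only the side effect of the parent chain.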

Network (identical rows collapsed; last column is the number of rows)

Country Destination Domain Proto Count
US 8.8.8.8:53 top.not2beabused01.xyz udp 1
CA 38.117.65.122:1558 top.not2beabused01.xyz tcp 8
US 8.8.8.8:53 geoplugin.net udp 1
NL 178.237.33.50:80 geoplugin.net tcp 1
CA 38.117.65.122:1668 top.not2beabused01.xyz tcp 1
US 8.8.8.8:53 microsoft.com udp 1
US 20.112.52.29:80 microsoft.com tcp 1

Files (entries with the same path and hashes collapsed; the count is the number of times the entry appears in the export)

C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe (x7, also listed as \Users\Admin\AppData\Local\Temp\tqchnnl.exe)

MD5 78d3f22fed32bf75725573cf8df7d666
SHA1 2e0c049c4b58a7db1259bfa7023473ebe6785025
SHA256 4a6d211f626c08754049b36707cbb5316d4f8fc5a3e4cfbf28616ed1c39f66c0
SHA512 bf01b209f4d3ba488a798a65a9d346bba04343d5a694619c350a3eff660a507c28fc63bf0464668118b26777945f1d0216659798baabaabb1d77d535cb02668c

C:\Users\Admin\AppData\Local\Temp\smpprgdmyr.v

MD5 8bba552e868d530af56dadd00d38ce78
SHA1 e8f76dd15c91b3c42d42ce83a06c299d900cedf6
SHA256 dd99bf95cbfb93c236cdfe239dddce5aa54f6355a50a7b2ed7606afd00958b9b
SHA512 ff8fe38ed26720865f57fa69a9dd3806109cb688ea22e38ff44ca05f6a7d95795705ac2ccff1e7eb964696a0a0843b370fe76c96373a580ef66ada63054ce35f

C:\Users\Admin\AppData\Local\Temp\wahquzerdw.vl

MD5 b8e0694c7d8f49c6bab7b2f38a068cc7
SHA1 b19f8174f08d3e844b5ae2e74cb6eb7a7e6f7923
SHA256 6a0e2c58b2be31c768cd2dd0236ebef7d8ef9839c6398931f6f9b9a20b62dd4c
SHA512 ead2ee5aeec1a2df1d244b8b5502bc0e84e85c5024602fb9cc4e3b09f687e9af77c2427d6e59661319217306494d50ea77d623b18e586baebeecc7b72a05c14f

memory/520-<n>-0x0000000000400000-0x0000000000480000-memory.dmp (18 dumps; n = 69, 73, 74, 76, 77, 79, 80, 82, 83, 84, 85, 86, 88, 89, 92, 94, 95, 102)

All 18 dumps cover the same 0x400000-0x480000 range of PID 520, the tqchnnl.exe child that PID 2012 wrote to and whose thread context it reset (see the SetThreadContext and WriteProcessMemory tables). 0x400000 is the default 32-bit image base, so these snapshots are the natural place to carve the unpacked payload from.

C:\Users\Admin\AppData\Local\Temp\fmwrz.exe (x3, also listed as \Users\Admin\AppData\Local\Temp\fmwrz.exe)

MD5 a3a47448f45b0374c3cde59e1a7bfb0d
SHA1 e00b404f1a143c99e1cf095ef27678022539be43
SHA256 9b1cd01f7d8e52a581fa6d6b2fd0dbb61361c3e6bda603f0f5fded0f938ada10
SHA512 cc70d6c4829a13a7b5819c6924d0309beb083131c59d8cb3e81f13b1bc38d02413f48447064b7f5948bdb2d162c450863c9bc0c47f51735375264d31bbc48dd4

C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe (x3, also listed as \Users\Admin\AppData\Local\Temp\ghibzkdm.exe)

MD5 fb4d8f685c26d5958cb092ef90cc8e7f
SHA1 accfc973351957db7fe4584e24c3989b5df8d3b9
SHA256 b78e622cab41dcf6e311a6d53dc1325d6e1851526baf036f9cbd5168000b8901
SHA512 89878fa3efba0cb880d8973085b69eea0733260fc7fe6d3b276b33259cf99243363010d7dd753b98d629271834e2cf310bec514db0e1ea8a50d1aba3d200f4e3

C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe

MD5 fb4d8f685c26d5958cb092ef90cc8e7f
SHA1 accfc973351957db7fe4584e24c3989b5df8d3b9
SHA256 b78e622cab41dcf6e311a6d53dc1325d6e1851526baf036f9cbd5168000b8901
SHA512 89878fa3efba0cb880d8973085b69eea0733260fc7fe6d3b276b33259cf99243363010d7dd753b98d629271834e2cf310bec514db0e1ea8a50d1aba3d200f4e3

C:\Users\Admin\AppData\Local\Temp\xaaktctbkvc.h

MD5 bab85673afd9040f8fffe381439cf5cc
SHA1 8d13dfa7f0047acb464e3ed534580c60bdabed6b
SHA256 76aee090b77973c9e217601cd168c181c0e4639b2073a0f52db7eb5c32fa77c2
SHA512 df2694645b1ed4d2e9b2ffb901cb0d0af8ac192665c81214bbc8157fab7b6b5fe7203d8f6ebdbe070796ff6185c3535efed97a515f7ed413c0f7f689d1b0f16c

C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe

MD5 fb4d8f685c26d5958cb092ef90cc8e7f
SHA1 accfc973351957db7fe4584e24c3989b5df8d3b9
SHA256 b78e622cab41dcf6e311a6d53dc1325d6e1851526baf036f9cbd5168000b8901
SHA512 89878fa3efba0cb880d8973085b69eea0733260fc7fe6d3b276b33259cf99243363010d7dd753b98d629271834e2cf310bec514db0e1ea8a50d1aba3d200f4e3

C:\Users\Admin\AppData\Local\Temp\tmbugjrwpz.kh

MD5 12c7d6f0b173d7d369ae8bf93dd1c384
SHA1 bcb512d7fe890bb980206788d15c494ca02ede8a
SHA256 ae4add2b61f783f6d4faa3216ff68960302f76230ef0a371edf6778188bf86f3
SHA512 53e8b9337544218ab38f319d34752161ad974db1b370dae10786695554d0541dc21209e48c819b5e9e48f339e0afa843d750e8e5105e5abf18aa84e7bb3c24be

\Users\Admin\AppData\Local\Temp\ghibzkdm.exe

MD5 fb4d8f685c26d5958cb092ef90cc8e7f
SHA1 accfc973351957db7fe4584e24c3989b5df8d3b9
SHA256 b78e622cab41dcf6e311a6d53dc1325d6e1851526baf036f9cbd5168000b8901
SHA512 89878fa3efba0cb880d8973085b69eea0733260fc7fe6d3b276b33259cf99243363010d7dd753b98d629271834e2cf310bec514db0e1ea8a50d1aba3d200f4e3

memory/912-121-0x0000000000400000-0x000000000055C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe

MD5 78d3f22fed32bf75725573cf8df7d666
SHA1 2e0c049c4b58a7db1259bfa7023473ebe6785025
SHA256 4a6d211f626c08754049b36707cbb5316d4f8fc5a3e4cfbf28616ed1c39f66c0
SHA512 bf01b209f4d3ba488a798a65a9d346bba04343d5a694619c350a3eff660a507c28fc63bf0464668118b26777945f1d0216659798baabaabb1d77d535cb02668c

C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe

MD5 fb4d8f685c26d5958cb092ef90cc8e7f
SHA1 accfc973351957db7fe4584e24c3989b5df8d3b9
SHA256 b78e622cab41dcf6e311a6d53dc1325d6e1851526baf036f9cbd5168000b8901
SHA512 89878fa3efba0cb880d8973085b69eea0733260fc7fe6d3b276b33259cf99243363010d7dd753b98d629271834e2cf310bec514db0e1ea8a50d1aba3d200f4e3

memory/664-119-0x0000000000400000-0x0000000000478000-memory.dmp

\Users\Admin\AppData\Local\Temp\tqchnnl.exe

MD5 78d3f22fed32bf75725573cf8df7d666
SHA1 2e0c049c4b58a7db1259bfa7023473ebe6785025
SHA256 4a6d211f626c08754049b36707cbb5316d4f8fc5a3e4cfbf28616ed1c39f66c0
SHA512 bf01b209f4d3ba488a798a65a9d346bba04343d5a694619c350a3eff660a507c28fc63bf0464668118b26777945f1d0216659798baabaabb1d77d535cb02668c

\Users\Admin\AppData\Local\Temp\tqchnnl.exe

MD5 78d3f22fed32bf75725573cf8df7d666
SHA1 2e0c049c4b58a7db1259bfa7023473ebe6785025
SHA256 4a6d211f626c08754049b36707cbb5316d4f8fc5a3e4cfbf28616ed1c39f66c0
SHA512 bf01b209f4d3ba488a798a65a9d346bba04343d5a694619c350a3eff660a507c28fc63bf0464668118b26777945f1d0216659798baabaabb1d77d535cb02668c

memory/532-130-0x0000000000400000-0x0000000000457000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe

MD5 78d3f22fed32bf75725573cf8df7d666
SHA1 2e0c049c4b58a7db1259bfa7023473ebe6785025
SHA256 4a6d211f626c08754049b36707cbb5316d4f8fc5a3e4cfbf28616ed1c39f66c0
SHA512 bf01b209f4d3ba488a798a65a9d346bba04343d5a694619c350a3eff660a507c28fc63bf0464668118b26777945f1d0216659798baabaabb1d77d535cb02668c

memory/532-135-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1688-134-0x0000000000400000-0x0000000000424000-memory.dmp

\Users\Admin\AppData\Local\Temp\tqchnnl.exe

MD5 78d3f22fed32bf75725573cf8df7d666
SHA1 2e0c049c4b58a7db1259bfa7023473ebe6785025
SHA256 4a6d211f626c08754049b36707cbb5316d4f8fc5a3e4cfbf28616ed1c39f66c0
SHA512 bf01b209f4d3ba488a798a65a9d346bba04343d5a694619c350a3eff660a507c28fc63bf0464668118b26777945f1d0216659798baabaabb1d77d535cb02668c

memory/532-136-0x0000000000400000-0x0000000000457000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe

MD5 78d3f22fed32bf75725573cf8df7d666
SHA1 2e0c049c4b58a7db1259bfa7023473ebe6785025
SHA256 4a6d211f626c08754049b36707cbb5316d4f8fc5a3e4cfbf28616ed1c39f66c0
SHA512 bf01b209f4d3ba488a798a65a9d346bba04343d5a694619c350a3eff660a507c28fc63bf0464668118b26777945f1d0216659798baabaabb1d77d535cb02668c

memory/1688-139-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1688-140-0x0000000000400000-0x0000000000424000-memory.dmp

memory/532-141-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1688-142-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1688-143-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1688-144-0x0000000000400000-0x0000000000424000-memory.dmp

memory/912-146-0x0000000000400000-0x000000000055C000-memory.dmp

\Users\Admin\AppData\Local\Temp\datxld.exe

MD5 4cfc1701fe7974c640796586a7130f70
SHA1 329f3b2b6d4c29c785085178e7ff9c1813839d84
SHA256 1100225cfbdf3ac536e1cc3bc6e77a4ba01a5b2fc582655a3b67c23183c2048c
SHA512 0a280c11af661d006c3041d7819e9b4b3b3541ce0ed4fa54fc06180fa5132722a39c91c6bb334d282e6afea455ebb647bad02bace182f561aead3de468bf68ed

\Users\Admin\AppData\Local\Temp\datorg.exe

MD5 8b0e574f3db376044a84cb315777dd80
SHA1 95a9baee9753204301faba46444cde42f724c1d6
SHA256 adbe453aa3a0209fc356b1fd2ceaad057f5ff3a82fa54b0b0cf49d2c4788d263
SHA512 d95d77fcd16d26c84e80697b109b9fbab2f8a7eb8ef3f10f463319ff193647e280ddc061506645c449a6c365aa5856e178fa4791242c5638be6f469a4b93b7ea

C:\Users\Admin\AppData\Local\Temp\datxld.exe

MD5 4cfc1701fe7974c640796586a7130f70
SHA1 329f3b2b6d4c29c785085178e7ff9c1813839d84
SHA256 1100225cfbdf3ac536e1cc3bc6e77a4ba01a5b2fc582655a3b67c23183c2048c
SHA512 0a280c11af661d006c3041d7819e9b4b3b3541ce0ed4fa54fc06180fa5132722a39c91c6bb334d282e6afea455ebb647bad02bace182f561aead3de468bf68ed

C:\Users\Admin\AppData\Local\Temp\datorg.exe

MD5 8b0e574f3db376044a84cb315777dd80
SHA1 95a9baee9753204301faba46444cde42f724c1d6
SHA256 adbe453aa3a0209fc356b1fd2ceaad057f5ff3a82fa54b0b0cf49d2c4788d263
SHA512 d95d77fcd16d26c84e80697b109b9fbab2f8a7eb8ef3f10f463319ff193647e280ddc061506645c449a6c365aa5856e178fa4791242c5638be6f469a4b93b7ea

memory/520-159-0x0000000000400000-0x0000000000480000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\datorg.exe

MD5 8b0e574f3db376044a84cb315777dd80
SHA1 95a9baee9753204301faba46444cde42f724c1d6
SHA256 adbe453aa3a0209fc356b1fd2ceaad057f5ff3a82fa54b0b0cf49d2c4788d263
SHA512 d95d77fcd16d26c84e80697b109b9fbab2f8a7eb8ef3f10f463319ff193647e280ddc061506645c449a6c365aa5856e178fa4791242c5638be6f469a4b93b7ea

C:\Users\Admin\AppData\Local\Temp\datxld.exe

MD5 4cfc1701fe7974c640796586a7130f70
SHA1 329f3b2b6d4c29c785085178e7ff9c1813839d84
SHA256 1100225cfbdf3ac536e1cc3bc6e77a4ba01a5b2fc582655a3b67c23183c2048c
SHA512 0a280c11af661d006c3041d7819e9b4b3b3541ce0ed4fa54fc06180fa5132722a39c91c6bb334d282e6afea455ebb647bad02bace182f561aead3de468bf68ed

memory/912-163-0x0000000000400000-0x000000000055C000-memory.dmp

memory/1248-164-0x00000000000F0000-0x0000000000210000-memory.dmp

memory/1956-165-0x00000000010F0000-0x0000000001216000-memory.dmp

\Users\Admin\AppData\Local\Temp\datrem.exe

MD5 96ab89f81c025afe746d86333ce945f7
SHA1 d88cf814dbf9236c51b6a2914212765d289b2e8b
SHA256 c8a73b8edabb6fb2597a642abb53b5a33aca53cf494a8b9b35a2dd020744d27b
SHA512 f9a68e6f174c022fc67c58cd6f172f633111af38765b81e6b578dae89f90cbc18c3d77c47dff4d3e166f59b5574fff30316991275c31aaedb91feec83ea6930d

C:\Users\Admin\AppData\Local\Temp\datrem.exe

MD5 96ab89f81c025afe746d86333ce945f7
SHA1 d88cf814dbf9236c51b6a2914212765d289b2e8b
SHA256 c8a73b8edabb6fb2597a642abb53b5a33aca53cf494a8b9b35a2dd020744d27b
SHA512 f9a68e6f174c022fc67c58cd6f172f633111af38765b81e6b578dae89f90cbc18c3d77c47dff4d3e166f59b5574fff30316991275c31aaedb91feec83ea6930d

C:\Users\Admin\AppData\Local\Temp\datrem.exe

MD5 96ab89f81c025afe746d86333ce945f7
SHA1 d88cf814dbf9236c51b6a2914212765d289b2e8b
SHA256 c8a73b8edabb6fb2597a642abb53b5a33aca53cf494a8b9b35a2dd020744d27b
SHA512 f9a68e6f174c022fc67c58cd6f172f633111af38765b81e6b578dae89f90cbc18c3d77c47dff4d3e166f59b5574fff30316991275c31aaedb91feec83ea6930d

memory/520-173-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1424-174-0x0000000000D70000-0x0000000000F02000-memory.dmp

memory/1248-176-0x0000000000530000-0x000000000057A000-memory.dmp

memory/1248-178-0x0000000004E70000-0x0000000004EB0000-memory.dmp

memory/1956-179-0x0000000004D40000-0x0000000004D80000-memory.dmp

memory/1424-180-0x0000000004F10000-0x0000000004F50000-memory.dmp

memory/532-181-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1424-183-0x0000000000390000-0x00000000003A8000-memory.dmp

memory/1248-184-0x0000000004E70000-0x0000000004EB0000-memory.dmp

memory/1956-185-0x0000000004D40000-0x0000000004D80000-memory.dmp

memory/1424-186-0x0000000004F10000-0x0000000004F50000-memory.dmp

memory/520-189-0x0000000000400000-0x0000000000480000-memory.dmp

\Users\Admin\AppData\Local\Temp\tqchnnl.exe

MD5 78d3f22fed32bf75725573cf8df7d666
SHA1 2e0c049c4b58a7db1259bfa7023473ebe6785025
SHA256 4a6d211f626c08754049b36707cbb5316d4f8fc5a3e4cfbf28616ed1c39f66c0
SHA512 bf01b209f4d3ba488a798a65a9d346bba04343d5a694619c350a3eff660a507c28fc63bf0464668118b26777945f1d0216659798baabaabb1d77d535cb02668c

C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe

MD5 78d3f22fed32bf75725573cf8df7d666
SHA1 2e0c049c4b58a7db1259bfa7023473ebe6785025
SHA256 4a6d211f626c08754049b36707cbb5316d4f8fc5a3e4cfbf28616ed1c39f66c0
SHA512 bf01b209f4d3ba488a798a65a9d346bba04343d5a694619c350a3eff660a507c28fc63bf0464668118b26777945f1d0216659798baabaabb1d77d535cb02668c

memory/1224-203-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1956-199-0x0000000004D40000-0x0000000004D80000-memory.dmp

memory/1248-204-0x0000000004E70000-0x0000000004EB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe

MD5 78d3f22fed32bf75725573cf8df7d666
SHA1 2e0c049c4b58a7db1259bfa7023473ebe6785025
SHA256 4a6d211f626c08754049b36707cbb5316d4f8fc5a3e4cfbf28616ed1c39f66c0
SHA512 bf01b209f4d3ba488a798a65a9d346bba04343d5a694619c350a3eff660a507c28fc63bf0464668118b26777945f1d0216659798baabaabb1d77d535cb02668c

memory/1224-212-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1824-214-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1652-217-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1824-215-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1224-207-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe

MD5 78d3f22fed32bf75725573cf8df7d666
SHA1 2e0c049c4b58a7db1259bfa7023473ebe6785025
SHA256 4a6d211f626c08754049b36707cbb5316d4f8fc5a3e4cfbf28616ed1c39f66c0
SHA512 bf01b209f4d3ba488a798a65a9d346bba04343d5a694619c350a3eff660a507c28fc63bf0464668118b26777945f1d0216659798baabaabb1d77d535cb02668c

\Users\Admin\AppData\Local\Temp\tqchnnl.exe

MD5 78d3f22fed32bf75725573cf8df7d666
SHA1 2e0c049c4b58a7db1259bfa7023473ebe6785025
SHA256 4a6d211f626c08754049b36707cbb5316d4f8fc5a3e4cfbf28616ed1c39f66c0
SHA512 bf01b209f4d3ba488a798a65a9d346bba04343d5a694619c350a3eff660a507c28fc63bf0464668118b26777945f1d0216659798baabaabb1d77d535cb02668c

memory/1224-197-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1424-196-0x0000000004F10000-0x0000000004F50000-memory.dmp

\Users\Admin\AppData\Local\Temp\tqchnnl.exe

MD5 78d3f22fed32bf75725573cf8df7d666
SHA1 2e0c049c4b58a7db1259bfa7023473ebe6785025
SHA256 4a6d211f626c08754049b36707cbb5316d4f8fc5a3e4cfbf28616ed1c39f66c0
SHA512 bf01b209f4d3ba488a798a65a9d346bba04343d5a694619c350a3eff660a507c28fc63bf0464668118b26777945f1d0216659798baabaabb1d77d535cb02668c

memory/520-219-0x0000000000400000-0x0000000000480000-memory.dmp

C:\Users\Admin\AppData\Roaming\Appsync\logs.dat

MD5 8507fd584151d5ed01bd336fe4d030ef
SHA1 d6106e51196a5347cbe7b5d28ab28813dfd02556
SHA256 bc58d041af6c0942c967f2d4c54bc9bb876df60d9dea391337c4f310106db8c3
SHA512 1b48d380cea9945ef03ee875cc0cde3caf3426d9d744f681ec62d913e5da90e398f1656da2eda49968c84bd88928c1c4a37aa12d3c915643fb73b757714be22e

memory/1424-230-0x0000000004F10000-0x0000000004F50000-memory.dmp

memory/1956-229-0x0000000004D40000-0x0000000004D80000-memory.dmp

memory/1248-228-0x0000000004E70000-0x0000000004EB0000-memory.dmp

\Users\Admin\AppData\Local\Temp\tqchnnl.exe

MD5 78d3f22fed32bf75725573cf8df7d666
SHA1 2e0c049c4b58a7db1259bfa7023473ebe6785025
SHA256 4a6d211f626c08754049b36707cbb5316d4f8fc5a3e4cfbf28616ed1c39f66c0
SHA512 bf01b209f4d3ba488a798a65a9d346bba04343d5a694619c350a3eff660a507c28fc63bf0464668118b26777945f1d0216659798baabaabb1d77d535cb02668c

\Users\Admin\AppData\Local\Temp\tqchnnl.exe

MD5 78d3f22fed32bf75725573cf8df7d666
SHA1 2e0c049c4b58a7db1259bfa7023473ebe6785025
SHA256 4a6d211f626c08754049b36707cbb5316d4f8fc5a3e4cfbf28616ed1c39f66c0
SHA512 bf01b209f4d3ba488a798a65a9d346bba04343d5a694619c350a3eff660a507c28fc63bf0464668118b26777945f1d0216659798baabaabb1d77d535cb02668c

C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe

MD5 78d3f22fed32bf75725573cf8df7d666
SHA1 2e0c049c4b58a7db1259bfa7023473ebe6785025
SHA256 4a6d211f626c08754049b36707cbb5316d4f8fc5a3e4cfbf28616ed1c39f66c0
SHA512 bf01b209f4d3ba488a798a65a9d346bba04343d5a694619c350a3eff660a507c28fc63bf0464668118b26777945f1d0216659798baabaabb1d77d535cb02668c

\Users\Admin\AppData\Local\Temp\tqchnnl.exe

MD5 78d3f22fed32bf75725573cf8df7d666
SHA1 2e0c049c4b58a7db1259bfa7023473ebe6785025
SHA256 4a6d211f626c08754049b36707cbb5316d4f8fc5a3e4cfbf28616ed1c39f66c0
SHA512 bf01b209f4d3ba488a798a65a9d346bba04343d5a694619c350a3eff660a507c28fc63bf0464668118b26777945f1d0216659798baabaabb1d77d535cb02668c

C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe

MD5 78d3f22fed32bf75725573cf8df7d666
SHA1 2e0c049c4b58a7db1259bfa7023473ebe6785025
SHA256 4a6d211f626c08754049b36707cbb5316d4f8fc5a3e4cfbf28616ed1c39f66c0
SHA512 bf01b209f4d3ba488a798a65a9d346bba04343d5a694619c350a3eff660a507c28fc63bf0464668118b26777945f1d0216659798baabaabb1d77d535cb02668c

memory/1168-248-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1440-251-0x0000000000400000-0x0000000000457000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe

MD5 78d3f22fed32bf75725573cf8df7d666
SHA1 2e0c049c4b58a7db1259bfa7023473ebe6785025
SHA256 4a6d211f626c08754049b36707cbb5316d4f8fc5a3e4cfbf28616ed1c39f66c0
SHA512 bf01b209f4d3ba488a798a65a9d346bba04343d5a694619c350a3eff660a507c28fc63bf0464668118b26777945f1d0216659798baabaabb1d77d535cb02668c

memory/2000-255-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1248-256-0x0000000004E70000-0x0000000004EB0000-memory.dmp

memory/1956-257-0x0000000004D40000-0x0000000004D80000-memory.dmp

memory/1424-258-0x0000000004F10000-0x0000000004F50000-memory.dmp

memory/1956-260-0x0000000004D40000-0x0000000004D80000-memory.dmp

memory/1424-269-0x0000000004F10000-0x0000000004F50000-memory.dmp

memory/1248-270-0x0000000004E70000-0x0000000004EB0000-memory.dmp

memory/1224-278-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1168-277-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vmwvxzdrlphmv

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/520-287-0x0000000010000000-0x0000000010019000-memory.dmp

memory/1248-288-0x0000000004E70000-0x0000000004EB0000-memory.dmp

memory/1956-289-0x0000000004D40000-0x0000000004D80000-memory.dmp

memory/1424-298-0x0000000004F10000-0x0000000004F50000-memory.dmp

memory/1248-306-0x0000000004E70000-0x0000000004EB0000-memory.dmp

memory/1956-307-0x0000000004D40000-0x0000000004D80000-memory.dmp

memory/1424-311-0x0000000004F10000-0x0000000004F50000-memory.dmp

memory/912-329-0x0000000008630000-0x00000000086D7000-memory.dmp

\Users\Admin\AppData\Local\Temp\msvcp140.dll

MD5 109f0f02fd37c84bfc7508d4227d7ed5
SHA1 ef7420141bb15ac334d3964082361a460bfdb975
SHA256 334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4
SHA512 46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

\Users\Admin\AppData\Local\Temp\vcruntime140.dll

MD5 7587bf9cb4147022cd5681b015183046
SHA1 f2106306a8f6f0da5afb7fc765cfa0757ad5a628
SHA256 c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d
SHA512 0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

\Users\Admin\AppData\Local\Temp\mozglue.dll

MD5 75f8cc548cabf0cc800c25047e4d3124
SHA1 602676768f9faecd35b48c38a0632781dfbde10c
SHA256 fb419a60305f17359e2ac0510233ee80e845885eee60607715c67dd88e501ef0
SHA512 ed831c9c769aef3be253c52542cf032afa0a8fa5fe25ca704db65ee6883c608220df7102ac2b99ee9c2e599a0f5db99fd86894a4b169e68440eb1b0d0012672f

\Users\Admin\AppData\Local\Temp\nss3.dll

MD5 d7858e8449004e21b01d468e9fd04b82
SHA1 9524352071ede21c167e7e4f106e9526dc23ef4e
SHA256 78758bf7f3b3b5e3477e38354acd32d787bc1286c8bd9b873471b9c195e638db
SHA512 1e2c981e6c0ca36c60c6e9cae9548b866d5c524df837095b30d618d9c322def7134c20de820105400dd1b58076b66d90274f67773ac6ba914f611b419babb440

\Users\Admin\AppData\Local\Temp\softokn3.dll

MD5 471c983513694ac3002590345f2be0da
SHA1 6612b9af4ff6830fa9b7d4193078434ef72f775b
SHA256 bb3ff746471116c6ad0339fa0522aa2a44a787e33a29c7b27649a054ecd4d00f
SHA512 a9b0fb923bc3b567e933de10b141a3e9213640e3d790b4c4d753cf220d55593ae8026102909969ba6bfc22da3b2fcd01e30a9f5a74bd14a0fdec9beaf0fb1410

\Users\Admin\AppData\Local\Temp\freebl3.dll

MD5 ef12ab9d0b231b8f898067b2114b1bc0
SHA1 6d90f27b2105945f9bb77039e8b892070a5f9442
SHA256 2b00fc4f541ac10c94e3556ff28e30a801811c36422546a546a445aca3f410f7
SHA512 2aa62bfba556ad8f042942dd25aa071ff6677c257904377c1ec956fd9e862abcbf379e0cfd8c630c303a32ece75618c24e3eef58bddb705c427985b944689193

C:\Users\Admin\AppData\Roaming\dfsghjs\uytedew.exe

MD5 4cfc1701fe7974c640796586a7130f70
SHA1 329f3b2b6d4c29c785085178e7ff9c1813839d84
SHA256 1100225cfbdf3ac536e1cc3bc6e77a4ba01a5b2fc582655a3b67c23183c2048c
SHA512 0a280c11af661d006c3041d7819e9b4b3b3541ce0ed4fa54fc06180fa5132722a39c91c6bb334d282e6afea455ebb647bad02bace182f561aead3de468bf68ed

C:\Users\Admin\AppData\Roaming\dfsghjs\iurdsfhgj.exe

MD5 8b0e574f3db376044a84cb315777dd80
SHA1 95a9baee9753204301faba46444cde42f724c1d6
SHA256 adbe453aa3a0209fc356b1fd2ceaad057f5ff3a82fa54b0b0cf49d2c4788d263
SHA512 d95d77fcd16d26c84e80697b109b9fbab2f8a7eb8ef3f10f463319ff193647e280ddc061506645c449a6c365aa5856e178fa4791242c5638be6f469a4b93b7ea

C:\Users\Admin\AppData\Roaming\dfsghjs\uytresdfgh.exe

MD5 96ab89f81c025afe746d86333ce945f7
SHA1 d88cf814dbf9236c51b6a2914212765d289b2e8b
SHA256 c8a73b8edabb6fb2597a642abb53b5a33aca53cf494a8b9b35a2dd020744d27b
SHA512 f9a68e6f174c022fc67c58cd6f172f633111af38765b81e6b578dae89f90cbc18c3d77c47dff4d3e166f59b5574fff30316991275c31aaedb91feec83ea6930d

Analysis: behavioral2

Detonation Overview

Submitted

2023-03-29 07:07

Reported

2023-03-29 07:09

Platform

win10v2004-20230220-en

Max time kernel

153s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4da41093eb4cce80c18d1e6a2391ba80.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dfsghjs\\uytedew.exe," C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dfsghjs\\iurdsfhgj.exe," C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dfsghjs\\uytresdfgh.exe," C:\Windows\SysWOW64\reg.exe N/A

Remcos

rat remcos

WarzoneRat, AveMaria

rat infostealer warzonerat

NirSoft MailPassView

NirSoft WebBrowserPassView

Nirsoft

Warzone RAT payload

rat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maoie = "C:\\Users\\Admin\\AppData\\Roaming\\dnetoln\\qiyvhavtewgo.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\ghibzkdm.exe\" C:\\Users\\Admin\\AppData\\Lo" C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\odsnqyon = "C:\\Users\\Admin\\AppData\\Roaming\\ukyerc\\irsqhssjjf.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\tqchnnl.exe\" C:\\Users\\Admin\\AppData\\Local\\" C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datrem.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datrem.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datrem.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datrem.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datrem.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datrem.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datrem.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\datrem.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\dfsghjs\uytresdfgh.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\dfsghjs\iurdsfhgj.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\dfsghjs\uytedew.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1288 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\4da41093eb4cce80c18d1e6a2391ba80.exe C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe
PID 1288 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\4da41093eb4cce80c18d1e6a2391ba80.exe C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe
PID 1288 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\4da41093eb4cce80c18d1e6a2391ba80.exe C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe
PID 1924 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe
PID 1924 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe
PID 1924 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe
PID 1924 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe
PID 1892 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe
PID 1892 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe
PID 1892 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe
PID 1892 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe
PID 1892 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe
PID 1892 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe
PID 1892 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe
PID 1892 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe
PID 1892 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe
PID 1892 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\fmwrz.exe
PID 1892 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\fmwrz.exe
PID 1892 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\fmwrz.exe
PID 2176 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\fmwrz.exe C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe
PID 2176 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\fmwrz.exe C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe
PID 2176 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\fmwrz.exe C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe
PID 2144 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe
PID 2144 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe
PID 2144 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe
PID 2144 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe
PID 1892 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\datxld.exe
PID 1892 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\datxld.exe
PID 1892 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\datxld.exe
PID 1892 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\datorg.exe
PID 1892 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\datorg.exe
PID 1892 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\datorg.exe
PID 1892 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\datrem.exe
PID 1892 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\datrem.exe
PID 1892 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\datrem.exe
PID 4708 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe C:\Windows\SysWOW64\cmd.exe
PID 4708 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe C:\Windows\SysWOW64\cmd.exe
PID 4708 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe C:\Windows\SysWOW64\cmd.exe
PID 4760 wrote to memory of 672 N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe C:\Windows\SysWOW64\cmd.exe
PID 4760 wrote to memory of 672 N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe C:\Windows\SysWOW64\cmd.exe
PID 4760 wrote to memory of 672 N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe C:\Windows\SysWOW64\cmd.exe
PID 1640 wrote to memory of 1176 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1640 wrote to memory of 1176 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1640 wrote to memory of 1176 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 672 wrote to memory of 2548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 672 wrote to memory of 2548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 672 wrote to memory of 2548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4372 wrote to memory of 3760 N/A C:\Users\Admin\AppData\Local\Temp\datrem.exe C:\Windows\SysWOW64\cmd.exe
PID 4372 wrote to memory of 3760 N/A C:\Users\Admin\AppData\Local\Temp\datrem.exe C:\Windows\SysWOW64\cmd.exe
PID 4372 wrote to memory of 3760 N/A C:\Users\Admin\AppData\Local\Temp\datrem.exe C:\Windows\SysWOW64\cmd.exe
PID 3760 wrote to memory of 2468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3760 wrote to memory of 2468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3760 wrote to memory of 2468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4708 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe C:\Windows\SysWOW64\cmd.exe
PID 4708 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe C:\Windows\SysWOW64\cmd.exe
PID 4708 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe C:\Windows\SysWOW64\cmd.exe
PID 4740 wrote to memory of 2004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4740 wrote to memory of 2004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4740 wrote to memory of 2004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4760 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe C:\Windows\SysWOW64\cmd.exe
PID 4760 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe C:\Windows\SysWOW64\cmd.exe
PID 4760 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe C:\Windows\SysWOW64\cmd.exe
PID 4636 wrote to memory of 3432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4636 wrote to memory of 3432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
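
The rows above are the raw WriteProcessMemory log. Read as a graph they give the spawn and injection chain, which is easier to see than in the flat table. The following Python is an added example, not part of the sandbox report: it parses a copied subset of these rows, rebuilds who wrote into whom, walks the chain from the outermost writer in the subset down to PING.EXE, and separates same-image writes (the process-hollowing pattern that pairs with the "Suspicious use of SetThreadContext" signature) from writes into freshly dropped binaries. The row layout it parses is assumed to be exactly the one shown above; the function names are this example's own.

```python
"""Rebuild the injection / spawn chain from sandbox 'wrote to memory of' events.

Added example for this report, not sandbox output. The event lines below are
copied verbatim from the WriteProcessMemory table above (a subset), and the
row layout parsed here is assumed to be:

    PID <writer> wrote to memory of <target> N/A <writer image> <target image>
"""
import re
from collections import Counter, namedtuple

Edge = namedtuple("Edge", "src dst src_img dst_img")

EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<src_img>\S+) (?P<dst_img>\S+)$"
)

# Subset of the table above, used as sample input for this example.
SAMPLE_EVENTS = r"""
PID 1924 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe
PID 1924 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe
PID 1892 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe
PID 1892 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe
PID 1892 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe
PID 1892 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\fmwrz.exe
PID 2176 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\fmwrz.exe C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe
PID 2144 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe
PID 1892 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\datorg.exe
PID 4708 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe C:\Windows\SysWOW64\cmd.exe
PID 1640 wrote to memory of 1176 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
"""


def parse_events(text):
    """Parse table rows into Edge tuples; rows that do not match are skipped."""
    edges = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            edges.append(Edge(int(m["src"]), int(m["dst"]), m["src_img"], m["dst_img"]))
    return edges


def build_tree(edges):
    """Index the edges: writer of each target PID, image per PID, writes per target.

    A target written by two different PIDs is rejected rather than silently
    re-parented: within one detonation that means PID reuse, and the chain would lie.
    """
    parent, image, writes = {}, {}, Counter()
    for e in edges:
        if parent.setdefault(e.dst, e.src) != e.src:
            raise ValueError(f"PID {e.dst} written by both {parent[e.dst]} and {e.src}")
        image[e.dst] = e.dst_img
        image.setdefault(e.src, e.src_img)
        writes[e.dst] += 1
    return {"parent": parent, "image": image, "writes": writes}


def chain_to_root(tree, pid):
    """Return [(pid, image), ...] from the outermost writer down to `pid`."""
    chain, seen = [pid], {pid}
    while chain[-1] in tree["parent"]:
        up = tree["parent"][chain[-1]]
        if up in seen:  # defensive: a cycle can only come from corrupt input
            raise ValueError("cycle in writer graph")
        seen.add(up)
        chain.append(up)
    chain.reverse()
    return [(p, tree["image"][p]) for p in chain]


def hollowing_candidates(tree):
    """Target PIDs whose writer runs the same image as the target.

    A process writing into a fresh copy of itself is, together with the
    SetThreadContext signature this report raises, the usual shape of process
    hollowing (RunPE): spawn self suspended, overwrite the image, redirect the
    thread. Different images (tqchnnl.exe -> fmwrz.exe) are ordinary drop-and-run.
    """
    return sorted(
        pid for pid, up in tree["parent"].items()
        if tree["image"][pid].lower() == tree["image"][up].lower()
    )


if __name__ == "__main__":
    tree = build_tree(parse_events(SAMPLE_EVENTS))
    for pid, img in chain_to_root(tree, 1176):
        print(f"{pid:>5}  {img}  (written {tree['writes'][pid]}x)")
    print("hollowing candidates:", hollowing_candidates(tree))
```

On the subset above this prints the chain tqchnnl.exe (1924) to tqchnnl.exe (1892) to datorg.exe (4708) to cmd.exe (1640) to PING.EXE (1176) and the candidates 1892, 2112 and 4488. Only the target of a write gets a parent, so a PID that only ever writes is a root; feed it the complete table and the walk starts wherever the first writer sits.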

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4da41093eb4cce80c18d1e6a2391ba80.exe

"C:\Users\Admin\AppData\Local\Temp\4da41093eb4cce80c18d1e6a2391ba80.exe"

C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe

"C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe" C:\Users\Admin\AppData\Local\Temp\smpprgdmyr.v

C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe

"C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe"

C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe

C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe /stext "C:\Users\Admin\AppData\Local\Temp\tmghhnvqspcishziw"

C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe

C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe /stext "C:\Users\Admin\AppData\Local\Temp\eolzifgrgxuvunnmfenfv"

C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe

C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe /stext "C:\Users\Admin\AppData\Local\Temp\oirsbyqlufmzftjqwpihyhrd"

C:\Users\Admin\AppData\Local\Temp\fmwrz.exe

"C:\Users\Admin\AppData\Local\Temp\fmwrz.exe"

C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe

"C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe" C:\Users\Admin\AppData\Local\Temp\xaaktctbkvc.h

C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe

"C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe"

C:\Users\Admin\AppData\Local\Temp\datxld.exe

"C:\Users\Admin\AppData\Local\Temp\datxld.exe"

C:\Users\Admin\AppData\Local\Temp\datorg.exe

"C:\Users\Admin\AppData\Local\Temp\datorg.exe"

C:\Users\Admin\AppData\Local\Temp\datrem.exe

"C:\Users\Admin\AppData\Local\Temp\datrem.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c ping 127.0.0.1 -n 39 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\dfsghjs\iurdsfhgj.exe,"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c ping 127.0.0.1 -n 36 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\dfsghjs\uytedew.exe,"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 39

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 36

C:\Windows\SysWOW64\cmd.exe

"cmd" /c ping 127.0.0.1 -n 36 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\dfsghjs\uytresdfgh.exe,"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 36

C:\Windows\SysWOW64\cmd.exe

"cmd" /c ping 127.0.0.1 -n 46 > nul && copy "C:\Users\Admin\AppData\Local\Temp\datorg.exe" "C:\Users\Admin\AppData\Roaming\dfsghjs\iurdsfhgj.exe" && ping 127.0.0.1 -n 46 > nul && "C:\Users\Admin\AppData\Roaming\dfsghjs\iurdsfhgj.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 46

C:\Windows\SysWOW64\cmd.exe

"cmd" /c ping 127.0.0.1 -n 47 > nul && copy "C:\Users\Admin\AppData\Local\Temp\datxld.exe" "C:\Users\Admin\AppData\Roaming\dfsghjs\uytedew.exe" && ping 127.0.0.1 -n 47 > nul && "C:\Users\Admin\AppData\Roaming\dfsghjs\uytedew.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 47

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\dfsghjs\uytedew.exe,"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c ping 127.0.0.1 -n 41 > nul && copy "C:\Users\Admin\AppData\Local\Temp\datrem.exe" "C:\Users\Admin\AppData\Roaming\dfsghjs\uytresdfgh.exe" && ping 127.0.0.1 -n 41 > nul && "C:\Users\Admin\AppData\Roaming\dfsghjs\uytresdfgh.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 41

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\dfsghjs\iurdsfhgj.exe,"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\dfsghjs\uytresdfgh.exe,"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 46

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 47

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 41

C:\Users\Admin\AppData\Roaming\dfsghjs\uytresdfgh.exe

"C:\Users\Admin\AppData\Roaming\dfsghjs\uytresdfgh.exe"

C:\Users\Admin\AppData\Roaming\dfsghjs\iurdsfhgj.exe

"C:\Users\Admin\AppData\Roaming\dfsghjs\iurdsfhgj.exe"

C:\Users\Admin\AppData\Roaming\dfsghjs\uytedew.exe

"C:\Users\Admin\AppData\Roaming\dfsghjs\uytedew.exe"
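
The command lines above show the whole persistence routine as cmd one-liners per dropped binary: a loopback ping as a sleep, a copy into %APPDATA%\dfsghjs, a Winlogon Shell rewrite to "explorer.exe,<copy>," and a launch of the copy; the tqchnnl.exe /stext invocations are the NirSoft credential dumps the signatures name. The following Python is an added example, not part of the sandbox report: it runs detection checks for those three behaviours over command lines copied from this list. The regex patterns, the LOOPBACK set and the function names are this example's own assumptions about how such lines are laid out.

```python
"""Triage sandbox command lines for the behaviours this report's signatures name.

Added example, not part of the sandbox report. Sample input is copied from the
Processes list above; the regexes and function names are this example's own.
"""
import re

# Copied verbatim from the Processes list above (sample input for this example).
SAMPLE_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\4da41093eb4cce80c18d1e6a2391ba80.exe"',
    r'C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe /stext "C:\Users\Admin\AppData\Local\Temp\tmghhnvqspcishziw"',
    r'"cmd" /c ping 127.0.0.1 -n 39 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\dfsghjs\iurdsfhgj.exe,"',
    r'"cmd" /c ping 127.0.0.1 -n 46 > nul && copy "C:\Users\Admin\AppData\Local\Temp\datorg.exe" "C:\Users\Admin\AppData\Roaming\dfsghjs\iurdsfhgj.exe" && ping 127.0.0.1 -n 46 > nul && "C:\Users\Admin\AppData\Roaming\dfsghjs\iurdsfhgj.exe"',
    r"ping 127.0.0.1 -n 39",
]

# reg add "<key ending in \Winlogon>" ... /v Shell ... /d "<data>"
WINLOGON_SHELL_RE = re.compile(
    r'\breg\s+add\s+"(?P<key>[^"]*\\winlogon)"'
    r'.*?/v\s+"?shell"?'
    r'.*?/d\s+"(?P<data>[^"]*)"',
    re.IGNORECASE,
)
# one ping invocation and its arguments, up to the next redirect or operator
PING_CMD_RE = re.compile(r"\bping(?:\.exe)?\b(?P<args>[^&|>]*)", re.IGNORECASE)
LOOPBACK = {"127.0.0.1", "localhost", "::1"}
# NirSoft password-recovery tools: /stext <file> saves recovered credentials as text
STEXT_RE = re.compile(r'/stext\s+(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))', re.IGNORECASE)


def winlogon_shell_extras(cmdline):
    """Binaries added to the Winlogon Shell value; [] if only explorer.exe; None if not a Shell write.

    Winlogon treats Shell as a comma-separated list and starts each entry at
    logon, so any entry other than explorer.exe is the persisted payload
    (ATT&CK T1547.004). The trailing comma in the sample is harmless filler.
    """
    m = WINLOGON_SHELL_RE.search(cmdline)
    if not m:
        return None
    entries = [e.strip() for e in m["data"].split(",") if e.strip()]
    return [e for e in entries if e.lower() != "explorer.exe"]


def ping_sleeps(cmdline):
    """Echo counts of every loopback ping in the command line.

    `ping 127.0.0.1 -n N` answers instantly but pauses a second between echoes,
    so it is a roughly (N-1) second sleep that needs no timeout.exe or script
    host; here it spaces out the copy, the Winlogon write and the launch.
    """
    counts = []
    for m in PING_CMD_RE.finditer(cmdline):
        args = m["args"]
        n = re.search(r"-n\s+(\d+)", args, re.IGNORECASE)
        if n and any(tok.lower() in LOOPBACK for tok in args.split()):
            counts.append(int(n.group(1)))
    return counts


def nirsoft_stext_output(cmdline):
    """Output file of a NirSoft-style `/stext` dump, or None.

    The report runs tqchnnl.exe three times with /stext; the first target,
    tmghhnvqspcishziw, is listed under Files with its hashes.
    """
    m = STEXT_RE.search(cmdline)
    if not m:
        return None
    return m["quoted"] if m["quoted"] is not None else m["bare"]


def triage(cmdlines):
    """Run every check over every command line and return (finding, detail) pairs."""
    findings = []
    for c in cmdlines:
        extras = winlogon_shell_extras(c)
        if extras:
            findings.append(("winlogon_shell_persistence", extras))
        for n in ping_sleeps(c):
            findings.append(("ping_sleep", n))
        out = nirsoft_stext_output(c)
        if out:
            findings.append(("nirsoft_stext_dump", out))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_CMDLINES):
        print(f"{kind:<28} {detail}")
```

A reg.exe line that sets Shell to exactly explorer.exe returns [] rather than None, so a caller can tell a benign rewrite from a command that never touched Shell; triage() drops the empty case. On a live host the same test belongs on the value read back from HKCU and HKLM ...\Winlogon\Shell, not only on captured command lines, since a payload that writes the key through the registry API leaves no reg.exe process behind.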

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 117.18.232.240:80 tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 top.not2beabused01.xyz udp
CA 38.117.65.122:1558 top.not2beabused01.xyz tcp
US 8.8.8.8:53 122.65.117.38.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
CA 38.117.65.122:1558 top.not2beabused01.xyz tcp
CA 38.117.65.122:1558 top.not2beabused01.xyz tcp
US 8.8.8.8:53 geoplugin.net udp
CA 38.117.65.122:1558 top.not2beabused01.xyz tcp
CA 38.117.65.122:1558 top.not2beabused01.xyz tcp
NL 178.237.33.50:80 geoplugin.net tcp
CA 38.117.65.122:1558 top.not2beabused01.xyz tcp
CA 38.117.65.122:1558 top.not2beabused01.xyz tcp
CA 38.117.65.122:1558 top.not2beabused01.xyz tcp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
CA 38.117.65.122:1668 top.not2beabused01.xyz tcp
US 8.8.8.8:53 microsoft.com udp
US 20.112.52.29:80 microsoft.com tcp
US 8.8.8.8:53 123.108.74.40.in-addr.arpa udp
US 8.8.8.8:53 29.52.112.20.in-addr.arpa udp
US 52.152.110.14:443 tcp
IE 13.69.239.74:443 tcp
US 117.18.232.240:80 tcp
US 117.18.232.240:80 tcp
US 8.8.8.8:53 176.122.125.40.in-addr.arpa udp
US 8.8.8.8:53 62.13.109.52.in-addr.arpa udp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 131.253.33.203:80 tcp

Files

C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe

MD5 78d3f22fed32bf75725573cf8df7d666
SHA1 2e0c049c4b58a7db1259bfa7023473ebe6785025
SHA256 4a6d211f626c08754049b36707cbb5316d4f8fc5a3e4cfbf28616ed1c39f66c0
SHA512 bf01b209f4d3ba488a798a65a9d346bba04343d5a694619c350a3eff660a507c28fc63bf0464668118b26777945f1d0216659798baabaabb1d77d535cb02668c

C:\Users\Admin\AppData\Local\Temp\smpprgdmyr.v

MD5 8bba552e868d530af56dadd00d38ce78
SHA1 e8f76dd15c91b3c42d42ce83a06c299d900cedf6
SHA256 dd99bf95cbfb93c236cdfe239dddce5aa54f6355a50a7b2ed7606afd00958b9b
SHA512 ff8fe38ed26720865f57fa69a9dd3806109cb688ea22e38ff44ca05f6a7d95795705ac2ccff1e7eb964696a0a0843b370fe76c96373a580ef66ada63054ce35f

C:\Users\Admin\AppData\Local\Temp\wahquzerdw.vl

MD5 b8e0694c7d8f49c6bab7b2f38a068cc7
SHA1 b19f8174f08d3e844b5ae2e74cb6eb7a7e6f7923
SHA256 6a0e2c58b2be31c768cd2dd0236ebef7d8ef9839c6398931f6f9b9a20b62dd4c
SHA512 ead2ee5aeec1a2df1d244b8b5502bc0e84e85c5024602fb9cc4e3b09f687e9af77c2427d6e59661319217306494d50ea77d623b18e586baebeecc7b72a05c14f

memory/1892-142-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1892-144-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1892-146-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1892-147-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1892-149-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1892-150-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1892-152-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1892-153-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1892-155-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1892-156-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1892-157-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1892-158-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1892-159-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1892-161-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1892-162-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1892-167-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1892-168-0x0000000000400000-0x0000000000480000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fmwrz.exe

MD5 a3a47448f45b0374c3cde59e1a7bfb0d
SHA1 e00b404f1a143c99e1cf095ef27678022539be43
SHA256 9b1cd01f7d8e52a581fa6d6b2fd0dbb61361c3e6bda603f0f5fded0f938ada10
SHA512 cc70d6c4829a13a7b5819c6924d0309beb083131c59d8cb3e81f13b1bc38d02413f48447064b7f5948bdb2d162c450863c9bc0c47f51735375264d31bbc48dd4

memory/2112-177-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2996-180-0x0000000000400000-0x0000000000457000-memory.dmp

memory/2112-181-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2112-184-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2996-186-0x0000000000400000-0x0000000000457000-memory.dmp

memory/2996-189-0x0000000000400000-0x0000000000457000-memory.dmp

memory/2060-195-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2060-197-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2996-196-0x0000000000400000-0x0000000000457000-memory.dmp

memory/2060-185-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1892-200-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2060-199-0x0000000000400000-0x0000000000424000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe

MD5 fb4d8f685c26d5958cb092ef90cc8e7f
SHA1 accfc973351957db7fe4584e24c3989b5df8d3b9
SHA256 b78e622cab41dcf6e311a6d53dc1325d6e1851526baf036f9cbd5168000b8901
SHA512 89878fa3efba0cb880d8973085b69eea0733260fc7fe6d3b276b33259cf99243363010d7dd753b98d629271834e2cf310bec514db0e1ea8a50d1aba3d200f4e3

memory/2112-209-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xaaktctbkvc.h

MD5 bab85673afd9040f8fffe381439cf5cc
SHA1 8d13dfa7f0047acb464e3ed534580c60bdabed6b
SHA256 76aee090b77973c9e217601cd168c181c0e4639b2073a0f52db7eb5c32fa77c2
SHA512 df2694645b1ed4d2e9b2ffb901cb0d0af8ac192665c81214bbc8157fab7b6b5fe7203d8f6ebdbe070796ff6185c3535efed97a515f7ed413c0f7f689d1b0f16c

memory/2112-212-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1892-215-0x0000000010000000-0x0000000010019000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmbugjrwpz.kh

MD5 12c7d6f0b173d7d369ae8bf93dd1c384
SHA1 bcb512d7fe890bb980206788d15c494ca02ede8a
SHA256 ae4add2b61f783f6d4faa3216ff68960302f76230ef0a371edf6778188bf86f3
SHA512 53e8b9337544218ab38f319d34752161ad974db1b370dae10786695554d0541dc21209e48c819b5e9e48f339e0afa843d750e8e5105e5abf18aa84e7bb3c24be

C:\Users\Admin\AppData\Local\Temp\tmghhnvqspcishziw

MD5 b1a407ed9778faba2aa43f92e4e85dca
SHA1 cb9c6835291dde8bf4227b3adafdc8e0ef07a4bb
SHA256 1d16f0d3fe199ac744b1305b95e04ed2fd8711ada610cfbe373a14ea301277f5
SHA512 7d9ca374f1d3464a9ba12c8a7708593e43eee2a7f2b7ac7cecf6fe36845d6407bc2938dddab63ee912a16dd70488ffeae6c4408e7c1e57457441c4a3243103ac

memory/1892-220-0x0000000010000000-0x0000000010019000-memory.dmp

memory/4488-221-0x0000000000400000-0x000000000055C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\datorg.exe

MD5 8b0e574f3db376044a84cb315777dd80
SHA1 95a9baee9753204301faba46444cde42f724c1d6
SHA256 adbe453aa3a0209fc356b1fd2ceaad057f5ff3a82fa54b0b0cf49d2c4788d263
SHA512 d95d77fcd16d26c84e80697b109b9fbab2f8a7eb8ef3f10f463319ff193647e280ddc061506645c449a6c365aa5856e178fa4791242c5638be6f469a4b93b7ea

C:\Users\Admin\AppData\Local\Temp\datxld.exe

MD5 4cfc1701fe7974c640796586a7130f70
SHA1 329f3b2b6d4c29c785085178e7ff9c1813839d84
SHA256 1100225cfbdf3ac536e1cc3bc6e77a4ba01a5b2fc582655a3b67c23183c2048c
SHA512 0a280c11af661d006c3041d7819e9b4b3b3541ce0ed4fa54fc06180fa5132722a39c91c6bb334d282e6afea455ebb647bad02bace182f561aead3de468bf68ed

memory/4488-249-0x0000000000400000-0x000000000055C000-memory.dmp

memory/1892-250-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1892-253-0x0000000010000000-0x0000000010019000-memory.dmp

memory/4488-254-0x0000000000400000-0x000000000055C000-memory.dmp

memory/4708-255-0x0000000000320000-0x0000000000440000-memory.dmp

memory/4708-256-0x00000000056F0000-0x0000000005C94000-memory.dmp

memory/4708-257-0x0000000005140000-0x00000000051D2000-memory.dmp

memory/1892-233-0x0000000000400000-0x0000000000480000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\datrem.exe

MD5 96ab89f81c025afe746d86333ce945f7
SHA1 d88cf814dbf9236c51b6a2914212765d289b2e8b
SHA256 c8a73b8edabb6fb2597a642abb53b5a33aca53cf494a8b9b35a2dd020744d27b
SHA512 f9a68e6f174c022fc67c58cd6f172f633111af38765b81e6b578dae89f90cbc18c3d77c47dff4d3e166f59b5574fff30316991275c31aaedb91feec83ea6930d

memory/4708-266-0x00000000050D0000-0x00000000050DA000-memory.dmp

memory/4760-268-0x0000000000FF0000-0x0000000001116000-memory.dmp

memory/1892-273-0x0000000000400000-0x0000000000480000-memory.dmp

memory/4372-272-0x00000000001A0000-0x0000000000332000-memory.dmp

memory/4708-274-0x00000000052B0000-0x00000000052C0000-memory.dmp

memory/4760-275-0x0000000005750000-0x0000000005760000-memory.dmp

memory/4708-267-0x00000000053B0000-0x000000000544C000-memory.dmp

memory/4372-276-0x00000000024F0000-0x0000000002500000-memory.dmp

memory/4708-277-0x00000000052B0000-0x00000000052C0000-memory.dmp

memory/4760-278-0x0000000005750000-0x0000000005760000-memory.dmp

memory/4372-279-0x00000000024F0000-0x0000000002500000-memory.dmp

memory/4708-280-0x00000000052B0000-0x00000000052C0000-memory.dmp

memory/4488-281-0x0000000000400000-0x000000000055C000-memory.dmp

memory/1892-283-0x0000000000400000-0x0000000000480000-memory.dmp

memory/4488-284-0x0000000000400000-0x000000000055C000-memory.dmp

memory/4760-285-0x0000000005750000-0x0000000005760000-memory.dmp

memory/4372-286-0x00000000024F0000-0x0000000002500000-memory.dmp

memory/4488-288-0x0000000000400000-0x000000000055C000-memory.dmp

memory/4760-289-0x0000000005750000-0x0000000005760000-memory.dmp

memory/4488-290-0x0000000000400000-0x000000000055C000-memory.dmp

memory/4708-292-0x00000000052B0000-0x00000000052C0000-memory.dmp

memory/4760-293-0x0000000005750000-0x0000000005760000-memory.dmp

memory/4372-294-0x00000000024F0000-0x0000000002500000-memory.dmp

C:\Users\Admin\AppData\Roaming\Appsync\logs.dat

MD5 1cc9154bf1a71ae75ff3f6435eedb3bb
SHA1 29fba54951e0034db5de20d73774cd95b1ae3256
SHA256 36456c5170dea57616ec84858ca8ac57603ffd2b20414de7bdb5d6843ad6bbf9
SHA512 211e1e650189a307be7f25e0b3cfe2b43644b8bd2b48be157fabfc40b9334563912ffd19d2fb6850a7cfc8b6a489d253a7f7a7138f372f28ce4318808f00e997

memory/1892-296-0x0000000000400000-0x0000000000480000-memory.dmp

memory/4708-297-0x00000000052B0000-0x00000000052C0000-memory.dmp

memory/4760-298-0x0000000005750000-0x0000000005760000-memory.dmp

memory/4372-299-0x00000000024F0000-0x0000000002500000-memory.dmp

memory/4708-300-0x00000000052B0000-0x00000000052C0000-memory.dmp

memory/4760-301-0x0000000005750000-0x0000000005760000-memory.dmp

memory/4372-302-0x00000000024F0000-0x0000000002500000-memory.dmp

memory/4760-305-0x0000000005750000-0x0000000005760000-memory.dmp

memory/4372-306-0x00000000024F0000-0x0000000002500000-memory.dmp

memory/1892-307-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1892-308-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1892-310-0x0000000000400000-0x0000000000480000-memory.dmp

memory/4708-316-0x00000000052B0000-0x00000000052C0000-memory.dmp

memory/4488-324-0x0000000008480000-0x0000000008527000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\msvcp140.dll

MD5 109f0f02fd37c84bfc7508d4227d7ed5
SHA1 ef7420141bb15ac334d3964082361a460bfdb975
SHA256 334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4
SHA512 46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

C:\Users\Admin\AppData\Local\Temp\vcruntime140.dll

MD5 7587bf9cb4147022cd5681b015183046
SHA1 f2106306a8f6f0da5afb7fc765cfa0757ad5a628
SHA256 c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d
SHA512 0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

C:\Users\Admin\AppData\Local\Temp\mozglue.dll

MD5 75f8cc548cabf0cc800c25047e4d3124
SHA1 602676768f9faecd35b48c38a0632781dfbde10c
SHA256 fb419a60305f17359e2ac0510233ee80e845885eee60607715c67dd88e501ef0
SHA512 ed831c9c769aef3be253c52542cf032afa0a8fa5fe25ca704db65ee6883c608220df7102ac2b99ee9c2e599a0f5db99fd86894a4b169e68440eb1b0d0012672f

C:\Users\Admin\AppData\Local\Temp\nss3.dll

MD5 d7858e8449004e21b01d468e9fd04b82
SHA1 9524352071ede21c167e7e4f106e9526dc23ef4e
SHA256 78758bf7f3b3b5e3477e38354acd32d787bc1286c8bd9b873471b9c195e638db
SHA512 1e2c981e6c0ca36c60c6e9cae9548b866d5c524df837095b30d618d9c322def7134c20de820105400dd1b58076b66d90274f67773ac6ba914f611b419babb440

C:\Users\Admin\AppData\Local\Temp\softokn3.dll

MD5 471c983513694ac3002590345f2be0da
SHA1 6612b9af4ff6830fa9b7d4193078434ef72f775b
SHA256 bb3ff746471116c6ad0339fa0522aa2a44a787e33a29c7b27649a054ecd4d00f
SHA512 a9b0fb923bc3b567e933de10b141a3e9213640e3d790b4c4d753cf220d55593ae8026102909969ba6bfc22da3b2fcd01e30a9f5a74bd14a0fdec9beaf0fb1410

C:\Users\Admin\AppData\Local\Temp\freebl3.dll

MD5 ef12ab9d0b231b8f898067b2114b1bc0
SHA1 6d90f27b2105945f9bb77039e8b892070a5f9442
SHA256 2b00fc4f541ac10c94e3556ff28e30a801811c36422546a546a445aca3f410f7
SHA512 2aa62bfba556ad8f042942dd25aa071ff6677c257904377c1ec956fd9e862abcbf379e0cfd8c630c303a32ece75618c24e3eef58bddb705c427985b944689193

memory/4488-355-0x0000000008480000-0x0000000008527000-memory.dmp

C:\Users\Admin\AppData\Roaming\dfsghjs\uytresdfgh.exe

MD5 96ab89f81c025afe746d86333ce945f7
SHA1 d88cf814dbf9236c51b6a2914212765d289b2e8b
SHA256 c8a73b8edabb6fb2597a642abb53b5a33aca53cf494a8b9b35a2dd020744d27b
SHA512 f9a68e6f174c022fc67c58cd6f172f633111af38765b81e6b578dae89f90cbc18c3d77c47dff4d3e166f59b5574fff30316991275c31aaedb91feec83ea6930d

memory/4404-401-0x0000000000220000-0x00000000003B2000-memory.dmp

memory/4404-404-0x0000000004C00000-0x0000000004C10000-memory.dmp

memory/4404-405-0x0000000004C00000-0x0000000004C10000-memory.dmp

C:\Users\Admin\AppData\Roaming\dfsghjs\iurdsfhgj.exe

MD5 8b0e574f3db376044a84cb315777dd80
SHA1 95a9baee9753204301faba46444cde42f724c1d6
SHA256 adbe453aa3a0209fc356b1fd2ceaad057f5ff3a82fa54b0b0cf49d2c4788d263
SHA512 d95d77fcd16d26c84e80697b109b9fbab2f8a7eb8ef3f10f463319ff193647e280ddc061506645c449a6c365aa5856e178fa4791242c5638be6f469a4b93b7ea

memory/952-409-0x0000000000260000-0x0000000000380000-memory.dmp

memory/952-410-0x0000000005930000-0x0000000005940000-memory.dmp

memory/952-411-0x0000000005930000-0x0000000005940000-memory.dmp

memory/952-412-0x0000000005930000-0x0000000005940000-memory.dmp

memory/4404-413-0x0000000004C00000-0x0000000004C10000-memory.dmp

C:\Users\Admin\AppData\Roaming\dfsghjs\uytedew.exe

MD5 4cfc1701fe7974c640796586a7130f70
SHA1 329f3b2b6d4c29c785085178e7ff9c1813839d84
SHA256 1100225cfbdf3ac536e1cc3bc6e77a4ba01a5b2fc582655a3b67c23183c2048c
SHA512 0a280c11af661d006c3041d7819e9b4b3b3541ce0ed4fa54fc06180fa5132722a39c91c6bb334d282e6afea455ebb647bad02bace182f561aead3de468bf68ed

memory/4728-418-0x0000000000BF0000-0x0000000000D16000-memory.dmp

memory/4728-420-0x0000000005340000-0x0000000005350000-memory.dmp

memory/4728-421-0x0000000005340000-0x0000000005350000-memory.dmp

memory/4728-422-0x0000000005340000-0x0000000005350000-memory.dmp

memory/4404-425-0x0000000004C00000-0x0000000004C10000-memory.dmp

memory/4404-426-0x0000000004C00000-0x0000000004C10000-memory.dmp