Malware Analysis Report

2025-08-05 21:33

Sample ID 230329-j6fllsha8w
Target vbc.exe
SHA256 f628532a482840b66c9fdf0ed09de86b63418e1f2cc3bbff139f54482f895d43
Tags
remcos sixthclients persistence rat warzonerat collection infostealer spyware stealer
score
10/10

Analysis Overview

Threat Level: Known bad

The file vbc.exe was found to be: Known bad.

Malicious Activity Summary

WarzoneRat, AveMaria

Remcos

Modifies WinLogon for persistence

NirSoft WebBrowserPassView

NirSoft MailPassView

Warzone RAT payload

Nirsoft

Loads dropped DLL

Checks computer location settings

Uses the VBS compiler for execution

Executes dropped EXE

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Accesses Microsoft Outlook accounts

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

outlook_office_path

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

outlook_win_path

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

Analysis: static1

Detonation Overview

Reported

2023-03-29 08:16

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-03-29 08:16

Reported

2023-03-29 08:20

Platform

win7-20230220-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\vbc.exe"

Signatures

Remcos

rat remcos

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\vbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows\CurrentVersion\Run\odsnqyon = "C:\\Users\\Admin\\AppData\\Roaming\\ukyerc\\irsqhssjjf.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\tqchnnl.exe\" C:\\Users\\Admin\\AppData\\Local\\" C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1972 set thread context of 860 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\vbc.exe

"C:\Users\Admin\AppData\Local\Temp\vbc.exe"

C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe

"C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe" C:\Users\Admin\AppData\Local\Temp\smpprgdmyr.v

C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe

"C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 top.not2beabused01.xyz udp
CA 38.117.65.122:1558 top.not2beabused01.xyz tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp

Files

\Users\Admin\AppData\Local\Temp\tqchnnl.exe

MD5 78d3f22fed32bf75725573cf8df7d666
SHA1 2e0c049c4b58a7db1259bfa7023473ebe6785025
SHA256 4a6d211f626c08754049b36707cbb5316d4f8fc5a3e4cfbf28616ed1c39f66c0
SHA512 bf01b209f4d3ba488a798a65a9d346bba04343d5a694619c350a3eff660a507c28fc63bf0464668118b26777945f1d0216659798baabaabb1d77d535cb02668c

C:\Users\Admin\AppData\Local\Temp\smpprgdmyr.v

MD5 8bba552e868d530af56dadd00d38ce78
SHA1 e8f76dd15c91b3c42d42ce83a06c299d900cedf6
SHA256 dd99bf95cbfb93c236cdfe239dddce5aa54f6355a50a7b2ed7606afd00958b9b
SHA512 ff8fe38ed26720865f57fa69a9dd3806109cb688ea22e38ff44ca05f6a7d95795705ac2ccff1e7eb964696a0a0843b370fe76c96373a580ef66ada63054ce35f

C:\Users\Admin\AppData\Local\Temp\wahquzerdw.vl

MD5 b8e0694c7d8f49c6bab7b2f38a068cc7
SHA1 b19f8174f08d3e844b5ae2e74cb6eb7a7e6f7923
SHA256 6a0e2c58b2be31c768cd2dd0236ebef7d8ef9839c6398931f6f9b9a20b62dd4c
SHA512 ead2ee5aeec1a2df1d244b8b5502bc0e84e85c5024602fb9cc4e3b09f687e9af77c2427d6e59661319217306494d50ea77d623b18e586baebeecc7b72a05c14f

C:\Users\Admin\AppData\Roaming\Appsync\logs.dat

MD5 fb8e60c78b1b14bc0f9d256734d6d229
SHA1 d0555bf1738d10ac8539dc8308638b5f20d66904
SHA256 41796fabc840d864cd58ab913c80707db2f23b2e5a0315ed8bc21028bcf56d02
SHA512 0808b5c5c4d2da274eac17ac67dc6f6f55f0f9f8cfa522eb1889fd640aa46f701a38b679ff1d14268556420bc86b2e6b9961ea95dfef28c5392c3c50e9f44461

Analysis: behavioral2

Detonation Overview

Submitted

2023-03-29 08:16

Reported

2023-03-29 08:20

Platform

win10v2004-20230220-en

Max time kernel

150s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\vbc.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dfsghjs\\uytedew.exe," C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dfsghjs\\iurdsfhgj.exe," C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dfsghjs\\uytresdfgh.exe," C:\Windows\SysWOW64\reg.exe N/A

Remcos

rat remcos

WarzoneRat, AveMaria

rat infostealer warzonerat

NirSoft MailPassView

NirSoft WebBrowserPassView

Nirsoft

Warzone RAT payload

rat
Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe N/A

Reads user/profile data of web browsers

spyware stealer

Uses the VBS compiler for execution

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\odsnqyon = "C:\\Users\\Admin\\AppData\\Roaming\\ukyerc\\irsqhssjjf.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\tqchnnl.exe\" C:\\Users\\Admin\\AppData\\Local\\" C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maoie = "C:\\Users\\Admin\\AppData\\Roaming\\dnetoln\\qiyvhavtewgo.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\ghibzkdm.exe\" C:\\Users\\Admin\\AppData\\Lo" C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\datrem.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\dfsghjs\uytedew.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\dfsghjs\iurdsfhgj.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 616 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\vbc.exe C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe
PID 616 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\vbc.exe C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe
PID 616 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\vbc.exe C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe
PID 1800 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe
PID 1800 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe
PID 1800 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe
PID 1800 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe
PID 1596 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe
PID 1596 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe
PID 1596 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe
PID 1596 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe
PID 1596 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe
PID 1596 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe
PID 1596 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe
PID 1596 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe
PID 1596 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe
PID 1596 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\fmwrz.exe
PID 1596 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\fmwrz.exe
PID 1596 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\fmwrz.exe
PID 2132 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\fmwrz.exe C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe
PID 2132 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\fmwrz.exe C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe
PID 2132 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\fmwrz.exe C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe
PID 1596 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\datorg.exe
PID 1596 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\datorg.exe
PID 1596 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\datorg.exe
PID 1596 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\datxld.exe
PID 1596 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\datxld.exe
PID 1596 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\datxld.exe
PID 1092 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe
PID 1092 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe
PID 1092 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe
PID 1092 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe
PID 1596 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\datrem.exe
PID 1596 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\datrem.exe
PID 1596 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\datrem.exe
PID 2712 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe C:\Windows\SysWOW64\cmd.exe
PID 2712 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe C:\Windows\SysWOW64\cmd.exe
PID 2712 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe C:\Windows\SysWOW64\cmd.exe
PID 4224 wrote to memory of 1544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4224 wrote to memory of 1544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4224 wrote to memory of 1544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4164 wrote to memory of 2932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4164 wrote to memory of 2932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4164 wrote to memory of 2932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2888 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\datrem.exe C:\Windows\SysWOW64\cmd.exe
PID 2888 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\datrem.exe C:\Windows\SysWOW64\cmd.exe
PID 2888 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\datrem.exe C:\Windows\SysWOW64\cmd.exe
PID 3932 wrote to memory of 1816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3932 wrote to memory of 1816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3932 wrote to memory of 1816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2712 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe C:\Windows\SysWOW64\cmd.exe
PID 2712 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe C:\Windows\SysWOW64\cmd.exe
PID 2712 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe C:\Windows\SysWOW64\cmd.exe
PID 4848 wrote to memory of 4564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4848 wrote to memory of 4564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4848 wrote to memory of 4564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2812 wrote to memory of 508 N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 508 N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 508 N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe C:\Windows\SysWOW64\cmd.exe
PID 508 wrote to memory of 5004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 508 wrote to memory of 5004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\vbc.exe

"C:\Users\Admin\AppData\Local\Temp\vbc.exe"

C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe

"C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe" C:\Users\Admin\AppData\Local\Temp\smpprgdmyr.v

C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe

"C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe"

C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe

C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe /stext "C:\Users\Admin\AppData\Local\Temp\czocvqcsnapqahyimxvqdhzqbixgdfbmti"

C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe

C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe /stext "C:\Users\Admin\AppData\Local\Temp\nbbnvj"

C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe

C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe /stext "C:\Users\Admin\AppData\Local\Temp\pvhfwbxnx"

C:\Users\Admin\AppData\Local\Temp\fmwrz.exe

"C:\Users\Admin\AppData\Local\Temp\fmwrz.exe"

C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe

"C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe" C:\Users\Admin\AppData\Local\Temp\xaaktctbkvc.h

C:\Users\Admin\AppData\Local\Temp\datorg.exe

"C:\Users\Admin\AppData\Local\Temp\datorg.exe"

C:\Users\Admin\AppData\Local\Temp\datxld.exe

"C:\Users\Admin\AppData\Local\Temp\datxld.exe"

C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe

"C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe"

C:\Users\Admin\AppData\Local\Temp\datrem.exe

"C:\Users\Admin\AppData\Local\Temp\datrem.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c ping 127.0.0.1 -n 39 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\dfsghjs\iurdsfhgj.exe,"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c ping 127.0.0.1 -n 36 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\dfsghjs\uytedew.exe,"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 39

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 36

C:\Windows\SysWOW64\cmd.exe

"cmd" /c ping 127.0.0.1 -n 39 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\dfsghjs\uytresdfgh.exe,"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 39

C:\Windows\SysWOW64\cmd.exe

"cmd" /c ping 127.0.0.1 -n 39 > nul && copy "C:\Users\Admin\AppData\Local\Temp\datorg.exe" "C:\Users\Admin\AppData\Roaming\dfsghjs\iurdsfhgj.exe" && ping 127.0.0.1 -n 39 > nul && "C:\Users\Admin\AppData\Roaming\dfsghjs\iurdsfhgj.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 39

C:\Windows\SysWOW64\cmd.exe

"cmd" /c ping 127.0.0.1 -n 38 > nul && copy "C:\Users\Admin\AppData\Local\Temp\datxld.exe" "C:\Users\Admin\AppData\Roaming\dfsghjs\uytedew.exe" && ping 127.0.0.1 -n 38 > nul && "C:\Users\Admin\AppData\Roaming\dfsghjs\uytedew.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 38

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\dfsghjs\uytedew.exe,"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\dfsghjs\iurdsfhgj.exe,"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c ping 127.0.0.1 -n 46 > nul && copy "C:\Users\Admin\AppData\Local\Temp\datrem.exe" "C:\Users\Admin\AppData\Roaming\dfsghjs\uytresdfgh.exe" && ping 127.0.0.1 -n 46 > nul && "C:\Users\Admin\AppData\Roaming\dfsghjs\uytresdfgh.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 46

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\dfsghjs\uytresdfgh.exe,"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 38

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 39

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 46

C:\Users\Admin\AppData\Roaming\dfsghjs\uytedew.exe

"C:\Users\Admin\AppData\Roaming\dfsghjs\uytedew.exe"

C:\Users\Admin\AppData\Roaming\dfsghjs\iurdsfhgj.exe

"C:\Users\Admin\AppData\Roaming\dfsghjs\iurdsfhgj.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 top.not2beabused01.xyz udp
CA 38.117.65.122:1558 top.not2beabused01.xyz tcp
US 8.8.8.8:53 122.65.117.38.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
CA 38.117.65.122:1558 top.not2beabused01.xyz tcp
CA 38.117.65.122:1558 top.not2beabused01.xyz tcp
CA 38.117.65.122:1558 top.not2beabused01.xyz tcp
CA 38.117.65.122:1558 top.not2beabused01.xyz tcp
CA 38.117.65.122:1558 top.not2beabused01.xyz tcp
CA 38.117.65.122:1558 top.not2beabused01.xyz tcp
CA 38.117.65.122:1558 top.not2beabused01.xyz tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
CA 38.117.65.122:1668 top.not2beabused01.xyz tcp
US 8.8.8.8:53 microsoft.com udp
US 20.112.52.29:80 microsoft.com tcp
US 8.8.8.8:53 29.52.112.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 20.42.65.90:443 tcp
US 8.8.8.8:53 226.101.242.52.in-addr.arpa udp
US 8.8.8.8:53 97.97.242.52.in-addr.arpa udp
US 13.107.4.50:80 tcp
US 13.107.4.50:80 tcp
US 8.8.8.8:53 233.141.123.20.in-addr.arpa udp
NL 178.79.208.1:80 tcp

Files

C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe

MD5 78d3f22fed32bf75725573cf8df7d666
SHA1 2e0c049c4b58a7db1259bfa7023473ebe6785025
SHA256 4a6d211f626c08754049b36707cbb5316d4f8fc5a3e4cfbf28616ed1c39f66c0
SHA512 bf01b209f4d3ba488a798a65a9d346bba04343d5a694619c350a3eff660a507c28fc63bf0464668118b26777945f1d0216659798baabaabb1d77d535cb02668c

C:\Users\Admin\AppData\Local\Temp\smpprgdmyr.v

MD5 8bba552e868d530af56dadd00d38ce78
SHA1 e8f76dd15c91b3c42d42ce83a06c299d900cedf6
SHA256 dd99bf95cbfb93c236cdfe239dddce5aa54f6355a50a7b2ed7606afd00958b9b
SHA512 ff8fe38ed26720865f57fa69a9dd3806109cb688ea22e38ff44ca05f6a7d95795705ac2ccff1e7eb964696a0a0843b370fe76c96373a580ef66ada63054ce35f

memory/1800-140-0x00000000005B0000-0x00000000005B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wahquzerdw.vl

MD5 b8e0694c7d8f49c6bab7b2f38a068cc7
SHA1 b19f8174f08d3e844b5ae2e74cb6eb7a7e6f7923
SHA256 6a0e2c58b2be31c768cd2dd0236ebef7d8ef9839c6398931f6f9b9a20b62dd4c
SHA512 ead2ee5aeec1a2df1d244b8b5502bc0e84e85c5024602fb9cc4e3b09f687e9af77c2427d6e59661319217306494d50ea77d623b18e586baebeecc7b72a05c14f

memory/1596-143-0x0000000000400000-0x0000000000480000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe

MD5 78d3f22fed32bf75725573cf8df7d666
SHA1 2e0c049c4b58a7db1259bfa7023473ebe6785025
SHA256 4a6d211f626c08754049b36707cbb5316d4f8fc5a3e4cfbf28616ed1c39f66c0
SHA512 bf01b209f4d3ba488a798a65a9d346bba04343d5a694619c350a3eff660a507c28fc63bf0464668118b26777945f1d0216659798baabaabb1d77d535cb02668c

memory/1596-145-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1596-146-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1596-148-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1596-150-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1596-151-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1596-153-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1596-154-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1596-156-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1596-157-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1596-158-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1596-159-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1596-160-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1596-161-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1596-163-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1596-164-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1596-166-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1596-169-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1596-168-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2644-170-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe

MD5 78d3f22fed32bf75725573cf8df7d666
SHA1 2e0c049c4b58a7db1259bfa7023473ebe6785025
SHA256 4a6d211f626c08754049b36707cbb5316d4f8fc5a3e4cfbf28616ed1c39f66c0
SHA512 bf01b209f4d3ba488a798a65a9d346bba04343d5a694619c350a3eff660a507c28fc63bf0464668118b26777945f1d0216659798baabaabb1d77d535cb02668c

C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe

MD5 78d3f22fed32bf75725573cf8df7d666
SHA1 2e0c049c4b58a7db1259bfa7023473ebe6785025
SHA256 4a6d211f626c08754049b36707cbb5316d4f8fc5a3e4cfbf28616ed1c39f66c0
SHA512 bf01b209f4d3ba488a798a65a9d346bba04343d5a694619c350a3eff660a507c28fc63bf0464668118b26777945f1d0216659798baabaabb1d77d535cb02668c

memory/2644-177-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4592-178-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1596-180-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2088-179-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2644-174-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4592-173-0x0000000000400000-0x0000000000457000-memory.dmp

memory/4592-183-0x0000000000400000-0x0000000000457000-memory.dmp

memory/2088-187-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2644-190-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2088-193-0x0000000000400000-0x0000000000424000-memory.dmp

memory/4592-189-0x0000000000400000-0x0000000000457000-memory.dmp

memory/2088-188-0x0000000000400000-0x0000000000424000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe

MD5 78d3f22fed32bf75725573cf8df7d666
SHA1 2e0c049c4b58a7db1259bfa7023473ebe6785025
SHA256 4a6d211f626c08754049b36707cbb5316d4f8fc5a3e4cfbf28616ed1c39f66c0
SHA512 bf01b209f4d3ba488a798a65a9d346bba04343d5a694619c350a3eff660a507c28fc63bf0464668118b26777945f1d0216659798baabaabb1d77d535cb02668c

C:\Users\Admin\AppData\Local\Temp\fmwrz.exe

MD5 a3a47448f45b0374c3cde59e1a7bfb0d
SHA1 e00b404f1a143c99e1cf095ef27678022539be43
SHA256 9b1cd01f7d8e52a581fa6d6b2fd0dbb61361c3e6bda603f0f5fded0f938ada10
SHA512 cc70d6c4829a13a7b5819c6924d0309beb083131c59d8cb3e81f13b1bc38d02413f48447064b7f5948bdb2d162c450863c9bc0c47f51735375264d31bbc48dd4

memory/2644-203-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fmwrz.exe

MD5 a3a47448f45b0374c3cde59e1a7bfb0d
SHA1 e00b404f1a143c99e1cf095ef27678022539be43
SHA256 9b1cd01f7d8e52a581fa6d6b2fd0dbb61361c3e6bda603f0f5fded0f938ada10
SHA512 cc70d6c4829a13a7b5819c6924d0309beb083131c59d8cb3e81f13b1bc38d02413f48447064b7f5948bdb2d162c450863c9bc0c47f51735375264d31bbc48dd4

memory/1596-208-0x0000000010000000-0x0000000010019000-memory.dmp

memory/1596-211-0x0000000010000000-0x0000000010019000-memory.dmp

memory/1596-212-0x0000000000400000-0x0000000000480000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fmwrz.exe

MD5 a3a47448f45b0374c3cde59e1a7bfb0d
SHA1 e00b404f1a143c99e1cf095ef27678022539be43
SHA256 9b1cd01f7d8e52a581fa6d6b2fd0dbb61361c3e6bda603f0f5fded0f938ada10
SHA512 cc70d6c4829a13a7b5819c6924d0309beb083131c59d8cb3e81f13b1bc38d02413f48447064b7f5948bdb2d162c450863c9bc0c47f51735375264d31bbc48dd4

C:\Users\Admin\AppData\Local\Temp\czocvqcsnapqahyimxvqdhzqbixgdfbmti

MD5 9d9e72c9c9718c1b11fa079c9e176126
SHA1 84061c88da377e5badb0456d7e7d27b2b589da53
SHA256 c1b68659db646a5da925a4bb927a9803ab7d10ae74516a2547c87097f87ba317
SHA512 1b1aba5888e92f1afd33454ae69de66bc8202a4974b36696a0a6903cc528cb59810f778446ba855ac125b3c77f6be0ebee5d6df49a2838e0c0543a9a29a4e428

memory/1596-214-0x0000000000400000-0x0000000000480000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe

MD5 fb4d8f685c26d5958cb092ef90cc8e7f
SHA1 accfc973351957db7fe4584e24c3989b5df8d3b9
SHA256 b78e622cab41dcf6e311a6d53dc1325d6e1851526baf036f9cbd5168000b8901
SHA512 89878fa3efba0cb880d8973085b69eea0733260fc7fe6d3b276b33259cf99243363010d7dd753b98d629271834e2cf310bec514db0e1ea8a50d1aba3d200f4e3

C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe

MD5 fb4d8f685c26d5958cb092ef90cc8e7f
SHA1 accfc973351957db7fe4584e24c3989b5df8d3b9
SHA256 b78e622cab41dcf6e311a6d53dc1325d6e1851526baf036f9cbd5168000b8901
SHA512 89878fa3efba0cb880d8973085b69eea0733260fc7fe6d3b276b33259cf99243363010d7dd753b98d629271834e2cf310bec514db0e1ea8a50d1aba3d200f4e3

C:\Users\Admin\AppData\Local\Temp\xaaktctbkvc.h

MD5 bab85673afd9040f8fffe381439cf5cc
SHA1 8d13dfa7f0047acb464e3ed534580c60bdabed6b
SHA256 76aee090b77973c9e217601cd168c181c0e4639b2073a0f52db7eb5c32fa77c2
SHA512 df2694645b1ed4d2e9b2ffb901cb0d0af8ac192665c81214bbc8157fab7b6b5fe7203d8f6ebdbe070796ff6185c3535efed97a515f7ed413c0f7f689d1b0f16c

memory/1596-224-0x0000000010000000-0x0000000010019000-memory.dmp

memory/1092-225-0x0000000000860000-0x0000000000862000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\datorg.exe

MD5 8b0e574f3db376044a84cb315777dd80
SHA1 95a9baee9753204301faba46444cde42f724c1d6
SHA256 adbe453aa3a0209fc356b1fd2ceaad057f5ff3a82fa54b0b0cf49d2c4788d263
SHA512 d95d77fcd16d26c84e80697b109b9fbab2f8a7eb8ef3f10f463319ff193647e280ddc061506645c449a6c365aa5856e178fa4791242c5638be6f469a4b93b7ea

C:\Users\Admin\AppData\Local\Temp\datxld.exe

MD5 4cfc1701fe7974c640796586a7130f70
SHA1 329f3b2b6d4c29c785085178e7ff9c1813839d84
SHA256 1100225cfbdf3ac536e1cc3bc6e77a4ba01a5b2fc582655a3b67c23183c2048c
SHA512 0a280c11af661d006c3041d7819e9b4b3b3541ce0ed4fa54fc06180fa5132722a39c91c6bb334d282e6afea455ebb647bad02bace182f561aead3de468bf68ed

C:\Users\Admin\AppData\Local\Temp\datxld.exe

MD5 4cfc1701fe7974c640796586a7130f70
SHA1 329f3b2b6d4c29c785085178e7ff9c1813839d84
SHA256 1100225cfbdf3ac536e1cc3bc6e77a4ba01a5b2fc582655a3b67c23183c2048c
SHA512 0a280c11af661d006c3041d7819e9b4b3b3541ce0ed4fa54fc06180fa5132722a39c91c6bb334d282e6afea455ebb647bad02bace182f561aead3de468bf68ed

memory/1596-248-0x0000000000400000-0x0000000000480000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmbugjrwpz.kh

MD5 12c7d6f0b173d7d369ae8bf93dd1c384
SHA1 bcb512d7fe890bb980206788d15c494ca02ede8a
SHA256 ae4add2b61f783f6d4faa3216ff68960302f76230ef0a371edf6778188bf86f3
SHA512 53e8b9337544218ab38f319d34752161ad974db1b370dae10786695554d0541dc21209e48c819b5e9e48f339e0afa843d750e8e5105e5abf18aa84e7bb3c24be

memory/1596-249-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1732-252-0x0000000000400000-0x000000000055C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\datxld.exe

MD5 4cfc1701fe7974c640796586a7130f70
SHA1 329f3b2b6d4c29c785085178e7ff9c1813839d84
SHA256 1100225cfbdf3ac536e1cc3bc6e77a4ba01a5b2fc582655a3b67c23183c2048c
SHA512 0a280c11af661d006c3041d7819e9b4b3b3541ce0ed4fa54fc06180fa5132722a39c91c6bb334d282e6afea455ebb647bad02bace182f561aead3de468bf68ed

C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe

MD5 fb4d8f685c26d5958cb092ef90cc8e7f
SHA1 accfc973351957db7fe4584e24c3989b5df8d3b9
SHA256 b78e622cab41dcf6e311a6d53dc1325d6e1851526baf036f9cbd5168000b8901
SHA512 89878fa3efba0cb880d8973085b69eea0733260fc7fe6d3b276b33259cf99243363010d7dd753b98d629271834e2cf310bec514db0e1ea8a50d1aba3d200f4e3

C:\Users\Admin\AppData\Local\Temp\datorg.exe

MD5 8b0e574f3db376044a84cb315777dd80
SHA1 95a9baee9753204301faba46444cde42f724c1d6
SHA256 adbe453aa3a0209fc356b1fd2ceaad057f5ff3a82fa54b0b0cf49d2c4788d263
SHA512 d95d77fcd16d26c84e80697b109b9fbab2f8a7eb8ef3f10f463319ff193647e280ddc061506645c449a6c365aa5856e178fa4791242c5638be6f469a4b93b7ea

memory/1732-255-0x0000000000400000-0x000000000055C000-memory.dmp

memory/2712-266-0x0000000000F40000-0x0000000001060000-memory.dmp

memory/2812-264-0x0000000000FD0000-0x00000000010F6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\datrem.exe

MD5 96ab89f81c025afe746d86333ce945f7
SHA1 d88cf814dbf9236c51b6a2914212765d289b2e8b
SHA256 c8a73b8edabb6fb2597a642abb53b5a33aca53cf494a8b9b35a2dd020744d27b
SHA512 f9a68e6f174c022fc67c58cd6f172f633111af38765b81e6b578dae89f90cbc18c3d77c47dff4d3e166f59b5574fff30316991275c31aaedb91feec83ea6930d

memory/1596-270-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2712-272-0x0000000005E50000-0x00000000063F4000-memory.dmp

memory/1732-271-0x0000000000400000-0x000000000055C000-memory.dmp

memory/2888-273-0x0000000000750000-0x00000000008E2000-memory.dmp

memory/2812-274-0x0000000004C60000-0x0000000004CF2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\datrem.exe

MD5 96ab89f81c025afe746d86333ce945f7
SHA1 d88cf814dbf9236c51b6a2914212765d289b2e8b
SHA256 c8a73b8edabb6fb2597a642abb53b5a33aca53cf494a8b9b35a2dd020744d27b
SHA512 f9a68e6f174c022fc67c58cd6f172f633111af38765b81e6b578dae89f90cbc18c3d77c47dff4d3e166f59b5574fff30316991275c31aaedb91feec83ea6930d

C:\Users\Admin\AppData\Local\Temp\datrem.exe

MD5 96ab89f81c025afe746d86333ce945f7
SHA1 d88cf814dbf9236c51b6a2914212765d289b2e8b
SHA256 c8a73b8edabb6fb2597a642abb53b5a33aca53cf494a8b9b35a2dd020744d27b
SHA512 f9a68e6f174c022fc67c58cd6f172f633111af38765b81e6b578dae89f90cbc18c3d77c47dff4d3e166f59b5574fff30316991275c31aaedb91feec83ea6930d

C:\Users\Admin\AppData\Local\Temp\datorg.exe

MD5 8b0e574f3db376044a84cb315777dd80
SHA1 95a9baee9753204301faba46444cde42f724c1d6
SHA256 adbe453aa3a0209fc356b1fd2ceaad057f5ff3a82fa54b0b0cf49d2c4788d263
SHA512 d95d77fcd16d26c84e80697b109b9fbab2f8a7eb8ef3f10f463319ff193647e280ddc061506645c449a6c365aa5856e178fa4791242c5638be6f469a4b93b7ea

memory/2712-275-0x0000000005950000-0x000000000595A000-memory.dmp

memory/2712-276-0x0000000005BA0000-0x0000000005C3C000-memory.dmp

memory/2812-277-0x0000000004C20000-0x0000000004C30000-memory.dmp

memory/2712-278-0x00000000059B0000-0x00000000059C0000-memory.dmp

memory/2888-279-0x0000000005010000-0x0000000005020000-memory.dmp

memory/1596-280-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1596-281-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1596-282-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2712-283-0x00000000059B0000-0x00000000059C0000-memory.dmp

memory/2888-286-0x0000000005010000-0x0000000005020000-memory.dmp

memory/2812-284-0x0000000004C20000-0x0000000004C30000-memory.dmp

memory/1732-287-0x0000000000400000-0x000000000055C000-memory.dmp

memory/1596-288-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1732-289-0x0000000000400000-0x000000000055C000-memory.dmp

memory/1732-291-0x0000000000400000-0x000000000055C000-memory.dmp

memory/2888-294-0x0000000005010000-0x0000000005020000-memory.dmp

memory/1732-293-0x0000000000400000-0x000000000055C000-memory.dmp

memory/2812-295-0x0000000004C20000-0x0000000004C30000-memory.dmp

memory/2712-297-0x00000000059B0000-0x00000000059C0000-memory.dmp

memory/2812-296-0x0000000004C20000-0x0000000004C30000-memory.dmp

memory/2888-298-0x0000000005010000-0x0000000005020000-memory.dmp

C:\Users\Admin\AppData\Roaming\Appsync\logs.dat

MD5 bd91ec5dad01faacaf4ba90c0101dccb
SHA1 ef07b56364766fdb78e1716f2cfb7b95a91ce0af
SHA256 3b5e91fbb60d1cfbb1856c79a12eb208ccc6bb80cdde3fafb825f6e64370d489
SHA512 cc7e2f14927ab09cd50ecbe803f261ab9be5bc0dc8a195c5d57b94ae2563d73e54fcac9980a3b79764cb5fa6bc8fb9ef3e8ba4d94b0e5164b4e0cf674f82e4f0

memory/1596-300-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2712-301-0x00000000059B0000-0x00000000059C0000-memory.dmp

memory/2888-303-0x0000000005010000-0x0000000005020000-memory.dmp

memory/2812-302-0x0000000004C20000-0x0000000004C30000-memory.dmp

memory/2712-304-0x00000000059B0000-0x00000000059C0000-memory.dmp

memory/2888-307-0x0000000005010000-0x0000000005020000-memory.dmp

memory/2812-308-0x0000000004C20000-0x0000000004C30000-memory.dmp

memory/1596-309-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1732-329-0x0000000008300000-0x00000000083A7000-memory.dmp

memory/2712-330-0x00000000059B0000-0x00000000059C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\msvcp140.dll

MD5 109f0f02fd37c84bfc7508d4227d7ed5
SHA1 ef7420141bb15ac334d3964082361a460bfdb975
SHA256 334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4
SHA512 46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

C:\Users\Admin\AppData\Local\Temp\vcruntime140.dll

MD5 7587bf9cb4147022cd5681b015183046
SHA1 f2106306a8f6f0da5afb7fc765cfa0757ad5a628
SHA256 c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d
SHA512 0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

C:\Users\Admin\AppData\Local\Temp\mozglue.dll

MD5 75f8cc548cabf0cc800c25047e4d3124
SHA1 602676768f9faecd35b48c38a0632781dfbde10c
SHA256 fb419a60305f17359e2ac0510233ee80e845885eee60607715c67dd88e501ef0
SHA512 ed831c9c769aef3be253c52542cf032afa0a8fa5fe25ca704db65ee6883c608220df7102ac2b99ee9c2e599a0f5db99fd86894a4b169e68440eb1b0d0012672f

C:\Users\Admin\AppData\Local\Temp\softokn3.dll

MD5 471c983513694ac3002590345f2be0da
SHA1 6612b9af4ff6830fa9b7d4193078434ef72f775b
SHA256 bb3ff746471116c6ad0339fa0522aa2a44a787e33a29c7b27649a054ecd4d00f
SHA512 a9b0fb923bc3b567e933de10b141a3e9213640e3d790b4c4d753cf220d55593ae8026102909969ba6bfc22da3b2fcd01e30a9f5a74bd14a0fdec9beaf0fb1410

C:\Users\Admin\AppData\Local\Temp\nss3.dll

MD5 d7858e8449004e21b01d468e9fd04b82
SHA1 9524352071ede21c167e7e4f106e9526dc23ef4e
SHA256 78758bf7f3b3b5e3477e38354acd32d787bc1286c8bd9b873471b9c195e638db
SHA512 1e2c981e6c0ca36c60c6e9cae9548b866d5c524df837095b30d618d9c322def7134c20de820105400dd1b58076b66d90274f67773ac6ba914f611b419babb440

C:\Users\Admin\AppData\Local\Temp\freebl3.dll

MD5 ef12ab9d0b231b8f898067b2114b1bc0
SHA1 6d90f27b2105945f9bb77039e8b892070a5f9442
SHA256 2b00fc4f541ac10c94e3556ff28e30a801811c36422546a546a445aca3f410f7
SHA512 2aa62bfba556ad8f042942dd25aa071ff6677c257904377c1ec956fd9e862abcbf379e0cfd8c630c303a32ece75618c24e3eef58bddb705c427985b944689193

C:\Users\Admin\AppData\Roaming\dfsghjs\uytedew.exe

MD5 4cfc1701fe7974c640796586a7130f70
SHA1 329f3b2b6d4c29c785085178e7ff9c1813839d84
SHA256 1100225cfbdf3ac536e1cc3bc6e77a4ba01a5b2fc582655a3b67c23183c2048c
SHA512 0a280c11af661d006c3041d7819e9b4b3b3541ce0ed4fa54fc06180fa5132722a39c91c6bb334d282e6afea455ebb647bad02bace182f561aead3de468bf68ed

C:\Users\Admin\AppData\Roaming\dfsghjs\uytedew.exe

MD5 4cfc1701fe7974c640796586a7130f70
SHA1 329f3b2b6d4c29c785085178e7ff9c1813839d84
SHA256 1100225cfbdf3ac536e1cc3bc6e77a4ba01a5b2fc582655a3b67c23183c2048c
SHA512 0a280c11af661d006c3041d7819e9b4b3b3541ce0ed4fa54fc06180fa5132722a39c91c6bb334d282e6afea455ebb647bad02bace182f561aead3de468bf68ed

memory/2368-397-0x0000000000F20000-0x0000000001046000-memory.dmp

memory/2368-399-0x00000000050D0000-0x00000000050E0000-memory.dmp

C:\Users\Admin\AppData\Roaming\dfsghjs\iurdsfhgj.exe

MD5 8b0e574f3db376044a84cb315777dd80
SHA1 95a9baee9753204301faba46444cde42f724c1d6
SHA256 adbe453aa3a0209fc356b1fd2ceaad057f5ff3a82fa54b0b0cf49d2c4788d263
SHA512 d95d77fcd16d26c84e80697b109b9fbab2f8a7eb8ef3f10f463319ff193647e280ddc061506645c449a6c365aa5856e178fa4791242c5638be6f469a4b93b7ea

C:\Users\Admin\AppData\Roaming\dfsghjs\iurdsfhgj.exe

MD5 8b0e574f3db376044a84cb315777dd80
SHA1 95a9baee9753204301faba46444cde42f724c1d6
SHA256 adbe453aa3a0209fc356b1fd2ceaad057f5ff3a82fa54b0b0cf49d2c4788d263
SHA512 d95d77fcd16d26c84e80697b109b9fbab2f8a7eb8ef3f10f463319ff193647e280ddc061506645c449a6c365aa5856e178fa4791242c5638be6f469a4b93b7ea

memory/716-403-0x00000000005D0000-0x00000000006F0000-memory.dmp

memory/2368-404-0x00000000050D0000-0x00000000050E0000-memory.dmp

memory/716-405-0x0000000004F20000-0x0000000004F30000-memory.dmp

memory/716-406-0x0000000004F20000-0x0000000004F30000-memory.dmp

memory/716-411-0x0000000004F20000-0x0000000004F30000-memory.dmp

memory/2368-414-0x00000000050D0000-0x00000000050E0000-memory.dmp

memory/716-416-0x0000000004F20000-0x0000000004F30000-memory.dmp

memory/2368-415-0x00000000050D0000-0x00000000050E0000-memory.dmp

memory/2368-417-0x00000000050D0000-0x00000000050E0000-memory.dmp

memory/716-418-0x0000000004F20000-0x0000000004F30000-memory.dmp

memory/716-421-0x0000000004F20000-0x0000000004F30000-memory.dmp