redline | 2799f011a46101e166a985dc8e134d658149e2ced40a1e53f276b82d1a72f9a5

Analysis

max time kernel
150s
max time network
152s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
25-09-2022 19:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2799f011a46101e166a985dc8e134d658149e2ced40a1e53f276b82d1a72f9a5.exe
Size

175KB
MD5

f0fc06ff15183775f7cca320c8eb7a2c
SHA1

529d1fbe6e83bde126446fb33e192adde928151d
SHA256

2799f011a46101e166a985dc8e134d658149e2ced40a1e53f276b82d1a72f9a5
SHA512

c24c501972358d311e090d88d94c44cabe16233768439887e8e52dab88222c31e836a92ab1e0324b6f73a61c963404891469001808681ee592bde9e63d97517a
SSDEEP

3072:7MV1U6vNBzz5OYIO86cfCzLsbfa3spaLIBHj6h9N5x:iQd6cfCzYbdpuO8

Score

10^/10

redline logsdiller cloud (tg: @mr_golds)evasion infostealer spyware stealer upx

Malware Config

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @mr_golds)

77.73.134.27:7161

Attributes

auth_value
4b2de03af6b6ac513ac597c2e6c1ad51

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/100552-176-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline
behavioral1/memory/100552-181-0x000000000042217E-mapping.dmp	family_redline

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

setup1.exesetup1.exesetup1.exesetup1.exesetup1.exeMoUSO.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	setup1.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	setup1.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	setup1.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	setup1.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	setup1.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MoUSO.exe

Downloads MZ/PE file

Executes dropped EXE 18 IoCs

Processes:

FADF.exe725.exeAEF.exe2780.exe2F42.exesetup.exesetup.exesetup1.exesetup.exesetup1.exesetup.exesetup1.exesetup.exesetup1.exesetup.exesetup1.exesetup.exeMoUSO.exe

pid	process
5016	FADF.exe
100588	725.exe
100692	AEF.exe
101184	2780.exe
101212	2F42.exe
6808	setup.exe
1632	setup.exe
7304	setup1.exe
7780	setup.exe
8036	setup1.exe
8640	setup.exe
8756	setup1.exe
9336	setup.exe
9452	setup1.exe
10036	setup.exe
10184	setup1.exe
10776	setup.exe
10896	MoUSO.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\2780.exe	upx
C:\Users\Admin\AppData\Local\Temp\2780.exe	upx
behavioral1/memory/101184-303-0x0000000000D40000-0x0000000001FE8000-memory.dmp	upx
behavioral1/memory/101184-805-0x0000000000D40000-0x0000000001FE8000-memory.dmp	upx
behavioral1/memory/101184-1175-0x0000000000D40000-0x0000000001FE8000-memory.dmp	upx

Checks BIOS information in registry 2 TTPs 12 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

setup1.exesetup1.exesetup1.exesetup1.exeMoUSO.exesetup1.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	setup1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	setup1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	setup1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	setup1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	setup1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	setup1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MoUSO.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	setup1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	setup1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	setup1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	setup1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MoUSO.exe

Deletes itself 1 IoCs

Processes:

pid process

2328

pid	process
2328

Identifies Wine through registry keys 2 TTPs 6 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

setup1.exesetup1.exeMoUSO.exesetup1.exesetup1.exesetup1.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Wine	setup1.exe
Key opened	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Wine	setup1.exe
Key opened	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Wine	MoUSO.exe
Key opened	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Wine	setup1.exe
Key opened	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Wine	setup1.exe
Key opened	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Wine	setup1.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

setup1.exesetup1.exesetup1.exesetup1.exesetup1.exeMoUSO.exe

pid process

7304 setup1.exe
8036 setup1.exe
8756 setup1.exe
9452 setup1.exe
10184 setup1.exe
10896 MoUSO.exe

pid	process
7304	setup1.exe
8036	setup1.exe
8756	setup1.exe
9452	setup1.exe
10184	setup1.exe
10896	MoUSO.exe

Suspicious use of SetThreadContext 8 IoCs

Processes:

FADF.exesetup.exesetup.exesetup.exesetup.exesetup.exesetup.exesetup.exe

description	pid	process	target process
PID 5016 set thread context of 100552	5016	FADF.exe	AppLaunch.exe
PID 6808 set thread context of 7040	6808	setup.exe	RegSvcs.exe
PID 1632 set thread context of 7220	1632	setup.exe	RegSvcs.exe
PID 7780 set thread context of 7832	7780	setup.exe	RegSvcs.exe
PID 8640 set thread context of 8692	8640	setup.exe	RegSvcs.exe
PID 9336 set thread context of 9388	9336	setup.exe	RegSvcs.exe
PID 10036 set thread context of 10088	10036	setup.exe	RegSvcs.exe
PID 10776 set thread context of 10828	10776	setup.exe	RegSvcs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

2799f011a46101e166a985dc8e134d658149e2ced40a1e53f276b82d1a72f9a5.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2799f011a46101e166a985dc8e134d658149e2ced40a1e53f276b82d1a72f9a5.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2799f011a46101e166a985dc8e134d658149e2ced40a1e53f276b82d1a72f9a5.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2799f011a46101e166a985dc8e134d658149e2ced40a1e53f276b82d1a72f9a5.exe

Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

7880 schtasks.exe
8512 schtasks.exe
9212 schtasks.exe
9908 schtasks.exe
10648 schtasks.exe

pid	process
7880	schtasks.exe
8512	schtasks.exe
9212	schtasks.exe
9908	schtasks.exe
10648	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2799f011a46101e166a985dc8e134d658149e2ced40a1e53f276b82d1a72f9a5.exe

pid	process
2704	2799f011a46101e166a985dc8e134d658149e2ced40a1e53f276b82d1a72f9a5.exe
2704	2799f011a46101e166a985dc8e134d658149e2ced40a1e53f276b82d1a72f9a5.exe
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2328

pid	process
2328

Suspicious behavior: MapViewOfSection 19 IoCs

Processes:

2799f011a46101e166a985dc8e134d658149e2ced40a1e53f276b82d1a72f9a5.exe

pid	process
2704	2799f011a46101e166a985dc8e134d658149e2ced40a1e53f276b82d1a72f9a5.exe
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328
2328

Suspicious use of AdjustPrivilegeToken 63 IoCs

Processes:

2F42.exeAppLaunch.exepowershell.exe

description	pid	process
Token: SeShutdownPrivilege	2328
Token: SeCreatePagefilePrivilege	2328
Token: SeShutdownPrivilege	2328
Token: SeCreatePagefilePrivilege	2328
Token: SeShutdownPrivilege	2328
Token: SeCreatePagefilePrivilege	2328
Token: SeShutdownPrivilege	2328
Token: SeCreatePagefilePrivilege	2328
Token: SeShutdownPrivilege	2328
Token: SeCreatePagefilePrivilege	2328
Token: SeShutdownPrivilege	2328
Token: SeCreatePagefilePrivilege	2328
Token: SeShutdownPrivilege	2328
Token: SeCreatePagefilePrivilege	2328
Token: SeShutdownPrivilege	2328
Token: SeCreatePagefilePrivilege	2328
Token: SeShutdownPrivilege	2328
Token: SeCreatePagefilePrivilege	2328
Token: SeShutdownPrivilege	2328
Token: SeCreatePagefilePrivilege	2328
Token: SeShutdownPrivilege	2328
Token: SeCreatePagefilePrivilege	2328
Token: SeShutdownPrivilege	2328
Token: SeCreatePagefilePrivilege	2328
Token: SeShutdownPrivilege	2328
Token: SeCreatePagefilePrivilege	2328
Token: SeShutdownPrivilege	2328
Token: SeCreatePagefilePrivilege	2328
Token: SeDebugPrivilege	101212	2F42.exe
Token: SeDebugPrivilege	100552	AppLaunch.exe
Token: SeDebugPrivilege	6736	powershell.exe
Token: SeShutdownPrivilege	2328
Token: SeCreatePagefilePrivilege	2328
Token: SeShutdownPrivilege	2328
Token: SeCreatePagefilePrivilege	2328
Token: SeShutdownPrivilege	2328
Token: SeCreatePagefilePrivilege	2328
Token: SeShutdownPrivilege	2328
Token: SeCreatePagefilePrivilege	2328
Token: SeShutdownPrivilege	2328
Token: SeCreatePagefilePrivilege	2328
Token: SeShutdownPrivilege	2328
Token: SeCreatePagefilePrivilege	2328
Token: SeShutdownPrivilege	2328
Token: SeCreatePagefilePrivilege	2328
Token: SeShutdownPrivilege	2328
Token: SeCreatePagefilePrivilege	2328
Token: SeShutdownPrivilege	2328
Token: SeCreatePagefilePrivilege	2328
Token: SeShutdownPrivilege	2328
Token: SeCreatePagefilePrivilege	2328
Token: SeShutdownPrivilege	2328
Token: SeCreatePagefilePrivilege	2328
Token: SeShutdownPrivilege	2328
Token: SeCreatePagefilePrivilege	2328
Token: SeShutdownPrivilege	2328
Token: SeCreatePagefilePrivilege	2328
Token: SeShutdownPrivilege	2328
Token: SeCreatePagefilePrivilege	2328
Token: SeShutdownPrivilege	2328
Token: SeCreatePagefilePrivilege	2328
Token: SeShutdownPrivilege	2328
Token: SeCreatePagefilePrivilege	2328

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

FADF.exe2780.exeAppLaunch.exesetup.exe

description	pid	process	target process
PID 2328 wrote to memory of 5016	2328		FADF.exe
PID 2328 wrote to memory of 5016	2328		FADF.exe
PID 2328 wrote to memory of 5016	2328		FADF.exe
PID 5016 wrote to memory of 100552	5016	FADF.exe	AppLaunch.exe
PID 5016 wrote to memory of 100552	5016	FADF.exe	AppLaunch.exe
PID 5016 wrote to memory of 100552	5016	FADF.exe	AppLaunch.exe
PID 5016 wrote to memory of 100552	5016	FADF.exe	AppLaunch.exe
PID 5016 wrote to memory of 100552	5016	FADF.exe	AppLaunch.exe
PID 2328 wrote to memory of 100588	2328		725.exe
PID 2328 wrote to memory of 100588	2328		725.exe
PID 2328 wrote to memory of 100588	2328		725.exe
PID 2328 wrote to memory of 100692	2328		AEF.exe
PID 2328 wrote to memory of 100692	2328		AEF.exe
PID 2328 wrote to memory of 100692	2328		AEF.exe
PID 2328 wrote to memory of 101184	2328		2780.exe
PID 2328 wrote to memory of 101184	2328		2780.exe
PID 2328 wrote to memory of 101212	2328		2F42.exe
PID 2328 wrote to memory of 101212	2328		2F42.exe
PID 2328 wrote to memory of 101212	2328		2F42.exe
PID 2328 wrote to memory of 1300	2328		explorer.exe
PID 2328 wrote to memory of 1300	2328		explorer.exe
PID 2328 wrote to memory of 1300	2328		explorer.exe
PID 2328 wrote to memory of 1300	2328		explorer.exe
PID 2328 wrote to memory of 3352	2328		explorer.exe
PID 2328 wrote to memory of 3352	2328		explorer.exe
PID 2328 wrote to memory of 3352	2328		explorer.exe
PID 2328 wrote to memory of 2856	2328		explorer.exe
PID 2328 wrote to memory of 2856	2328		explorer.exe
PID 2328 wrote to memory of 2856	2328		explorer.exe
PID 2328 wrote to memory of 2856	2328		explorer.exe
PID 2328 wrote to memory of 4916	2328		explorer.exe
PID 2328 wrote to memory of 4916	2328		explorer.exe
PID 2328 wrote to memory of 4916	2328		explorer.exe
PID 2328 wrote to memory of 1264	2328		explorer.exe
PID 2328 wrote to memory of 1264	2328		explorer.exe
PID 2328 wrote to memory of 1264	2328		explorer.exe
PID 2328 wrote to memory of 1264	2328		explorer.exe
PID 2328 wrote to memory of 2192	2328		explorer.exe
PID 2328 wrote to memory of 2192	2328		explorer.exe
PID 2328 wrote to memory of 2192	2328		explorer.exe
PID 2328 wrote to memory of 2192	2328		explorer.exe
PID 2328 wrote to memory of 2592	2328		explorer.exe
PID 2328 wrote to memory of 2592	2328		explorer.exe
PID 2328 wrote to memory of 2592	2328		explorer.exe
PID 2328 wrote to memory of 2592	2328		explorer.exe
PID 2328 wrote to memory of 2704	2328		explorer.exe
PID 2328 wrote to memory of 2704	2328		explorer.exe
PID 2328 wrote to memory of 2704	2328		explorer.exe
PID 2328 wrote to memory of 5244	2328		explorer.exe
PID 2328 wrote to memory of 5244	2328		explorer.exe
PID 2328 wrote to memory of 5244	2328		explorer.exe
PID 2328 wrote to memory of 5244	2328		explorer.exe
PID 101184 wrote to memory of 6736	101184	2780.exe	powershell.exe
PID 101184 wrote to memory of 6736	101184	2780.exe	powershell.exe
PID 100552 wrote to memory of 6808	100552	AppLaunch.exe	setup.exe
PID 100552 wrote to memory of 6808	100552	AppLaunch.exe	setup.exe
PID 6808 wrote to memory of 7040	6808	setup.exe	RegSvcs.exe
PID 6808 wrote to memory of 7040	6808	setup.exe	RegSvcs.exe
PID 6808 wrote to memory of 7040	6808	setup.exe	RegSvcs.exe
PID 6808 wrote to memory of 7040	6808	setup.exe	RegSvcs.exe
PID 6808 wrote to memory of 7040	6808	setup.exe	RegSvcs.exe
PID 6808 wrote to memory of 7040	6808	setup.exe	RegSvcs.exe
PID 6808 wrote to memory of 7040	6808	setup.exe	RegSvcs.exe
PID 6808 wrote to memory of 7040	6808	setup.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\2799f011a46101e166a985dc8e134d658149e2ced40a1e53f276b82d1a72f9a5.exe
"C:\Users\Admin\AppData\Local\Temp\2799f011a46101e166a985dc8e134d658149e2ced40a1e53f276b82d1a72f9a5.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2704

C:\Users\Admin\AppData\Local\Temp\FADF.exe
C:\Users\Admin\AppData\Local\Temp\FADF.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:100552

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:6808

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
4⤵
PID:7040

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1632

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
6⤵
PID:7220

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:7780

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
8⤵
PID:7832

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:8640

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
10⤵
PID:8692

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:9336

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
12⤵
PID:9388

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:10036

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
14⤵
PID:10088

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
15⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:10776

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
16⤵
PID:10828

C:\Users\Admin\AppData\Local\Temp\setup1.exe
"C:\Users\Admin\AppData\Local\Temp\setup1.exe"
13⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:10184

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN Cache-S-21-2946144819-3e21f723 /TR "C:\Users\Admin\AppData\Local\cache\MoUSO.exe"
14⤵
- Creates scheduled task(s)
PID:10648

C:\Users\Admin\AppData\Local\Temp\setup1.exe
"C:\Users\Admin\AppData\Local\Temp\setup1.exe"
11⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:9452

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN Cache-S-21-2946144819-3e21f723 /TR "C:\Users\Admin\AppData\Local\cache\MoUSO.exe"
12⤵
- Creates scheduled task(s)
PID:9908

C:\Users\Admin\AppData\Local\Temp\setup1.exe
"C:\Users\Admin\AppData\Local\Temp\setup1.exe"
9⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:8756

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN Cache-S-21-2946144819-3e21f723 /TR "C:\Users\Admin\AppData\Local\cache\MoUSO.exe"
10⤵
- Creates scheduled task(s)
PID:9212

C:\Users\Admin\AppData\Local\Temp\setup1.exe
"C:\Users\Admin\AppData\Local\Temp\setup1.exe"
7⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:8036

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN Cache-S-21-2946144819-3e21f723 /TR "C:\Users\Admin\AppData\Local\cache\MoUSO.exe"
8⤵
- Creates scheduled task(s)
PID:8512

C:\Users\Admin\AppData\Local\Temp\setup1.exe
"C:\Users\Admin\AppData\Local\Temp\setup1.exe"
5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:7304

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN Cache-S-21-2946144819-3e21f723 /TR "C:\Users\Admin\AppData\Local\cache\MoUSO.exe"
6⤵
- Creates scheduled task(s)
PID:7880

C:\Users\Admin\AppData\Local\Temp\725.exe
C:\Users\Admin\AppData\Local\Temp\725.exe
1⤵
- Executes dropped EXE
PID:100588

C:\Users\Admin\AppData\Local\Temp\AEF.exe
C:\Users\Admin\AppData\Local\Temp\AEF.exe
1⤵
- Executes dropped EXE
PID:100692

C:\Users\Admin\AppData\Local\Temp\2780.exe
C:\Users\Admin\AppData\Local\Temp\2780.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:101184

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "Get-WmiObject Win32_PortConnector"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:6736

C:\Users\Admin\AppData\Local\Temp\2F42.exe
C:\Users\Admin\AppData\Local\Temp\2F42.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:101212

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1300

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3352

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2856

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4916

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1264

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2192

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2592

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2704

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5244

C:\Users\Admin\AppData\Local\cache\MoUSO.exe
C:\Users\Admin\AppData\Local\cache\MoUSO.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:10896

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
Filesize
717B

MD5
ec8ff3b1ded0246437b1472c69dd1811

SHA1
d813e874c2524e3a7da6c466c67854ad16800326

SHA256
e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab

SHA512
e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2BC2D09D2C3B9097A22A2E8DDF9B7F10
Filesize
503B

MD5
74a55f87dbdf64ee25df9759b010c372

SHA1
263ae5ef20bbc3812ba5051c1f5c9972363655d7

SHA256
f92f87cbe32070212650ef4505aceecb1eafbe735fd819bdbee73f99a40a1971

SHA512
ca33f2d799e09d53992929e93399c2ca191452346489d57f24d1ab54d004bf840504a94f2e6bf4b7cde4e5f9cefe64e1a1fb50ae5d46231135bf54b911ea49f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
Filesize
1KB

MD5
a0a7011c3b2a4ef793e6bfc0dc5630e7

SHA1
f79074dbfa29a927dd73f97e0079b30561bf8c13

SHA256
c0f826225be1c05145fcf5092cfccd993ee41d5e259909bb844bac52c2fbb7dd

SHA512
4abc165ab0229632b83472c7088ddea38a376c0710fa54b32aed9b033d629a787e1ab7c0ce9016507698c147b954cbad2858130eec7eef28e763ce641ba98ea2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9FF67FB3141440EED32363089565AE60_B0B75E4FA8953592512F0FA436A73A4E
Filesize
279B

MD5
ae7fcf0b7eba80a97b18f2e3d85dc542

SHA1
6fb9536be9bd67bd1f9e708ce3fc027d031aca40

SHA256
cd2541e642abe192c65de4caf81d2e782300341c55528decd2ba1fa2d9a369db

SHA512
cc7bb0a1570e387f44687ed53f65a7bee00b920c3d9a632961ae6781bea6da97fbc3002723c5df3f0315c2f3be56e0e83811ff4166df1cb793c01d9720f54f42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Filesize
192B

MD5
7fabbba1f6153f4c620a690b8a79174f

SHA1
1458f7f98a07ae589dce01100c1d17ac25b43500

SHA256
ab8d3ca3eb8b1c85054e641390b619314aa280d4108a0f0bc18f7fd7d8c3a653

SHA512
65e9b41b3971e027715b8bce68ce88074d423f66fd248c09edb1fefd7e2c486aff5d9302cb3f638bb7e0cd4b0ed3311e9d29aae0918823261bd143ab62dad01e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2BC2D09D2C3B9097A22A2E8DDF9B7F10
Filesize
548B

MD5
e531f18d95b50754b899180ed0df90f7

SHA1
7e9fbcfa8bcfefcf4705f1bf5dec5f113f5044a9

SHA256
adbd5ef465cc84df354710d5bad6263be84e8e196b4d32ea4989bccbddf9d3b8

SHA512
65dfbcb6a068f5bdb5480d2d32109e23d1ebd668b6f3727237996484807122fd34382d5dad5c55e6af75d5549d13960df79187fe594974261808f85048cf277a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
Filesize
408B

MD5
324e4976af3d3de21407f7d9bce0241e

SHA1
8c74ba6c15be117fc1de643abfaebc91ba4046f2

SHA256
d4df911f31ee2f7ac7a6746124cc03c2caf12be2b31cc44c2bbb48545c934888

SHA512
e088b0b8b71a76a37c7c9217d70ce8f23fb3cc07ec03540e2e1aa70a5b9319657eae45e26503e4632c525959e6212a0e6f675a809feb23ef033de7051511f461

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9FF67FB3141440EED32363089565AE60_B0B75E4FA8953592512F0FA436A73A4E
Filesize
396B

MD5
d361511697f398ad72f8fc895099d19a

SHA1
91e05b171914e9bd12f90de0e9414336ef2a6716

SHA256
3925fd6abca8cc1edf50c5e3e6f1588959f0cbae1d8702d69ee1e13a81763ec2

SHA512
7b046321df35ba254aa2dab6b1a05e2d670d1871ae7a514016461da0f3f6421d5802de98462728047f84eb39c131017ed290caaab12aa549dd14c2f3ba947b12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1GC1WEZG\configure[1].php
Filesize
1B

MD5
26b17225b626fb9238849fd60eabdf60

SHA1
a979ef10cc6f6a36df6b8a323307ee3bb2e2db9c

SHA256
a318c24216defe206feeb73ef5be00033fa9c4a74d0b967f6532a26ca5906d3b

SHA512
603e4eaa411769b6d83a13bf2fde63289322343f8c683ff61d832201e1cf4d3e432a1d9819e327fe14da61ab65ee70dee39d4a3f88a71530bde2cae73d36710b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1GC1WEZG\configure[1].php
Filesize
5B

MD5
fda44910deb1a460be4ac5d56d61d837

SHA1
f6d0c643351580307b2eaa6a7560e76965496bc7

SHA256
933b971c6388d594a23fa1559825db5bec8ade2db1240aa8fc9d0c684949e8c9

SHA512
57dda9aa7c29f960cd7948a4e4567844d3289fa729e9e388e7f4edcbdf16bf6a94536598b4f9ff8942849f1f96bd3c00bc24a75e748a36fbf2a145f63bf904c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1GC1WEZG\configure[1].php
Filesize
1B

MD5
26b17225b626fb9238849fd60eabdf60

SHA1
a979ef10cc6f6a36df6b8a323307ee3bb2e2db9c

SHA256
a318c24216defe206feeb73ef5be00033fa9c4a74d0b967f6532a26ca5906d3b

SHA512
603e4eaa411769b6d83a13bf2fde63289322343f8c683ff61d832201e1cf4d3e432a1d9819e327fe14da61ab65ee70dee39d4a3f88a71530bde2cae73d36710b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5KFN9HPU\configure[1].php
Filesize
5B

MD5
fda44910deb1a460be4ac5d56d61d837

SHA1
f6d0c643351580307b2eaa6a7560e76965496bc7

SHA256
933b971c6388d594a23fa1559825db5bec8ade2db1240aa8fc9d0c684949e8c9

SHA512
57dda9aa7c29f960cd7948a4e4567844d3289fa729e9e388e7f4edcbdf16bf6a94536598b4f9ff8942849f1f96bd3c00bc24a75e748a36fbf2a145f63bf904c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5KFN9HPU\configure[1].php
Filesize
1B

MD5
26b17225b626fb9238849fd60eabdf60

SHA1
a979ef10cc6f6a36df6b8a323307ee3bb2e2db9c

SHA256
a318c24216defe206feeb73ef5be00033fa9c4a74d0b967f6532a26ca5906d3b

SHA512
603e4eaa411769b6d83a13bf2fde63289322343f8c683ff61d832201e1cf4d3e432a1d9819e327fe14da61ab65ee70dee39d4a3f88a71530bde2cae73d36710b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5KFN9HPU\configure[1].php
Filesize
5B

MD5
fda44910deb1a460be4ac5d56d61d837

SHA1
f6d0c643351580307b2eaa6a7560e76965496bc7

SHA256
933b971c6388d594a23fa1559825db5bec8ade2db1240aa8fc9d0c684949e8c9

SHA512
57dda9aa7c29f960cd7948a4e4567844d3289fa729e9e388e7f4edcbdf16bf6a94536598b4f9ff8942849f1f96bd3c00bc24a75e748a36fbf2a145f63bf904c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YWVOBXSF\configure[1].php
Filesize
5B

MD5
fda44910deb1a460be4ac5d56d61d837

SHA1
f6d0c643351580307b2eaa6a7560e76965496bc7

SHA256
933b971c6388d594a23fa1559825db5bec8ade2db1240aa8fc9d0c684949e8c9

SHA512
57dda9aa7c29f960cd7948a4e4567844d3289fa729e9e388e7f4edcbdf16bf6a94536598b4f9ff8942849f1f96bd3c00bc24a75e748a36fbf2a145f63bf904c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YWVOBXSF\configure[1].php
Filesize
1B

MD5
26b17225b626fb9238849fd60eabdf60

SHA1
a979ef10cc6f6a36df6b8a323307ee3bb2e2db9c

SHA256
a318c24216defe206feeb73ef5be00033fa9c4a74d0b967f6532a26ca5906d3b

SHA512
603e4eaa411769b6d83a13bf2fde63289322343f8c683ff61d832201e1cf4d3e432a1d9819e327fe14da61ab65ee70dee39d4a3f88a71530bde2cae73d36710b

Download Submit
C:\Users\Admin\AppData\Local\Temp\2780.exe
Filesize
5.1MB

MD5
45d640b4d71a4417dc0e1281a1e4b3ba

SHA1
1f83180cd8f86acf65689d554c0f03c171834a67

SHA256
78caaf3d7860d0fb05f04100968deea28e0ede31aa48456987f657bb20af908b

SHA512
3b31796ff8a6a444657fa19e965cbc455cd707f7ebded1dea1ecab51a1b24472c263da832d8de40904729572e4d18cb7abe5355eb43c4d5115a6c73473e617c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2780.exe
Filesize
5.1MB

MD5
45d640b4d71a4417dc0e1281a1e4b3ba

SHA1
1f83180cd8f86acf65689d554c0f03c171834a67

SHA256
78caaf3d7860d0fb05f04100968deea28e0ede31aa48456987f657bb20af908b

SHA512
3b31796ff8a6a444657fa19e965cbc455cd707f7ebded1dea1ecab51a1b24472c263da832d8de40904729572e4d18cb7abe5355eb43c4d5115a6c73473e617c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2F42.exe
Filesize
495KB

MD5
af8881c2d64c8388e2f11c301bbe7f95

SHA1
605163d12672e385ed797d2fced6291bff93198a

SHA256
b8779766207a8d95a61e66235379705446b34f7c66eab6a4d763321f4597eece

SHA512
901e863732287cfbeb2625d6a5733deb70d78cbf92104fb453a3a24c5e3ee37aeb99d2154eac52b2f35680d69782056057054c4cbdbaae945fd2c2677b92b835

Download Submit
C:\Users\Admin\AppData\Local\Temp\2F42.exe
Filesize
495KB

MD5
af8881c2d64c8388e2f11c301bbe7f95

SHA1
605163d12672e385ed797d2fced6291bff93198a

SHA256
b8779766207a8d95a61e66235379705446b34f7c66eab6a4d763321f4597eece

SHA512
901e863732287cfbeb2625d6a5733deb70d78cbf92104fb453a3a24c5e3ee37aeb99d2154eac52b2f35680d69782056057054c4cbdbaae945fd2c2677b92b835

Download Submit
C:\Users\Admin\AppData\Local\Temp\725.exe
Filesize
317KB

MD5
49095a94bbd575988d6878d8bc31a409

SHA1
f84457a55a5d67073b827da08a9b868021e17ff6

SHA256
07c7e4b67df083d4e0c655fa6641ac382de3ef6cc6eca02a16de60130ec262a1

SHA512
7830cf1c34659e699a0508669f712214fa07df7808b6e30d0cf2cc766fc85764907b44c10903d6ef07d1625ce67e55fde4889141b466840fcd110ef34e292f29

Download Submit
C:\Users\Admin\AppData\Local\Temp\725.exe
Filesize
317KB

MD5
49095a94bbd575988d6878d8bc31a409

SHA1
f84457a55a5d67073b827da08a9b868021e17ff6

SHA256
07c7e4b67df083d4e0c655fa6641ac382de3ef6cc6eca02a16de60130ec262a1

SHA512
7830cf1c34659e699a0508669f712214fa07df7808b6e30d0cf2cc766fc85764907b44c10903d6ef07d1625ce67e55fde4889141b466840fcd110ef34e292f29

Download Submit
C:\Users\Admin\AppData\Local\Temp\AEF.exe
Filesize
364KB

MD5
44c7a01a752ae8d0c1f7380c3f6d8f5a

SHA1
3782472ec862735fb79e4fdc809142e22e905d36

SHA256
fd3338be6aa05e44e93bb1ed931afb6721df35377d94a56c137d3e7d25cf6e5e

SHA512
6cb3ac6303251f5e145678d9f1b176ebc5f3aa877fda4004166500f3ac8b1093c3d584f04d134b5bb02f507631038cb8395726f804da7747ebb9af30c4553b4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\AEF.exe
Filesize
364KB

MD5
44c7a01a752ae8d0c1f7380c3f6d8f5a

SHA1
3782472ec862735fb79e4fdc809142e22e905d36

SHA256
fd3338be6aa05e44e93bb1ed931afb6721df35377d94a56c137d3e7d25cf6e5e

SHA512
6cb3ac6303251f5e145678d9f1b176ebc5f3aa877fda4004166500f3ac8b1093c3d584f04d134b5bb02f507631038cb8395726f804da7747ebb9af30c4553b4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\FADF.exe
Filesize
2.6MB

MD5
818c085c2526f08bc2b3a7959744428e

SHA1
7ff5628e30f7dfe3918470634b5d94f0d93a4aff

SHA256
a9f77c59dc2078baccd91603caf2a0330324dbb6f005102d1d0616dd236fe872

SHA512
ef768ba8f9df82c5a41b432963f9f0a93ff588179c10eb34baf03c3fb9c0ab4e073570beb334fd03781f073f45c6f33d3c0859e4ec8e4d21f096f86154ec5f1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\FADF.exe
Filesize
2.6MB

MD5
818c085c2526f08bc2b3a7959744428e

SHA1
7ff5628e30f7dfe3918470634b5d94f0d93a4aff

SHA256
a9f77c59dc2078baccd91603caf2a0330324dbb6f005102d1d0616dd236fe872

SHA512
ef768ba8f9df82c5a41b432963f9f0a93ff588179c10eb34baf03c3fb9c0ab4e073570beb334fd03781f073f45c6f33d3c0859e4ec8e4d21f096f86154ec5f1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe
Filesize
345KB

MD5
58d95faa5d76221e6d241dbcc5a50db9

SHA1
d268271eb2f16cc4ada2948b6952ccde926fa94a

SHA256
1ed19ad26e2f46770568a3fa1e08eba161c7e9b50900179271c2962aa67aa0c4

SHA512
1b07c493dc7a6e8bbbf76fb3cac10f5100518799d86ff66063a88e210c69f0f23422274d6c5516eb4ca8028ca159870d41801e3c5b3b70950e752d5e3d1d3903

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe
Filesize
345KB

MD5
58d95faa5d76221e6d241dbcc5a50db9

SHA1
d268271eb2f16cc4ada2948b6952ccde926fa94a

SHA256
1ed19ad26e2f46770568a3fa1e08eba161c7e9b50900179271c2962aa67aa0c4

SHA512
1b07c493dc7a6e8bbbf76fb3cac10f5100518799d86ff66063a88e210c69f0f23422274d6c5516eb4ca8028ca159870d41801e3c5b3b70950e752d5e3d1d3903

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe
Filesize
345KB

MD5
58d95faa5d76221e6d241dbcc5a50db9

SHA1
d268271eb2f16cc4ada2948b6952ccde926fa94a

SHA256
1ed19ad26e2f46770568a3fa1e08eba161c7e9b50900179271c2962aa67aa0c4

SHA512
1b07c493dc7a6e8bbbf76fb3cac10f5100518799d86ff66063a88e210c69f0f23422274d6c5516eb4ca8028ca159870d41801e3c5b3b70950e752d5e3d1d3903

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe
Filesize
345KB

MD5
58d95faa5d76221e6d241dbcc5a50db9

SHA1
d268271eb2f16cc4ada2948b6952ccde926fa94a

SHA256
1ed19ad26e2f46770568a3fa1e08eba161c7e9b50900179271c2962aa67aa0c4

SHA512
1b07c493dc7a6e8bbbf76fb3cac10f5100518799d86ff66063a88e210c69f0f23422274d6c5516eb4ca8028ca159870d41801e3c5b3b70950e752d5e3d1d3903

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe
Filesize
345KB

MD5
58d95faa5d76221e6d241dbcc5a50db9

SHA1
d268271eb2f16cc4ada2948b6952ccde926fa94a

SHA256
1ed19ad26e2f46770568a3fa1e08eba161c7e9b50900179271c2962aa67aa0c4

SHA512
1b07c493dc7a6e8bbbf76fb3cac10f5100518799d86ff66063a88e210c69f0f23422274d6c5516eb4ca8028ca159870d41801e3c5b3b70950e752d5e3d1d3903

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe
Filesize
345KB

MD5
58d95faa5d76221e6d241dbcc5a50db9

SHA1
d268271eb2f16cc4ada2948b6952ccde926fa94a

SHA256
1ed19ad26e2f46770568a3fa1e08eba161c7e9b50900179271c2962aa67aa0c4

SHA512
1b07c493dc7a6e8bbbf76fb3cac10f5100518799d86ff66063a88e210c69f0f23422274d6c5516eb4ca8028ca159870d41801e3c5b3b70950e752d5e3d1d3903

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe
Filesize
345KB

MD5
58d95faa5d76221e6d241dbcc5a50db9

SHA1
d268271eb2f16cc4ada2948b6952ccde926fa94a

SHA256
1ed19ad26e2f46770568a3fa1e08eba161c7e9b50900179271c2962aa67aa0c4

SHA512
1b07c493dc7a6e8bbbf76fb3cac10f5100518799d86ff66063a88e210c69f0f23422274d6c5516eb4ca8028ca159870d41801e3c5b3b70950e752d5e3d1d3903

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe
Filesize
345KB

MD5
58d95faa5d76221e6d241dbcc5a50db9

SHA1
d268271eb2f16cc4ada2948b6952ccde926fa94a

SHA256
1ed19ad26e2f46770568a3fa1e08eba161c7e9b50900179271c2962aa67aa0c4

SHA512
1b07c493dc7a6e8bbbf76fb3cac10f5100518799d86ff66063a88e210c69f0f23422274d6c5516eb4ca8028ca159870d41801e3c5b3b70950e752d5e3d1d3903

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup1.exe
Filesize
1.3MB

MD5
3afac3d5b79c3dd40e77cc6c244129e0

SHA1
60ca75e5db4275e4a0b9a0d4fc4a9191d1cf55e2

SHA256
035a478e8b2e17832fe01a3442629cb0402dc18242123eabce48f17ef2700bca

SHA512
e6e4b00719eae37c6fece904e692daa35780ae7291ed3f7d4b1c9a307e5d9a8daee7749128f1f584f498b4ecfc79fd19c4b7b36d3ca808f88f0c4f18bfbe534f

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup1.exe
Filesize
1.3MB

MD5
3afac3d5b79c3dd40e77cc6c244129e0

SHA1
60ca75e5db4275e4a0b9a0d4fc4a9191d1cf55e2

SHA256
035a478e8b2e17832fe01a3442629cb0402dc18242123eabce48f17ef2700bca

SHA512
e6e4b00719eae37c6fece904e692daa35780ae7291ed3f7d4b1c9a307e5d9a8daee7749128f1f584f498b4ecfc79fd19c4b7b36d3ca808f88f0c4f18bfbe534f

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup1.exe
Filesize
1.3MB

MD5
3afac3d5b79c3dd40e77cc6c244129e0

SHA1
60ca75e5db4275e4a0b9a0d4fc4a9191d1cf55e2

SHA256
035a478e8b2e17832fe01a3442629cb0402dc18242123eabce48f17ef2700bca

SHA512
e6e4b00719eae37c6fece904e692daa35780ae7291ed3f7d4b1c9a307e5d9a8daee7749128f1f584f498b4ecfc79fd19c4b7b36d3ca808f88f0c4f18bfbe534f

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup1.exe
Filesize
1.3MB

MD5
3afac3d5b79c3dd40e77cc6c244129e0

SHA1
60ca75e5db4275e4a0b9a0d4fc4a9191d1cf55e2

SHA256
035a478e8b2e17832fe01a3442629cb0402dc18242123eabce48f17ef2700bca

SHA512
e6e4b00719eae37c6fece904e692daa35780ae7291ed3f7d4b1c9a307e5d9a8daee7749128f1f584f498b4ecfc79fd19c4b7b36d3ca808f88f0c4f18bfbe534f

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup1.exe
Filesize
1.3MB

MD5
3afac3d5b79c3dd40e77cc6c244129e0

SHA1
60ca75e5db4275e4a0b9a0d4fc4a9191d1cf55e2

SHA256
035a478e8b2e17832fe01a3442629cb0402dc18242123eabce48f17ef2700bca

SHA512
e6e4b00719eae37c6fece904e692daa35780ae7291ed3f7d4b1c9a307e5d9a8daee7749128f1f584f498b4ecfc79fd19c4b7b36d3ca808f88f0c4f18bfbe534f

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup1.exe
Filesize
1.3MB

MD5
3afac3d5b79c3dd40e77cc6c244129e0

SHA1
60ca75e5db4275e4a0b9a0d4fc4a9191d1cf55e2

SHA256
035a478e8b2e17832fe01a3442629cb0402dc18242123eabce48f17ef2700bca

SHA512
e6e4b00719eae37c6fece904e692daa35780ae7291ed3f7d4b1c9a307e5d9a8daee7749128f1f584f498b4ecfc79fd19c4b7b36d3ca808f88f0c4f18bfbe534f

Download Submit
C:\Users\Admin\AppData\Local\cache\MoUSO.exe
Filesize
1.3MB

MD5
3afac3d5b79c3dd40e77cc6c244129e0

SHA1
60ca75e5db4275e4a0b9a0d4fc4a9191d1cf55e2

SHA256
035a478e8b2e17832fe01a3442629cb0402dc18242123eabce48f17ef2700bca

SHA512
e6e4b00719eae37c6fece904e692daa35780ae7291ed3f7d4b1c9a307e5d9a8daee7749128f1f584f498b4ecfc79fd19c4b7b36d3ca808f88f0c4f18bfbe534f

Download Submit
C:\Users\Admin\AppData\Local\cache\MoUSO.exe
Filesize
1.3MB

MD5
3afac3d5b79c3dd40e77cc6c244129e0

SHA1
60ca75e5db4275e4a0b9a0d4fc4a9191d1cf55e2

SHA256
035a478e8b2e17832fe01a3442629cb0402dc18242123eabce48f17ef2700bca

SHA512
e6e4b00719eae37c6fece904e692daa35780ae7291ed3f7d4b1c9a307e5d9a8daee7749128f1f584f498b4ecfc79fd19c4b7b36d3ca808f88f0c4f18bfbe534f

Download Submit
memory/1264-1177-0x0000000002F80000-0x0000000002FA2000-memory.dmp

Filesize
136KB

Download
memory/1264-745-0x0000000002F50000-0x0000000002F77000-memory.dmp

Filesize
156KB

Download
memory/1264-743-0x0000000002F80000-0x0000000002FA2000-memory.dmp

Filesize
136KB

Download
memory/1264-564-0x0000000000000000-mapping.dmp

Download
memory/1300-1143-0x0000000000590000-0x0000000000597000-memory.dmp

Filesize
28KB

Download
memory/1300-576-0x0000000000580000-0x000000000058B000-memory.dmp

Filesize
44KB

Download
memory/1300-572-0x0000000000590000-0x0000000000597000-memory.dmp

Filesize
28KB

Download
memory/1300-363-0x0000000000000000-mapping.dmp

Download
memory/1632-1181-0x0000000000000000-mapping.dmp

Download
memory/2192-620-0x0000000000000000-mapping.dmp

Download
memory/2192-754-0x0000000003290000-0x0000000003295000-memory.dmp

Filesize
20KB

Download
memory/2192-807-0x0000000003280000-0x0000000003289000-memory.dmp

Filesize
36KB

Download
memory/2192-1176-0x0000000003290000-0x0000000003295000-memory.dmp

Filesize
20KB

Download
memory/2592-671-0x0000000000000000-mapping.dmp

Download
memory/2592-810-0x0000000002F70000-0x0000000002F76000-memory.dmp

Filesize
24KB

Download
memory/2592-812-0x0000000002F60000-0x0000000002F6B000-memory.dmp

Filesize
44KB

Download
memory/2592-1179-0x0000000002F70000-0x0000000002F76000-memory.dmp

Filesize
24KB

Download
memory/2704-146-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2704-141-0x0000000000680000-0x00000000007CA000-memory.dmp

Filesize
1.3MB

Download
memory/2704-154-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2704-153-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2704-152-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2704-124-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2704-123-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2704-122-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2704-151-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2704-121-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2704-150-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2704-125-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2704-149-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2704-148-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2704-147-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2704-126-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2704-1178-0x0000000000800000-0x0000000000807000-memory.dmp

Filesize
28KB

Download
memory/2704-133-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2704-127-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2704-135-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2704-145-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2704-120-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2704-132-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2704-143-0x0000000000400000-0x0000000000586000-memory.dmp

Filesize
1.5MB

Download
memory/2704-138-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2704-131-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2704-144-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2704-128-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2704-142-0x0000000000680000-0x00000000007CA000-memory.dmp

Filesize
1.3MB

Download
memory/2704-129-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2704-130-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2704-156-0x0000000000400000-0x0000000000586000-memory.dmp

Filesize
1.5MB

Download
memory/2704-751-0x00000000005F0000-0x00000000005FD000-memory.dmp

Filesize
52KB

Download
memory/2704-137-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2704-748-0x0000000000800000-0x0000000000807000-memory.dmp

Filesize
28KB

Download
memory/2704-140-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2704-139-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2704-155-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2704-725-0x0000000000000000-mapping.dmp

Download
memory/2704-119-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2704-136-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2856-445-0x0000000000000000-mapping.dmp

Download
memory/2856-638-0x0000000002F50000-0x0000000002F59000-memory.dmp

Filesize
36KB

Download
memory/2856-635-0x0000000002F60000-0x0000000002F65000-memory.dmp

Filesize
20KB

Download
memory/2856-1173-0x0000000002F60000-0x0000000002F65000-memory.dmp

Filesize
20KB

Download
memory/3352-441-0x00000000007F0000-0x00000000007F9000-memory.dmp

Filesize
36KB

Download
memory/3352-443-0x00000000007E0000-0x00000000007EF000-memory.dmp

Filesize
60KB

Download
memory/3352-401-0x0000000000000000-mapping.dmp

Download
memory/3352-1106-0x00000000007F0000-0x00000000007F9000-memory.dmp

Filesize
36KB

Download
memory/4916-566-0x0000000000E30000-0x0000000000E36000-memory.dmp

Filesize
24KB

Download
memory/4916-568-0x0000000000E20000-0x0000000000E2C000-memory.dmp

Filesize
48KB

Download
memory/4916-507-0x0000000000000000-mapping.dmp

Download
memory/4916-1142-0x0000000000E30000-0x0000000000E36000-memory.dmp

Filesize
24KB

Download
memory/5016-162-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/5016-168-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/5016-161-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/5016-173-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/5016-163-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/5016-164-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/5016-174-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/5016-165-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/5016-167-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/5016-157-0x0000000000000000-mapping.dmp

Download
memory/5016-169-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/5016-160-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/5016-175-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/5016-170-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/5016-171-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/5016-159-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/5016-172-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/5244-849-0x0000000002F00000-0x0000000002F08000-memory.dmp

Filesize
32KB

Download
memory/5244-1180-0x0000000002F00000-0x0000000002F08000-memory.dmp

Filesize
32KB

Download
memory/5244-850-0x0000000002EF0000-0x0000000002EFB000-memory.dmp

Filesize
44KB

Download
memory/5244-778-0x0000000000000000-mapping.dmp

Download
memory/6736-1137-0x0000000000000000-mapping.dmp

Download
memory/6736-1153-0x00000159FDFE0000-0x00000159FE002000-memory.dmp

Filesize
136KB

Download
memory/6736-1156-0x00000159FEB60000-0x00000159FEBD6000-memory.dmp

Filesize
472KB

Download
memory/6808-1147-0x0000000000000000-mapping.dmp

Download
memory/7040-1195-0x0000000140000000-0x0000000140023000-memory.dmp

Filesize
140KB

Download
memory/7040-1174-0x0000000140000000-0x0000000140023000-memory.dmp

Filesize
140KB

Download
memory/7040-1169-0x0000000140003FEC-mapping.dmp

Download
memory/7220-1301-0x0000000140000000-0x0000000140023000-memory.dmp

Filesize
140KB

Download
memory/7220-1184-0x0000000140003FEC-mapping.dmp

Download
memory/7220-1187-0x0000000140000000-0x0000000140023000-memory.dmp

Filesize
140KB

Download
memory/7304-1259-0x0000000000880000-0x0000000000BF2000-memory.dmp

Filesize
3.4MB

Download
memory/7304-1221-0x0000000000880000-0x0000000000BF2000-memory.dmp

Filesize
3.4MB

Download
memory/7304-1192-0x0000000000000000-mapping.dmp

Download
memory/7304-1280-0x0000000000880000-0x0000000000BF2000-memory.dmp

Filesize
3.4MB

Download
memory/7780-1268-0x0000000000000000-mapping.dmp

Download
memory/7832-1272-0x0000000140003FEC-mapping.dmp

Download
memory/7832-1286-0x0000000140000000-0x0000000140023000-memory.dmp

Filesize
140KB

Download
memory/7880-1277-0x0000000000000000-mapping.dmp

Download
memory/8036-1298-0x0000000000000000-mapping.dmp

Download
memory/8036-1324-0x0000000000880000-0x0000000000BF2000-memory.dmp

Filesize
3.4MB

Download
memory/8036-1368-0x0000000000880000-0x0000000000BF2000-memory.dmp

Filesize
3.4MB

Download
memory/8512-1377-0x0000000000000000-mapping.dmp

Download
memory/8640-1397-0x0000000000000000-mapping.dmp

Download
memory/8692-1400-0x0000000140003FEC-mapping.dmp

Download
memory/8756-1404-0x0000000000000000-mapping.dmp

Download
memory/9212-1478-0x0000000000000000-mapping.dmp

Download
memory/9336-1498-0x0000000000000000-mapping.dmp

Download
memory/9388-1501-0x0000000140003FEC-mapping.dmp

Download
memory/9452-1505-0x0000000000000000-mapping.dmp

Download
memory/9908-1579-0x0000000000000000-mapping.dmp

Download
memory/10036-1599-0x0000000000000000-mapping.dmp

Download
memory/10088-1602-0x0000000140003FEC-mapping.dmp

Download
memory/10184-1606-0x0000000000000000-mapping.dmp

Download
memory/10648-1679-0x0000000000000000-mapping.dmp

Download
memory/10776-1699-0x0000000000000000-mapping.dmp

Download
memory/10828-1702-0x0000000140003FEC-mapping.dmp

Download
memory/100552-184-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/100552-372-0x000000000AD40000-0x000000000B26C000-memory.dmp

Filesize
5.2MB

Download
memory/100552-181-0x000000000042217E-mapping.dmp

Download
memory/100552-852-0x000000000AA10000-0x000000000AA60000-memory.dmp

Filesize
320KB

Download
memory/100552-288-0x0000000008F20000-0x0000000008F32000-memory.dmp

Filesize
72KB

Download
memory/100552-313-0x0000000009F70000-0x000000000A46E000-memory.dmp

Filesize
5.0MB

Download
memory/100552-286-0x0000000008FD0000-0x00000000090DA000-memory.dmp

Filesize
1.0MB

Download
memory/100552-292-0x00000000090E0000-0x000000000912B000-memory.dmp

Filesize
300KB

Download
memory/100552-285-0x0000000009460000-0x0000000009A66000-memory.dmp

Filesize
6.0MB

Download
memory/100552-182-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/100552-851-0x000000000A990000-0x000000000AA06000-memory.dmp

Filesize
472KB

Download
memory/100552-307-0x00000000092B0000-0x0000000009342000-memory.dmp

Filesize
584KB

Download
memory/100552-368-0x000000000A640000-0x000000000A802000-memory.dmp

Filesize
1.8MB

Download
memory/100552-176-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/100552-194-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/100552-290-0x0000000008F80000-0x0000000008FBE000-memory.dmp

Filesize
248KB

Download
memory/100552-190-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/100552-188-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/100552-321-0x00000000093C0000-0x0000000009426000-memory.dmp

Filesize
408KB

Download
memory/100552-191-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/100588-189-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/100588-186-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/100588-187-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/100588-183-0x0000000000000000-mapping.dmp

Download
memory/100588-192-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/100692-200-0x0000000000000000-mapping.dmp

Download
memory/101184-1175-0x0000000000D40000-0x0000000001FE8000-memory.dmp

Filesize
18.7MB

Download
memory/101184-303-0x0000000000D40000-0x0000000001FE8000-memory.dmp

Filesize
18.7MB

Download
memory/101184-300-0x0000000000000000-mapping.dmp

Download
memory/101184-805-0x0000000000D40000-0x0000000001FE8000-memory.dmp

Filesize
18.7MB

Download
memory/101212-369-0x0000000005050000-0x00000000050FE000-memory.dmp

Filesize
696KB

Download
memory/101212-775-0x0000000005AC0000-0x0000000005B14000-memory.dmp

Filesize
336KB

Download
memory/101212-304-0x0000000000000000-mapping.dmp

Download
memory/101212-379-0x0000000005100000-0x0000000005156000-memory.dmp

Filesize
344KB

Download
memory/101212-354-0x0000000000860000-0x00000000008E2000-memory.dmp

Filesize
520KB

Download
memory/101212-414-0x00000000051F0000-0x0000000005244000-memory.dmp

Filesize
336KB

Download
memory/101212-421-0x0000000005240000-0x000000000528C000-memory.dmp

Filesize
304KB

Download