nanocore | 28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18

Analysis

max time kernel
196s
max time network
212s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2022 12:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
Size

1.1MB
MD5

44657060c3b9aa17540d648ceebbbb5d
SHA1

23701f8f47348d54cfacfe1c879122f4a267a198
SHA256

28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18
SHA512

8d3eafc2ffb604899c1de8b597fb13885a34376e835daf698b0ac6c5be32263c8f4d8c1c29b75fa06a2cf196fe378b606d0222f21a853345b786bff480dbe967
SSDEEP

24576:Ltb20pkECqT5TBWgNQ7a5zSphZJQriY6A:I3g5tQ7a5z0hZSf5

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

savagescape.duckdns.org:58780

Mutex

92ad5adc-fa7c-4fdd-8aea-fec01e1564b7

Attributes

activate_away_mode
true
backup_connection_host
savagescape.duckdns.org
backup_dns_server
buffer_size
65535
build_time
2015-01-23T19:50:08.252449036Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
true
connect_delay
4000
connection_port
58780
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
92ad5adc-fa7c-4fdd-8aea-fec01e1564b7
mutex_timeout
5000
prevent_system_sleep
true
primary_connection_host
savagescape.duckdns.org
primary_dns_server
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe,explorer.exe"	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Executes dropped EXE 2 IoCs

Processes:

28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe

pid	process
3804	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
1460	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe

Modifies Windows Firewall 1 TTPs 3 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exenetsh.exe

pid process

2820 netsh.exe
4580 netsh.exe
3384 netsh.exe

pid	process
2820	netsh.exe
4580	netsh.exe
3384	netsh.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe"	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

RegAsm.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RegAsm.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegAsm.exe

AutoIT Executable 4 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe

description	pid	process	target process
PID 1656 set thread context of 1408	1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 22 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2112	schtasks.exe
5020	schtasks.exe
4592	schtasks.exe
2112	schtasks.exe
4896	schtasks.exe
1108	schtasks.exe
2412	schtasks.exe
3416	schtasks.exe
3040	schtasks.exe
3952	schtasks.exe
116	schtasks.exe
4820	schtasks.exe
3528	schtasks.exe
4256	schtasks.exe
1368	schtasks.exe
3272	schtasks.exe
4244	schtasks.exe
3812	schtasks.exe
4320	schtasks.exe
2172	schtasks.exe
2400	schtasks.exe
4820	schtasks.exe

NTFS ADS 3 IoCs

Processes:

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe:Zone.Identifier:$DATA	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe:Zone.Identifier:$DATA	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe:Zone.Identifier:$DATA	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe

Suspicious behavior: EnumeratesProcesses 53 IoCs

Processes:

28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exeRegAsm.exe28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe

pid	process
1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
3804	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
3804	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
1408	RegAsm.exe
1408	RegAsm.exe
1408	RegAsm.exe
1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
1460	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
1460	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

RegAsm.exe

pid process

1408 RegAsm.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegAsm.exe

description pid process

Token: SeDebugPrivilege 1408 RegAsm.exe

pid	process
1408	RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	1408	RegAsm.exe

Suspicious use of FindShellTrayWindow 9 IoCs

Processes:

pid	process
1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
3804	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
3804	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
3804	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
1460	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
1460	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
1460	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe

Suspicious use of SendNotifyMessage 9 IoCs

Processes:

pid	process
1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
3804	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
3804	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
3804	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
1460	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
1460	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
1460	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.execmd.execmd.execmd.execmd.execmd.exe28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe

description	pid	process	target process
PID 1656 wrote to memory of 4580	1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	netsh.exe
PID 1656 wrote to memory of 4580	1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	netsh.exe
PID 1656 wrote to memory of 4580	1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	netsh.exe
PID 1656 wrote to memory of 204	1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	cmd.exe
PID 1656 wrote to memory of 204	1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	cmd.exe
PID 1656 wrote to memory of 204	1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	cmd.exe
PID 1656 wrote to memory of 4820	1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	schtasks.exe
PID 1656 wrote to memory of 4820	1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	schtasks.exe
PID 1656 wrote to memory of 4820	1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	schtasks.exe
PID 204 wrote to memory of 2244	204	cmd.exe	at.exe
PID 204 wrote to memory of 2244	204	cmd.exe	at.exe
PID 204 wrote to memory of 2244	204	cmd.exe	at.exe
PID 1656 wrote to memory of 4320	1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	cmd.exe
PID 1656 wrote to memory of 4320	1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	cmd.exe
PID 1656 wrote to memory of 4320	1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	cmd.exe
PID 1656 wrote to memory of 3272	1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	schtasks.exe
PID 1656 wrote to memory of 3272	1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	schtasks.exe
PID 1656 wrote to memory of 3272	1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	schtasks.exe
PID 4320 wrote to memory of 4380	4320	cmd.exe	at.exe
PID 4320 wrote to memory of 4380	4320	cmd.exe	at.exe
PID 4320 wrote to memory of 4380	4320	cmd.exe	at.exe
PID 1656 wrote to memory of 1408	1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	RegAsm.exe
PID 1656 wrote to memory of 1408	1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	RegAsm.exe
PID 1656 wrote to memory of 1408	1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	RegAsm.exe
PID 1656 wrote to memory of 1408	1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	RegAsm.exe
PID 1656 wrote to memory of 1408	1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	RegAsm.exe
PID 1656 wrote to memory of 1408	1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	RegAsm.exe
PID 1656 wrote to memory of 1408	1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	RegAsm.exe
PID 1656 wrote to memory of 1408	1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	RegAsm.exe
PID 1656 wrote to memory of 4896	1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	cmd.exe
PID 1656 wrote to memory of 4896	1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	cmd.exe
PID 1656 wrote to memory of 4896	1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	cmd.exe
PID 1656 wrote to memory of 4244	1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	schtasks.exe
PID 1656 wrote to memory of 4244	1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	schtasks.exe
PID 1656 wrote to memory of 4244	1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	schtasks.exe
PID 4896 wrote to memory of 3820	4896	cmd.exe	at.exe
PID 4896 wrote to memory of 3820	4896	cmd.exe	at.exe
PID 4896 wrote to memory of 3820	4896	cmd.exe	at.exe
PID 1656 wrote to memory of 4348	1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	cmd.exe
PID 1656 wrote to memory of 4348	1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	cmd.exe
PID 1656 wrote to memory of 4348	1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	cmd.exe
PID 1656 wrote to memory of 3416	1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	schtasks.exe
PID 1656 wrote to memory of 3416	1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	schtasks.exe
PID 1656 wrote to memory of 3416	1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	schtasks.exe
PID 4348 wrote to memory of 4796	4348	cmd.exe	at.exe
PID 4348 wrote to memory of 4796	4348	cmd.exe	at.exe
PID 4348 wrote to memory of 4796	4348	cmd.exe	at.exe
PID 1656 wrote to memory of 448	1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	cmd.exe
PID 1656 wrote to memory of 448	1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	cmd.exe
PID 1656 wrote to memory of 448	1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	cmd.exe
PID 1656 wrote to memory of 3528	1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	schtasks.exe
PID 1656 wrote to memory of 3528	1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	schtasks.exe
PID 1656 wrote to memory of 3528	1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	schtasks.exe
PID 448 wrote to memory of 4656	448	cmd.exe	at.exe
PID 448 wrote to memory of 4656	448	cmd.exe	at.exe
PID 448 wrote to memory of 4656	448	cmd.exe	at.exe
PID 3804 wrote to memory of 3384	3804	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	netsh.exe
PID 3804 wrote to memory of 3384	3804	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	netsh.exe
PID 3804 wrote to memory of 3384	3804	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	netsh.exe
PID 1656 wrote to memory of 312	1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	cmd.exe
PID 1656 wrote to memory of 312	1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	cmd.exe
PID 1656 wrote to memory of 312	1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	cmd.exe
PID 1656 wrote to memory of 4820	1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	schtasks.exe
PID 1656 wrote to memory of 4820	1656	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
"C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1656

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe" "28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe" ENABLE
2⤵
- Modifies Windows Firewall
PID:4580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c AT \\127.0.0.1 19:17 "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:204

C:\Windows\SysWOW64\at.exe
AT \\127.0.0.1 19:17 "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe"
3⤵
PID:2244

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe" /tr "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe" /f
2⤵
- Creates scheduled task(s)
PID:4820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c AT \\127.0.0.1 19:17 "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4320

C:\Windows\SysWOW64\at.exe
AT \\127.0.0.1 19:17 "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe"
3⤵
PID:4380

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe" /tr "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe" /f
2⤵
- Creates scheduled task(s)
PID:3272

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c AT \\127.0.0.1 19:17 "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4896

C:\Windows\SysWOW64\at.exe
AT \\127.0.0.1 19:17 "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe"
3⤵
PID:3820

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe" /tr "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe" /f
2⤵
- Creates scheduled task(s)
PID:4244

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c AT \\127.0.0.1 19:17 "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4348

C:\Windows\SysWOW64\at.exe
AT \\127.0.0.1 19:17 "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe"
3⤵
PID:4796

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe" /tr "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe" /f
2⤵
- Creates scheduled task(s)
PID:3416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c AT \\127.0.0.1 19:17 "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:448

C:\Windows\SysWOW64\at.exe
AT \\127.0.0.1 19:17 "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe"
3⤵
PID:4656

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe" /tr "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe" /f
2⤵
- Creates scheduled task(s)
PID:3528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c AT \\127.0.0.1 19:18 "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe"
2⤵
PID:312

C:\Windows\SysWOW64\at.exe
AT \\127.0.0.1 19:18 "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe"
3⤵
PID:64

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe" /tr "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe" /f
2⤵
- Creates scheduled task(s)
PID:4820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c AT \\127.0.0.1 19:18 "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe"
2⤵
PID:4404

C:\Windows\SysWOW64\at.exe
AT \\127.0.0.1 19:18 "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe"
3⤵
PID:3400

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe" /tr "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe" /f
2⤵
- Creates scheduled task(s)
PID:2112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c AT \\127.0.0.1 19:18 "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe"
2⤵
PID:4456

C:\Windows\SysWOW64\at.exe
AT \\127.0.0.1 19:18 "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe"
3⤵
PID:4980

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe" /tr "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe" /f
2⤵
- Creates scheduled task(s)
PID:3040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c AT \\127.0.0.1 19:18 "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe"
2⤵
PID:3456

C:\Windows\SysWOW64\at.exe
AT \\127.0.0.1 19:18 "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe"
3⤵
PID:2872

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe" /tr "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe" /f
2⤵
- Creates scheduled task(s)
PID:3812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c AT \\127.0.0.1 19:18 "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe"
2⤵
PID:3948

C:\Windows\SysWOW64\at.exe
AT \\127.0.0.1 19:18 "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe"
3⤵
PID:4928

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe" /tr "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe" /f
2⤵
- Creates scheduled task(s)
PID:3952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c AT \\127.0.0.1 19:18 "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe"
2⤵
PID:3392

C:\Windows\SysWOW64\at.exe
AT \\127.0.0.1 19:18 "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe"
3⤵
PID:4736

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe" /tr "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe" /f
2⤵
- Creates scheduled task(s)
PID:4256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c AT \\127.0.0.1 19:18 "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe"
2⤵
PID:4660

C:\Windows\SysWOW64\at.exe
AT \\127.0.0.1 19:18 "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe"
3⤵
PID:4224

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe" /tr "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe" /f
2⤵
- Creates scheduled task(s)
PID:5020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c AT \\127.0.0.1 19:18 "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe"
2⤵
PID:4220

C:\Windows\SysWOW64\at.exe
AT \\127.0.0.1 19:18 "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe"
3⤵
PID:1904

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe" /tr "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe" /f
2⤵
- Creates scheduled task(s)
PID:116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c AT \\127.0.0.1 19:18 "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe"
2⤵
PID:3856

C:\Windows\SysWOW64\at.exe
AT \\127.0.0.1 19:18 "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe"
3⤵
PID:504

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe" /tr "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe" /f
2⤵
- Creates scheduled task(s)
PID:4592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c AT \\127.0.0.1 19:18 "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe"
2⤵
PID:5008

C:\Windows\SysWOW64\at.exe
AT \\127.0.0.1 19:18 "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe"
3⤵
PID:4828

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe" /tr "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe" /f
2⤵
- Creates scheduled task(s)
PID:4320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c AT \\127.0.0.1 19:18 "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe"
2⤵
PID:3684

C:\Windows\SysWOW64\at.exe
AT \\127.0.0.1 19:18 "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe"
3⤵
PID:3320

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe" /tr "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe" /f
2⤵
- Creates scheduled task(s)
PID:2172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c AT \\127.0.0.1 19:18 "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe"
2⤵
PID:3428

C:\Windows\SysWOW64\at.exe
AT \\127.0.0.1 19:18 "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe"
3⤵
PID:4976

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe" /tr "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe" /f
2⤵
- Creates scheduled task(s)
PID:2112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c AT \\127.0.0.1 19:19 "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe"
2⤵
PID:4876

C:\Windows\SysWOW64\at.exe
AT \\127.0.0.1 19:19 "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe"
3⤵
PID:3468

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe" /tr "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe" /f
2⤵
- Creates scheduled task(s)
PID:4896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c AT \\127.0.0.1 19:19 "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe"
2⤵
PID:4400

C:\Windows\SysWOW64\at.exe
AT \\127.0.0.1 19:19 "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe"
3⤵
PID:3272

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe" /tr "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe" /f
2⤵
- Creates scheduled task(s)
PID:1108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c AT \\127.0.0.1 19:19 "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe"
2⤵
PID:4652

C:\Windows\SysWOW64\at.exe
AT \\127.0.0.1 19:19 "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe"
3⤵
PID:4820

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe" /tr "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe" /f
2⤵
- Creates scheduled task(s)
PID:2412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c AT \\127.0.0.1 19:19 "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe"
2⤵
PID:5004

C:\Windows\SysWOW64\at.exe
AT \\127.0.0.1 19:19 "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe"
3⤵
PID:4992

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe" /tr "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe" /f
2⤵
- Creates scheduled task(s)
PID:2400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c AT \\127.0.0.1 19:19 "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe"
2⤵
PID:4164

C:\Windows\SysWOW64\at.exe
AT \\127.0.0.1 19:19 "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe"
3⤵
PID:2512

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe" /tr "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe" /f
2⤵
- Creates scheduled task(s)
PID:1368

C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3804

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe" "28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe" ENABLE
2⤵
- Modifies Windows Firewall
PID:3384

C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1460

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe" "28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe" ENABLE
2⤵
- Modifies Windows Firewall
PID:2820

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Winlogon Helper DLL

T1004

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
Filesize
1.1MB

MD5
44657060c3b9aa17540d648ceebbbb5d

SHA1
23701f8f47348d54cfacfe1c879122f4a267a198

SHA256
28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18

SHA512
8d3eafc2ffb604899c1de8b597fb13885a34376e835daf698b0ac6c5be32263c8f4d8c1c29b75fa06a2cf196fe378b606d0222f21a853345b786bff480dbe967

Download Submit
C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
Filesize
1.1MB

MD5
44657060c3b9aa17540d648ceebbbb5d

SHA1
23701f8f47348d54cfacfe1c879122f4a267a198

SHA256
28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18

SHA512
8d3eafc2ffb604899c1de8b597fb13885a34376e835daf698b0ac6c5be32263c8f4d8c1c29b75fa06a2cf196fe378b606d0222f21a853345b786bff480dbe967

Download Submit
C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
Filesize
1.1MB

MD5
44657060c3b9aa17540d648ceebbbb5d

SHA1
23701f8f47348d54cfacfe1c879122f4a267a198

SHA256
28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18

SHA512
8d3eafc2ffb604899c1de8b597fb13885a34376e835daf698b0ac6c5be32263c8f4d8c1c29b75fa06a2cf196fe378b606d0222f21a853345b786bff480dbe967

Download Submit
C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
Filesize
1.1MB

MD5
44657060c3b9aa17540d648ceebbbb5d

SHA1
23701f8f47348d54cfacfe1c879122f4a267a198

SHA256
28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18

SHA512
8d3eafc2ffb604899c1de8b597fb13885a34376e835daf698b0ac6c5be32263c8f4d8c1c29b75fa06a2cf196fe378b606d0222f21a853345b786bff480dbe967

Download Submit
\??\UNC\127.0.0.1\PIPE\atsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\UNC\127.0.0.1\PIPE\atsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\UNC\127.0.0.1\PIPE\atsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\UNC\127.0.0.1\PIPE\atsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\UNC\127.0.0.1\PIPE\atsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\UNC\127.0.0.1\PIPE\atsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\UNC\127.0.0.1\PIPE\atsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\UNC\127.0.0.1\PIPE\atsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\UNC\127.0.0.1\PIPE\atsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\UNC\127.0.0.1\PIPE\atsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\UNC\127.0.0.1\PIPE\atsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\UNC\127.0.0.1\PIPE\atsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\UNC\127.0.0.1\PIPE\atsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\UNC\127.0.0.1\PIPE\atsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\UNC\127.0.0.1\PIPE\atsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\UNC\127.0.0.1\PIPE\atsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\UNC\127.0.0.1\PIPE\atsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\UNC\127.0.0.1\PIPE\atsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/64-157-0x0000000000000000-mapping.dmp

Download
memory/116-187-0x0000000000000000-mapping.dmp

Download
memory/204-133-0x0000000000000000-mapping.dmp

Download
memory/312-155-0x0000000000000000-mapping.dmp

Download
memory/448-149-0x0000000000000000-mapping.dmp

Download
memory/504-192-0x0000000000000000-mapping.dmp

Download
memory/1108-214-0x0000000000000000-mapping.dmp

Download
memory/1408-141-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1408-161-0x0000000005270000-0x000000000530C000-memory.dmp

Filesize
624KB

Download
memory/1408-165-0x0000000005100000-0x000000000510A000-memory.dmp

Filesize
40KB

Download
memory/1408-160-0x0000000005130000-0x00000000051C2000-memory.dmp

Filesize
584KB

Download
memory/1408-159-0x00000000056E0000-0x0000000005C84000-memory.dmp

Filesize
5.6MB

Download
memory/1408-140-0x0000000000000000-mapping.dmp

Download
memory/1904-188-0x0000000000000000-mapping.dmp

Download
memory/2112-163-0x0000000000000000-mapping.dmp

Download
memory/2112-203-0x0000000000000000-mapping.dmp

Download
memory/2172-199-0x0000000000000000-mapping.dmp

Download
memory/2244-135-0x0000000000000000-mapping.dmp

Download
memory/2412-218-0x0000000000000000-mapping.dmp

Download
memory/2820-212-0x0000000000000000-mapping.dmp

Download
memory/2872-172-0x0000000000000000-mapping.dmp

Download
memory/3040-167-0x0000000000000000-mapping.dmp

Download
memory/3272-138-0x0000000000000000-mapping.dmp

Download
memory/3272-215-0x0000000000000000-mapping.dmp

Download
memory/3320-200-0x0000000000000000-mapping.dmp

Download
memory/3384-154-0x0000000000000000-mapping.dmp

Download
memory/3392-178-0x0000000000000000-mapping.dmp

Download
memory/3400-164-0x0000000000000000-mapping.dmp

Download
memory/3416-147-0x0000000000000000-mapping.dmp

Download
memory/3428-202-0x0000000000000000-mapping.dmp

Download
memory/3456-170-0x0000000000000000-mapping.dmp

Download
memory/3468-210-0x0000000000000000-mapping.dmp

Download
memory/3528-150-0x0000000000000000-mapping.dmp

Download
memory/3684-198-0x0000000000000000-mapping.dmp

Download
memory/3812-171-0x0000000000000000-mapping.dmp

Download
memory/3820-144-0x0000000000000000-mapping.dmp

Download
memory/3856-190-0x0000000000000000-mapping.dmp

Download
memory/3948-174-0x0000000000000000-mapping.dmp

Download
memory/3952-175-0x0000000000000000-mapping.dmp

Download
memory/4220-186-0x0000000000000000-mapping.dmp

Download
memory/4224-184-0x0000000000000000-mapping.dmp

Download
memory/4244-143-0x0000000000000000-mapping.dmp

Download
memory/4256-179-0x0000000000000000-mapping.dmp

Download
memory/4320-195-0x0000000000000000-mapping.dmp

Download
memory/4320-137-0x0000000000000000-mapping.dmp

Download
memory/4348-146-0x0000000000000000-mapping.dmp

Download
memory/4380-139-0x0000000000000000-mapping.dmp

Download
memory/4400-213-0x0000000000000000-mapping.dmp

Download
memory/4404-162-0x0000000000000000-mapping.dmp

Download
memory/4456-166-0x0000000000000000-mapping.dmp

Download
memory/4580-132-0x0000000000000000-mapping.dmp

Download
memory/4592-191-0x0000000000000000-mapping.dmp

Download
memory/4652-217-0x0000000000000000-mapping.dmp

Download
memory/4656-151-0x0000000000000000-mapping.dmp

Download
memory/4660-182-0x0000000000000000-mapping.dmp

Download
memory/4736-180-0x0000000000000000-mapping.dmp

Download
memory/4796-148-0x0000000000000000-mapping.dmp

Download
memory/4820-156-0x0000000000000000-mapping.dmp

Download
memory/4820-134-0x0000000000000000-mapping.dmp

Download
memory/4820-219-0x0000000000000000-mapping.dmp

Download
memory/4828-196-0x0000000000000000-mapping.dmp

Download
memory/4876-208-0x0000000000000000-mapping.dmp

Download
memory/4896-142-0x0000000000000000-mapping.dmp

Download
memory/4896-209-0x0000000000000000-mapping.dmp

Download
memory/4928-176-0x0000000000000000-mapping.dmp

Download
memory/4976-204-0x0000000000000000-mapping.dmp

Download
memory/4980-168-0x0000000000000000-mapping.dmp

Download
memory/5008-194-0x0000000000000000-mapping.dmp

Download
memory/5020-183-0x0000000000000000-mapping.dmp

Download