a487105f32b249faeef75b671cabf28dc46197974ef2317c7d83f317f21d858a

Analysis

max time kernel
224s
max time network
221s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
27-11-2022 11:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a487105f32b249faeef75b671cabf28dc46197974ef2317c7d83f317f21d858a.exe
Size

1.4MB
MD5

26578becc2ec7383cd479e255bf77c75
SHA1

a30ea96ce7c2b66b9b68a087a36b3bb064f72263
SHA256

a487105f32b249faeef75b671cabf28dc46197974ef2317c7d83f317f21d858a
SHA512

9f201cdb3dbe8d7433280dcc1e3f39bbbd82d12df847ace035716136e5955f668c2eca980c1758755740d78229646683fab4b2f6269660e1cb16bce4d71de7dd
SSDEEP

24576:Tgh8H4PjUaWJIBRZ0fw9W/gZlc/MxxrpgKrIQHPPPmU7UNkbxVhkR9U4KZjWHDm2:Uh88vRPkg3Cerp53PHn3k3jAWHyf0l

Score

8^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 28 IoCs

pid	Process
3844	B820A2.EXE
1668	B820A2.EXE
2004	B820A2.EXE
4896	B820A2.EXE
4876	B820A2.EXE
1844	B820A2.EXE
2548	B820A2.EXE
3684	B820A2.EXE
4984	B820A2.EXE
4140	B820A2.EXE
1340	B820A2.EXE
5016	B820A2.EXE
2556	B820A2.EXE
4716	B820A2.EXE
4408	B820A2.EXE
4556	B820A2.EXE
1844	B820A2.EXE
2016	explorer.exe
4580	explorer.exe
1724	B820A2.EXE
616	B820A2.EXE
4972	B820A2.EXE
1924	B820A2.EXE
216	B820A2.EXE
3728	B820A2.EXE
2200	B820A2.EXE
1584	B820A2.EXE
5132	B820A2.EXE

Loads dropped DLL 64 IoCs

pid	Process
3068	a487105f32b249faeef75b671cabf28dc46197974ef2317c7d83f317f21d858a.exe
3068	a487105f32b249faeef75b671cabf28dc46197974ef2317c7d83f317f21d858a.exe
3068	a487105f32b249faeef75b671cabf28dc46197974ef2317c7d83f317f21d858a.exe
3068	a487105f32b249faeef75b671cabf28dc46197974ef2317c7d83f317f21d858a.exe
3068	a487105f32b249faeef75b671cabf28dc46197974ef2317c7d83f317f21d858a.exe
3068	a487105f32b249faeef75b671cabf28dc46197974ef2317c7d83f317f21d858a.exe
3068	a487105f32b249faeef75b671cabf28dc46197974ef2317c7d83f317f21d858a.exe
3844	B820A2.EXE
3844	B820A2.EXE
3844	B820A2.EXE
3844	B820A2.EXE
3844	B820A2.EXE
3844	B820A2.EXE
3844	B820A2.EXE
1668	B820A2.EXE
1668	B820A2.EXE
1668	B820A2.EXE
1668	B820A2.EXE
1668	B820A2.EXE
1668	B820A2.EXE
1668	B820A2.EXE
2004	B820A2.EXE
2004	B820A2.EXE
2004	B820A2.EXE
2004	B820A2.EXE
2004	B820A2.EXE
2004	B820A2.EXE
2004	B820A2.EXE
4896	B820A2.EXE
4896	B820A2.EXE
4896	B820A2.EXE
4896	B820A2.EXE
4896	B820A2.EXE
4896	B820A2.EXE
4896	B820A2.EXE
4876	B820A2.EXE
4876	B820A2.EXE
4876	B820A2.EXE
4876	B820A2.EXE
4876	B820A2.EXE
4876	B820A2.EXE
4876	B820A2.EXE
1844	B820A2.EXE
1844	B820A2.EXE
1844	B820A2.EXE
1844	B820A2.EXE
1844	B820A2.EXE
1844	B820A2.EXE
1844	B820A2.EXE
2548	B820A2.EXE
2548	B820A2.EXE
2548	B820A2.EXE
2548	B820A2.EXE
2548	B820A2.EXE
2548	B820A2.EXE
2548	B820A2.EXE
3684	B820A2.EXE
3684	B820A2.EXE
3684	B820A2.EXE
3684	B820A2.EXE
3684	B820A2.EXE
3684	B820A2.EXE
3684	B820A2.EXE
4984	B820A2.EXE

Writes to the Master Boot Record (MBR) 1 TTPs 29 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	B820A2.EXE
File opened for modification	\??\PhysicalDrive0	B820A2.EXE
File opened for modification	\??\PhysicalDrive0	B820A2.EXE
File opened for modification	\??\PhysicalDrive0	B820A2.EXE
File opened for modification	\??\PhysicalDrive0	B820A2.EXE
File opened for modification	\??\PhysicalDrive0	B820A2.EXE
File opened for modification	\??\PhysicalDrive0	B820A2.EXE
File opened for modification	\??\PhysicalDrive0	B820A2.EXE
File opened for modification	\??\PhysicalDrive0	B820A2.EXE
File opened for modification	\??\PhysicalDrive0	B820A2.EXE
File opened for modification	\??\PhysicalDrive0	B820A2.EXE
File opened for modification	\??\PhysicalDrive0	B820A2.EXE
File opened for modification	\??\PhysicalDrive0	B820A2.EXE
File opened for modification	\??\PhysicalDrive0	explorer.exe
File opened for modification	\??\PhysicalDrive0	B820A2.EXE
File opened for modification	\??\PhysicalDrive0	B820A2.EXE
File opened for modification	\??\PhysicalDrive0	B820A2.EXE
File opened for modification	\??\PhysicalDrive0	B820A2.EXE
File opened for modification	\??\PhysicalDrive0	B820A2.EXE
File opened for modification	\??\PhysicalDrive0	B820A2.EXE
File opened for modification	\??\PhysicalDrive0	explorer.exe
File opened for modification	\??\PhysicalDrive0	B820A2.EXE
File opened for modification	\??\PhysicalDrive0	B820A2.EXE
File opened for modification	\??\PhysicalDrive0	B820A2.EXE
File opened for modification	\??\PhysicalDrive0	a487105f32b249faeef75b671cabf28dc46197974ef2317c7d83f317f21d858a.exe
File opened for modification	\??\PhysicalDrive0	B820A2.EXE
File opened for modification	\??\PhysicalDrive0	B820A2.EXE
File opened for modification	\??\PhysicalDrive0	B820A2.EXE
File opened for modification	\??\PhysicalDrive0	B820A2.EXE

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\B3A6A3\B820A2.EXE	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\B3A6A3\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\B5A29B\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\B5A29B\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\D42343\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\B3A6A3\B820A2.EXE	B820A2.EXE
File created	C:\Windows\SysWOW64\B3A6A3\B820A2.EXE	B820A2.EXE
File created	C:\Windows\SysWOW64\B3A6A3\B820A2.EXE	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\3CA4E3\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\D42343\	B820A2.EXE
File created	C:\Windows\SysWOW64\B3A6A3\B820A2.EXE	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\B3A6A3\	B820A2.EXE
File created	C:\Windows\SysWOW64\B3A6A3\B820A2.EXE	explorer.exe
File opened for modification	C:\Windows\SysWOW64\B3A6A3\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\D42343\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\3CA4E3\	explorer.exe
File opened for modification	C:\Windows\SysWOW64\B3A6A3\	B820A2.EXE
File created	C:\Windows\SysWOW64\B3A6A3\B820A2.EXE	a487105f32b249faeef75b671cabf28dc46197974ef2317c7d83f317f21d858a.exe
File opened for modification	C:\Windows\SysWOW64\3CA4E3\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\B3A6A3\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\D42343\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\B5A29B\	B820A2.EXE
File created	C:\Windows\SysWOW64\B3A6A3\B820A2.EXE	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\D42343\	B820A2.EXE
File created	C:\Windows\SysWOW64\B3A6A3\B820A2.EXE	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\B3A6A3\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\B5A29B\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\D42343\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\B3A6A3\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\3CA4E3\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\3CA4E3\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\B3A6A3\B820A2.EXE	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\B3A6A3\B820A2.EXE	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\D42343\	B820A2.EXE
File created	C:\Windows\SysWOW64\B3A6A3\B820A2.EXE	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\3CA4E3\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\B3A6A3\B820A2.EXE	B820A2.EXE
File created	C:\Windows\SysWOW64\B3A6A3\B820A2.EXE	B820A2.EXE
File created	C:\Windows\SysWOW64\B3A6A3\B820A2.EXE	B820A2.EXE
File created	C:\Windows\SysWOW64\B3A6A3\B820A2.EXE	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\3CA4E3\	B820A2.EXE
File created	C:\Windows\SysWOW64\B3A6A3\B820A2.EXE	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\B3A6A3\B820A2.EXE	explorer.exe
File opened for modification	C:\Windows\SysWOW64\3CA4E3\	explorer.exe
File opened for modification	C:\Windows\SysWOW64\D42343\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\D42343\	explorer.exe
File opened for modification	C:\Windows\SysWOW64\3CA4E3\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\D42343\	B820A2.EXE
File created	C:\Windows\SysWOW64\B3A6A3\B820A2.EXE	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\3CA4E3\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\B3A6A3\B820A2.EXE	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\B3A6A3\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\B3A6A3\B820A2.EXE	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\B5A29B\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\B3A6A3\	explorer.exe
File opened for modification	C:\Windows\SysWOW64\3CA4E3\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\B3A6A3\	explorer.exe
File opened for modification	C:\Windows\SysWOW64\B3A6A3\	B820A2.EXE
File created	C:\Windows\SysWOW64\B3A6A3\B820A2.EXE	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\3CA4E3\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\B3A6A3\B820A2.EXE	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\D42343\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\B3A6A3\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\B3A6A3\B820A2.EXE	a487105f32b249faeef75b671cabf28dc46197974ef2317c7d83f317f21d858a.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000cc0000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000cc0000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe

Suspicious behavior: AddClipboardFormatListener 27 IoCs

pid	Process
968	explorer.exe
620	explorer.exe
4264	explorer.exe
4624	explorer.exe
4304	explorer.exe
4636	explorer.exe
1012	explorer.exe
4396	explorer.exe
1240	explorer.exe
644	explorer.exe
812	explorer.exe
1144	explorer.exe
1572	explorer.exe
4336	explorer.exe
748	explorer.exe
2036	explorer.exe
2952	explorer.exe
4376	explorer.exe
1152	explorer.exe
1116	explorer.exe
4720	explorer.exe
4580	explorer.exe
1436	explorer.exe
2120	explorer.exe
2744	explorer.exe
2528	explorer.exe
5144	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
3068	a487105f32b249faeef75b671cabf28dc46197974ef2317c7d83f317f21d858a.exe
3068	a487105f32b249faeef75b671cabf28dc46197974ef2317c7d83f317f21d858a.exe
3068	a487105f32b249faeef75b671cabf28dc46197974ef2317c7d83f317f21d858a.exe
3068	a487105f32b249faeef75b671cabf28dc46197974ef2317c7d83f317f21d858a.exe
3068	a487105f32b249faeef75b671cabf28dc46197974ef2317c7d83f317f21d858a.exe
3068	a487105f32b249faeef75b671cabf28dc46197974ef2317c7d83f317f21d858a.exe
3844	B820A2.EXE
3844	B820A2.EXE
3844	B820A2.EXE
3844	B820A2.EXE
3844	B820A2.EXE
3844	B820A2.EXE
1668	B820A2.EXE
1668	B820A2.EXE
1668	B820A2.EXE
1668	B820A2.EXE
1668	B820A2.EXE
1668	B820A2.EXE
2004	B820A2.EXE
2004	B820A2.EXE
4264	explorer.exe
4264	explorer.exe
4304	explorer.exe
4304	explorer.exe
2004	B820A2.EXE
2004	B820A2.EXE
2004	B820A2.EXE
2004	B820A2.EXE
4896	B820A2.EXE
4896	B820A2.EXE
4896	B820A2.EXE
4896	B820A2.EXE
4896	B820A2.EXE
4896	B820A2.EXE
4636	explorer.exe
4636	explorer.exe
620	explorer.exe
620	explorer.exe
4876	B820A2.EXE
4876	B820A2.EXE
4876	B820A2.EXE
4876	B820A2.EXE
4876	B820A2.EXE
4876	B820A2.EXE
4624	explorer.exe
4624	explorer.exe
1844	B820A2.EXE
1844	B820A2.EXE
1844	B820A2.EXE
1844	B820A2.EXE
1844	B820A2.EXE
1844	B820A2.EXE
968	explorer.exe
968	explorer.exe
2548	B820A2.EXE
2548	B820A2.EXE
2548	B820A2.EXE
2548	B820A2.EXE
2548	B820A2.EXE
2548	B820A2.EXE
3684	B820A2.EXE
3684	B820A2.EXE
3684	B820A2.EXE
3684	B820A2.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 3684	3068	a487105f32b249faeef75b671cabf28dc46197974ef2317c7d83f317f21d858a.exe	83
PID 3068 wrote to memory of 3684	3068	a487105f32b249faeef75b671cabf28dc46197974ef2317c7d83f317f21d858a.exe	83
PID 3068 wrote to memory of 3684	3068	a487105f32b249faeef75b671cabf28dc46197974ef2317c7d83f317f21d858a.exe	83
PID 3068 wrote to memory of 3844	3068	a487105f32b249faeef75b671cabf28dc46197974ef2317c7d83f317f21d858a.exe	84
PID 3068 wrote to memory of 3844	3068	a487105f32b249faeef75b671cabf28dc46197974ef2317c7d83f317f21d858a.exe	84
PID 3068 wrote to memory of 3844	3068	a487105f32b249faeef75b671cabf28dc46197974ef2317c7d83f317f21d858a.exe	84
PID 3844 wrote to memory of 1532	3844	B820A2.EXE	85
PID 3844 wrote to memory of 1532	3844	B820A2.EXE	85
PID 3844 wrote to memory of 1532	3844	B820A2.EXE	85
PID 3844 wrote to memory of 1668	3844	B820A2.EXE	88
PID 3844 wrote to memory of 1668	3844	B820A2.EXE	88
PID 3844 wrote to memory of 1668	3844	B820A2.EXE	88
PID 1668 wrote to memory of 3556	1668	B820A2.EXE	89
PID 1668 wrote to memory of 3556	1668	B820A2.EXE	89
PID 1668 wrote to memory of 3556	1668	B820A2.EXE	89
PID 1668 wrote to memory of 2004	1668	B820A2.EXE	90
PID 1668 wrote to memory of 2004	1668	B820A2.EXE	90
PID 1668 wrote to memory of 2004	1668	B820A2.EXE	90
PID 2004 wrote to memory of 4504	2004	B820A2.EXE	92
PID 2004 wrote to memory of 4504	2004	B820A2.EXE	92
PID 2004 wrote to memory of 4504	2004	B820A2.EXE	92
PID 2004 wrote to memory of 4896	2004	B820A2.EXE	93
PID 2004 wrote to memory of 4896	2004	B820A2.EXE	93
PID 2004 wrote to memory of 4896	2004	B820A2.EXE	93
PID 4896 wrote to memory of 3628	4896	B820A2.EXE	95
PID 4896 wrote to memory of 3628	4896	B820A2.EXE	95
PID 4896 wrote to memory of 3628	4896	B820A2.EXE	95
PID 4896 wrote to memory of 4876	4896	B820A2.EXE	96
PID 4896 wrote to memory of 4876	4896	B820A2.EXE	96
PID 4896 wrote to memory of 4876	4896	B820A2.EXE	96
PID 4876 wrote to memory of 2176	4876	B820A2.EXE	100
PID 4876 wrote to memory of 2176	4876	B820A2.EXE	100
PID 4876 wrote to memory of 2176	4876	B820A2.EXE	100
PID 4876 wrote to memory of 1844	4876	B820A2.EXE	101
PID 4876 wrote to memory of 1844	4876	B820A2.EXE	101
PID 4876 wrote to memory of 1844	4876	B820A2.EXE	101
PID 1844 wrote to memory of 4968	1844	B820A2.EXE	103
PID 1844 wrote to memory of 4968	1844	B820A2.EXE	103
PID 1844 wrote to memory of 4968	1844	B820A2.EXE	103
PID 1844 wrote to memory of 2548	1844	B820A2.EXE	104
PID 1844 wrote to memory of 2548	1844	B820A2.EXE	104
PID 1844 wrote to memory of 2548	1844	B820A2.EXE	104
PID 2548 wrote to memory of 4240	2548	B820A2.EXE	106
PID 2548 wrote to memory of 4240	2548	B820A2.EXE	106
PID 2548 wrote to memory of 4240	2548	B820A2.EXE	106
PID 2548 wrote to memory of 3684	2548	B820A2.EXE	107
PID 2548 wrote to memory of 3684	2548	B820A2.EXE	107
PID 2548 wrote to memory of 3684	2548	B820A2.EXE	107
PID 3684 wrote to memory of 3176	3684	B820A2.EXE	136
PID 3684 wrote to memory of 3176	3684	B820A2.EXE	136
PID 3684 wrote to memory of 3176	3684	B820A2.EXE	136
PID 3684 wrote to memory of 4984	3684	B820A2.EXE	110
PID 3684 wrote to memory of 4984	3684	B820A2.EXE	110
PID 3684 wrote to memory of 4984	3684	B820A2.EXE	110
PID 4984 wrote to memory of 3124	4984	B820A2.EXE	112
PID 4984 wrote to memory of 3124	4984	B820A2.EXE	112
PID 4984 wrote to memory of 3124	4984	B820A2.EXE	112
PID 4984 wrote to memory of 4140	4984	B820A2.EXE	113
PID 4984 wrote to memory of 4140	4984	B820A2.EXE	113
PID 4984 wrote to memory of 4140	4984	B820A2.EXE	113
PID 4140 wrote to memory of 2244	4140	B820A2.EXE	115
PID 4140 wrote to memory of 2244	4140	B820A2.EXE	115
PID 4140 wrote to memory of 2244	4140	B820A2.EXE	115
PID 4140 wrote to memory of 1340	4140	B820A2.EXE	116

C:\Users\Admin\AppData\Local\Temp\a487105f32b249faeef75b671cabf28dc46197974ef2317c7d83f317f21d858a.exe
"C:\Users\Admin\AppData\Local\Temp\a487105f32b249faeef75b671cabf28dc46197974ef2317c7d83f317f21d858a.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Windows\SysWOW64\explorer.exe
  explorer C:\Users\Admin\AppData\Local\Temp\a487105f32b249faeef75b671cabf28dc46197974ef2317c7d83f317f21d858a
  2⤵
  PID:3684
- C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
  C:\Windows\system32\B3A6A3\B820A2.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3844
- - C:\Windows\SysWOW64\explorer.exe
    explorer C:\Windows\SysWOW64\B3A6A3\B820A2
    3⤵
    PID:1532
- - C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
    C:\Windows\system32\B3A6A3\B820A2.EXE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1668
  - - C:\Windows\SysWOW64\explorer.exe
      explorer C:\Windows\SysWOW64\B3A6A3\B820A2
      4⤵
      PID:3556
  - - C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
      C:\Windows\system32\B3A6A3\B820A2.EXE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Writes to the Master Boot Record (MBR)
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2004
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        5⤵
        
        PID:4504
    - - C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4896
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        6⤵
        
        PID:3628
      - C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4876
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        7⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1844
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        8⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2548
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        9⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3684
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        10⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4984
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        11⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        11⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4140
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        12⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        12⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        
        PID:1340
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        13⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        13⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        
        PID:5016
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        14⤵
        
        PID:220
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        14⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        
        PID:2556
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        15⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        15⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        
        PID:4716
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        16⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        16⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        
        PID:4408
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        17⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        17⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        
        PID:4556
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        18⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        18⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        
        PID:1844
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        19⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        19⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        20⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        20⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        21⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        21⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        
        PID:1724
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        22⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        22⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        
        PID:616
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        23⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        23⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        
        PID:4972
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        24⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        
        PID:2016
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        24⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        
        PID:1924
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        25⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        25⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        
        PID:216
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        26⤵
        
        PID:856
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        26⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        
        PID:3728
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        27⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        27⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        
        PID:2200
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        28⤵
        
        PID:388
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        28⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        
        PID:1584
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        29⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        29⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:5132

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4264

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4304

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4636

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:620

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4624

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:968

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:452

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
PID:1012

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
PID:4396

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
PID:1240

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
PID:644

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
PID:812

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
PID:1144

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
PID:1572

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
PID:4336

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
PID:748

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
PID:2036

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
PID:2952

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
PID:4376

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
PID:1152

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
PID:1116

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
PID:4720

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
PID:4580

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
PID:1436

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
PID:2120

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
PID:2744

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
PID:2528

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
PID:5144

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E_N4\HtmlView.fne

Filesize
212KB

MD5
477da059dc1c0970d3dd622d20f59724

SHA1
0b0ae82c26d6ebfdc6d47e98ce8a8d90352daeb5

SHA256
855c0498f51eae2607fbb79483ff91c62bdcdb9b2420c10450ef1bbf81a54b0e

SHA512
bc3179d12161017225943ee04353defcc9436119efe59a02d39ba45ee4b90531804d17bc516072bbaf9704af9632446dc52732d05c79cf5806c61b0ee8609449

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\HtmlView.fne

Filesize
212KB

MD5
477da059dc1c0970d3dd622d20f59724

SHA1
0b0ae82c26d6ebfdc6d47e98ce8a8d90352daeb5

SHA256
855c0498f51eae2607fbb79483ff91c62bdcdb9b2420c10450ef1bbf81a54b0e

SHA512
bc3179d12161017225943ee04353defcc9436119efe59a02d39ba45ee4b90531804d17bc516072bbaf9704af9632446dc52732d05c79cf5806c61b0ee8609449

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\HtmlView.fne

Filesize
212KB

MD5
477da059dc1c0970d3dd622d20f59724

SHA1
0b0ae82c26d6ebfdc6d47e98ce8a8d90352daeb5

SHA256
855c0498f51eae2607fbb79483ff91c62bdcdb9b2420c10450ef1bbf81a54b0e

SHA512
bc3179d12161017225943ee04353defcc9436119efe59a02d39ba45ee4b90531804d17bc516072bbaf9704af9632446dc52732d05c79cf5806c61b0ee8609449

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\HtmlView.fne

Filesize
212KB

MD5
477da059dc1c0970d3dd622d20f59724

SHA1
0b0ae82c26d6ebfdc6d47e98ce8a8d90352daeb5

SHA256
855c0498f51eae2607fbb79483ff91c62bdcdb9b2420c10450ef1bbf81a54b0e

SHA512
bc3179d12161017225943ee04353defcc9436119efe59a02d39ba45ee4b90531804d17bc516072bbaf9704af9632446dc52732d05c79cf5806c61b0ee8609449

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\HtmlView.fne

Filesize
212KB

MD5
477da059dc1c0970d3dd622d20f59724

SHA1
0b0ae82c26d6ebfdc6d47e98ce8a8d90352daeb5

SHA256
855c0498f51eae2607fbb79483ff91c62bdcdb9b2420c10450ef1bbf81a54b0e

SHA512
bc3179d12161017225943ee04353defcc9436119efe59a02d39ba45ee4b90531804d17bc516072bbaf9704af9632446dc52732d05c79cf5806c61b0ee8609449

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\HtmlView.fne

Filesize
212KB

MD5
477da059dc1c0970d3dd622d20f59724

SHA1
0b0ae82c26d6ebfdc6d47e98ce8a8d90352daeb5

SHA256
855c0498f51eae2607fbb79483ff91c62bdcdb9b2420c10450ef1bbf81a54b0e

SHA512
bc3179d12161017225943ee04353defcc9436119efe59a02d39ba45ee4b90531804d17bc516072bbaf9704af9632446dc52732d05c79cf5806c61b0ee8609449

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\HtmlView.fne

Filesize
212KB

MD5
477da059dc1c0970d3dd622d20f59724

SHA1
0b0ae82c26d6ebfdc6d47e98ce8a8d90352daeb5

SHA256
855c0498f51eae2607fbb79483ff91c62bdcdb9b2420c10450ef1bbf81a54b0e

SHA512
bc3179d12161017225943ee04353defcc9436119efe59a02d39ba45ee4b90531804d17bc516072bbaf9704af9632446dc52732d05c79cf5806c61b0ee8609449

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\HtmlView.fne

Filesize
212KB

MD5
477da059dc1c0970d3dd622d20f59724

SHA1
0b0ae82c26d6ebfdc6d47e98ce8a8d90352daeb5

SHA256
855c0498f51eae2607fbb79483ff91c62bdcdb9b2420c10450ef1bbf81a54b0e

SHA512
bc3179d12161017225943ee04353defcc9436119efe59a02d39ba45ee4b90531804d17bc516072bbaf9704af9632446dc52732d05c79cf5806c61b0ee8609449

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\HtmlView.fne

Filesize
212KB

MD5
477da059dc1c0970d3dd622d20f59724

SHA1
0b0ae82c26d6ebfdc6d47e98ce8a8d90352daeb5

SHA256
855c0498f51eae2607fbb79483ff91c62bdcdb9b2420c10450ef1bbf81a54b0e

SHA512
bc3179d12161017225943ee04353defcc9436119efe59a02d39ba45ee4b90531804d17bc516072bbaf9704af9632446dc52732d05c79cf5806c61b0ee8609449

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\HtmlView.fne

Filesize
212KB

MD5
477da059dc1c0970d3dd622d20f59724

SHA1
0b0ae82c26d6ebfdc6d47e98ce8a8d90352daeb5

SHA256
855c0498f51eae2607fbb79483ff91c62bdcdb9b2420c10450ef1bbf81a54b0e

SHA512
bc3179d12161017225943ee04353defcc9436119efe59a02d39ba45ee4b90531804d17bc516072bbaf9704af9632446dc52732d05c79cf5806c61b0ee8609449

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\HtmlView.fne

Filesize
212KB

MD5
477da059dc1c0970d3dd622d20f59724

SHA1
0b0ae82c26d6ebfdc6d47e98ce8a8d90352daeb5

SHA256
855c0498f51eae2607fbb79483ff91c62bdcdb9b2420c10450ef1bbf81a54b0e

SHA512
bc3179d12161017225943ee04353defcc9436119efe59a02d39ba45ee4b90531804d17bc516072bbaf9704af9632446dc52732d05c79cf5806c61b0ee8609449

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\cnvpe.fne

Filesize
60KB

MD5
e721387aabd3c5d1a0905912b684468a

SHA1
01de73b202942dd06f1dabcb9f564ff96d3664f4

SHA256
f83b27715d820e1053e0564e092f3ff66b5a9fb6d6a129b256ee08b5423c23dd

SHA512
9022bb5f6897de4447e6924e4a98be44429282ae019ed5a8418bd61fc805c169a93cee8a67e1faf735d48fbde6674b571d50e225225891f74231cc65f11e1108

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\cnvpe.fne

Filesize
60KB

MD5
e721387aabd3c5d1a0905912b684468a

SHA1
01de73b202942dd06f1dabcb9f564ff96d3664f4

SHA256
f83b27715d820e1053e0564e092f3ff66b5a9fb6d6a129b256ee08b5423c23dd

SHA512
9022bb5f6897de4447e6924e4a98be44429282ae019ed5a8418bd61fc805c169a93cee8a67e1faf735d48fbde6674b571d50e225225891f74231cc65f11e1108

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\cnvpe.fne

Filesize
60KB

MD5
e721387aabd3c5d1a0905912b684468a

SHA1
01de73b202942dd06f1dabcb9f564ff96d3664f4

SHA256
f83b27715d820e1053e0564e092f3ff66b5a9fb6d6a129b256ee08b5423c23dd

SHA512
9022bb5f6897de4447e6924e4a98be44429282ae019ed5a8418bd61fc805c169a93cee8a67e1faf735d48fbde6674b571d50e225225891f74231cc65f11e1108

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\cnvpe.fne

Filesize
60KB

MD5
e721387aabd3c5d1a0905912b684468a

SHA1
01de73b202942dd06f1dabcb9f564ff96d3664f4

SHA256
f83b27715d820e1053e0564e092f3ff66b5a9fb6d6a129b256ee08b5423c23dd

SHA512
9022bb5f6897de4447e6924e4a98be44429282ae019ed5a8418bd61fc805c169a93cee8a67e1faf735d48fbde6674b571d50e225225891f74231cc65f11e1108

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\dp1.fne

Filesize
112KB

MD5
fd5a9bf8f371582532c1ce44c8a1b684

SHA1
9b553cde044b101de17c40ad055754889010551d

SHA256
86009c4897a3c682a637ebe95760d481ea7e8bc98e2e9516d633435db2df16db

SHA512
f3587e3446631a2b6fb4c3b25a4a7f1eb01362e7c20af74f4526d9361c1c19b1b2125c72b79327372af822ba9d8478159a5003ea4ae19804c743a1b0ce69e839

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\dp1.fne

Filesize
112KB

MD5
fd5a9bf8f371582532c1ce44c8a1b684

SHA1
9b553cde044b101de17c40ad055754889010551d

SHA256
86009c4897a3c682a637ebe95760d481ea7e8bc98e2e9516d633435db2df16db

SHA512
f3587e3446631a2b6fb4c3b25a4a7f1eb01362e7c20af74f4526d9361c1c19b1b2125c72b79327372af822ba9d8478159a5003ea4ae19804c743a1b0ce69e839

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\dp1.fne

Filesize
112KB

MD5
fd5a9bf8f371582532c1ce44c8a1b684

SHA1
9b553cde044b101de17c40ad055754889010551d

SHA256
86009c4897a3c682a637ebe95760d481ea7e8bc98e2e9516d633435db2df16db

SHA512
f3587e3446631a2b6fb4c3b25a4a7f1eb01362e7c20af74f4526d9361c1c19b1b2125c72b79327372af822ba9d8478159a5003ea4ae19804c743a1b0ce69e839

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\dp1.fne

Filesize
112KB

MD5
fd5a9bf8f371582532c1ce44c8a1b684

SHA1
9b553cde044b101de17c40ad055754889010551d

SHA256
86009c4897a3c682a637ebe95760d481ea7e8bc98e2e9516d633435db2df16db

SHA512
f3587e3446631a2b6fb4c3b25a4a7f1eb01362e7c20af74f4526d9361c1c19b1b2125c72b79327372af822ba9d8478159a5003ea4ae19804c743a1b0ce69e839

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\dp1.fne

Filesize
112KB

MD5
fd5a9bf8f371582532c1ce44c8a1b684

SHA1
9b553cde044b101de17c40ad055754889010551d

SHA256
86009c4897a3c682a637ebe95760d481ea7e8bc98e2e9516d633435db2df16db

SHA512
f3587e3446631a2b6fb4c3b25a4a7f1eb01362e7c20af74f4526d9361c1c19b1b2125c72b79327372af822ba9d8478159a5003ea4ae19804c743a1b0ce69e839

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\dp1.fne

Filesize
112KB

MD5
fd5a9bf8f371582532c1ce44c8a1b684

SHA1
9b553cde044b101de17c40ad055754889010551d

SHA256
86009c4897a3c682a637ebe95760d481ea7e8bc98e2e9516d633435db2df16db

SHA512
f3587e3446631a2b6fb4c3b25a4a7f1eb01362e7c20af74f4526d9361c1c19b1b2125c72b79327372af822ba9d8478159a5003ea4ae19804c743a1b0ce69e839

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\dp1.fne

Filesize
112KB

MD5
fd5a9bf8f371582532c1ce44c8a1b684

SHA1
9b553cde044b101de17c40ad055754889010551d

SHA256
86009c4897a3c682a637ebe95760d481ea7e8bc98e2e9516d633435db2df16db

SHA512
f3587e3446631a2b6fb4c3b25a4a7f1eb01362e7c20af74f4526d9361c1c19b1b2125c72b79327372af822ba9d8478159a5003ea4ae19804c743a1b0ce69e839

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\dp1.fne

Filesize
112KB

MD5
fd5a9bf8f371582532c1ce44c8a1b684

SHA1
9b553cde044b101de17c40ad055754889010551d

SHA256
86009c4897a3c682a637ebe95760d481ea7e8bc98e2e9516d633435db2df16db

SHA512
f3587e3446631a2b6fb4c3b25a4a7f1eb01362e7c20af74f4526d9361c1c19b1b2125c72b79327372af822ba9d8478159a5003ea4ae19804c743a1b0ce69e839

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\dp1.fne

Filesize
112KB

MD5
fd5a9bf8f371582532c1ce44c8a1b684

SHA1
9b553cde044b101de17c40ad055754889010551d

SHA256
86009c4897a3c682a637ebe95760d481ea7e8bc98e2e9516d633435db2df16db

SHA512
f3587e3446631a2b6fb4c3b25a4a7f1eb01362e7c20af74f4526d9361c1c19b1b2125c72b79327372af822ba9d8478159a5003ea4ae19804c743a1b0ce69e839

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\dp1.fne

Filesize
112KB

MD5
fd5a9bf8f371582532c1ce44c8a1b684

SHA1
9b553cde044b101de17c40ad055754889010551d

SHA256
86009c4897a3c682a637ebe95760d481ea7e8bc98e2e9516d633435db2df16db

SHA512
f3587e3446631a2b6fb4c3b25a4a7f1eb01362e7c20af74f4526d9361c1c19b1b2125c72b79327372af822ba9d8478159a5003ea4ae19804c743a1b0ce69e839

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\dp1.fne

Filesize
112KB

MD5
fd5a9bf8f371582532c1ce44c8a1b684

SHA1
9b553cde044b101de17c40ad055754889010551d

SHA256
86009c4897a3c682a637ebe95760d481ea7e8bc98e2e9516d633435db2df16db

SHA512
f3587e3446631a2b6fb4c3b25a4a7f1eb01362e7c20af74f4526d9361c1c19b1b2125c72b79327372af822ba9d8478159a5003ea4ae19804c743a1b0ce69e839

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\eAPI.fne

Filesize
316KB

MD5
00dce5526087777f56811704f8560f0b

SHA1
4fdc18fb5640001beab7d47ecf5d6df4fb58a81a

SHA256
d2231c88bcdc954f6aba73df82764250d4b67cede538fca2cafbe4b0de3db23b

SHA512
38ec82d6584cc627e7657132ac7f2f527d874c8d5231b976490d80611b907dffa50fa3ba5f2d5c5eadaa25591246a48b84a8aa4a9740234cbe4df2aee2106533

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\eAPI.fne

Filesize
316KB

MD5
00dce5526087777f56811704f8560f0b

SHA1
4fdc18fb5640001beab7d47ecf5d6df4fb58a81a

SHA256
d2231c88bcdc954f6aba73df82764250d4b67cede538fca2cafbe4b0de3db23b

SHA512
38ec82d6584cc627e7657132ac7f2f527d874c8d5231b976490d80611b907dffa50fa3ba5f2d5c5eadaa25591246a48b84a8aa4a9740234cbe4df2aee2106533

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\eAPI.fne

Filesize
316KB

MD5
00dce5526087777f56811704f8560f0b

SHA1
4fdc18fb5640001beab7d47ecf5d6df4fb58a81a

SHA256
d2231c88bcdc954f6aba73df82764250d4b67cede538fca2cafbe4b0de3db23b

SHA512
38ec82d6584cc627e7657132ac7f2f527d874c8d5231b976490d80611b907dffa50fa3ba5f2d5c5eadaa25591246a48b84a8aa4a9740234cbe4df2aee2106533

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\eAPI.fne

Filesize
316KB

MD5
00dce5526087777f56811704f8560f0b

SHA1
4fdc18fb5640001beab7d47ecf5d6df4fb58a81a

SHA256
d2231c88bcdc954f6aba73df82764250d4b67cede538fca2cafbe4b0de3db23b

SHA512
38ec82d6584cc627e7657132ac7f2f527d874c8d5231b976490d80611b907dffa50fa3ba5f2d5c5eadaa25591246a48b84a8aa4a9740234cbe4df2aee2106533

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\eAPI.fne

Filesize
316KB

MD5
00dce5526087777f56811704f8560f0b

SHA1
4fdc18fb5640001beab7d47ecf5d6df4fb58a81a

SHA256
d2231c88bcdc954f6aba73df82764250d4b67cede538fca2cafbe4b0de3db23b

SHA512
38ec82d6584cc627e7657132ac7f2f527d874c8d5231b976490d80611b907dffa50fa3ba5f2d5c5eadaa25591246a48b84a8aa4a9740234cbe4df2aee2106533

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\internet.fne

Filesize
180KB

MD5
39d63de4567c1073efba0b1ad44eaecd

SHA1
cdac72ea502ac9b181a973feec7411de479e1cef

SHA256
ae97e40beb828f517bf260dd1c2dfd3a0316cdff8d666838199d631a7d2d54ba

SHA512
0bfc0d3c3b523627a431df786c3a9e8e5172cdf475475f9ac9968b039cf08dc61fb4e1134e246b7083f580b51f806c8f739e025fd04362b6c8bd220797422b4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\internet.fne

Filesize
180KB

MD5
39d63de4567c1073efba0b1ad44eaecd

SHA1
cdac72ea502ac9b181a973feec7411de479e1cef

SHA256
ae97e40beb828f517bf260dd1c2dfd3a0316cdff8d666838199d631a7d2d54ba

SHA512
0bfc0d3c3b523627a431df786c3a9e8e5172cdf475475f9ac9968b039cf08dc61fb4e1134e246b7083f580b51f806c8f739e025fd04362b6c8bd220797422b4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\internet.fne

Filesize
180KB

MD5
39d63de4567c1073efba0b1ad44eaecd

SHA1
cdac72ea502ac9b181a973feec7411de479e1cef

SHA256
ae97e40beb828f517bf260dd1c2dfd3a0316cdff8d666838199d631a7d2d54ba

SHA512
0bfc0d3c3b523627a431df786c3a9e8e5172cdf475475f9ac9968b039cf08dc61fb4e1134e246b7083f580b51f806c8f739e025fd04362b6c8bd220797422b4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\internet.fne

Filesize
180KB

MD5
39d63de4567c1073efba0b1ad44eaecd

SHA1
cdac72ea502ac9b181a973feec7411de479e1cef

SHA256
ae97e40beb828f517bf260dd1c2dfd3a0316cdff8d666838199d631a7d2d54ba

SHA512
0bfc0d3c3b523627a431df786c3a9e8e5172cdf475475f9ac9968b039cf08dc61fb4e1134e246b7083f580b51f806c8f739e025fd04362b6c8bd220797422b4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\internet.fne

Filesize
180KB

MD5
39d63de4567c1073efba0b1ad44eaecd

SHA1
cdac72ea502ac9b181a973feec7411de479e1cef

SHA256
ae97e40beb828f517bf260dd1c2dfd3a0316cdff8d666838199d631a7d2d54ba

SHA512
0bfc0d3c3b523627a431df786c3a9e8e5172cdf475475f9ac9968b039cf08dc61fb4e1134e246b7083f580b51f806c8f739e025fd04362b6c8bd220797422b4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\krnln.fnr

Filesize
1.1MB

MD5
6734469f097b651fc6cbc2013fabcfe6

SHA1
4b4300f05a1ce25775df1f7aab191ee32af2ade0

SHA256
5731d90b96e8dbaf6ebaafd0c35bb1d390831bdf6c50ddf2f627af9680b2e155

SHA512
cb194464a2e22cbdf4676ef728ed03566ce7a25d36324e11b6422fba69f306889041b00575d5f229de784049cdab8492e8f0d3ae3e5c86d09947768ab0f11701

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\krnln.fnr

Filesize
1.1MB

MD5
6734469f097b651fc6cbc2013fabcfe6

SHA1
4b4300f05a1ce25775df1f7aab191ee32af2ade0

SHA256
5731d90b96e8dbaf6ebaafd0c35bb1d390831bdf6c50ddf2f627af9680b2e155

SHA512
cb194464a2e22cbdf4676ef728ed03566ce7a25d36324e11b6422fba69f306889041b00575d5f229de784049cdab8492e8f0d3ae3e5c86d09947768ab0f11701

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\krnln.fnr

Filesize
1.1MB

MD5
6734469f097b651fc6cbc2013fabcfe6

SHA1
4b4300f05a1ce25775df1f7aab191ee32af2ade0

SHA256
5731d90b96e8dbaf6ebaafd0c35bb1d390831bdf6c50ddf2f627af9680b2e155

SHA512
cb194464a2e22cbdf4676ef728ed03566ce7a25d36324e11b6422fba69f306889041b00575d5f229de784049cdab8492e8f0d3ae3e5c86d09947768ab0f11701

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\krnln.fnr

Filesize
1.1MB

MD5
6734469f097b651fc6cbc2013fabcfe6

SHA1
4b4300f05a1ce25775df1f7aab191ee32af2ade0

SHA256
5731d90b96e8dbaf6ebaafd0c35bb1d390831bdf6c50ddf2f627af9680b2e155

SHA512
cb194464a2e22cbdf4676ef728ed03566ce7a25d36324e11b6422fba69f306889041b00575d5f229de784049cdab8492e8f0d3ae3e5c86d09947768ab0f11701

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\krnln.fnr

Filesize
1.1MB

MD5
6734469f097b651fc6cbc2013fabcfe6

SHA1
4b4300f05a1ce25775df1f7aab191ee32af2ade0

SHA256
5731d90b96e8dbaf6ebaafd0c35bb1d390831bdf6c50ddf2f627af9680b2e155

SHA512
cb194464a2e22cbdf4676ef728ed03566ce7a25d36324e11b6422fba69f306889041b00575d5f229de784049cdab8492e8f0d3ae3e5c86d09947768ab0f11701

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\krnln.fnr

Filesize
1.1MB

MD5
6734469f097b651fc6cbc2013fabcfe6

SHA1
4b4300f05a1ce25775df1f7aab191ee32af2ade0

SHA256
5731d90b96e8dbaf6ebaafd0c35bb1d390831bdf6c50ddf2f627af9680b2e155

SHA512
cb194464a2e22cbdf4676ef728ed03566ce7a25d36324e11b6422fba69f306889041b00575d5f229de784049cdab8492e8f0d3ae3e5c86d09947768ab0f11701

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\shell.fne

Filesize
40KB

MD5
d952dc1aa6c46267c1ceb9235859d503

SHA1
6c419b810b81efc2c103c689fe077fa00d7700c4

SHA256
7022bbed4f43a4ae60faa7f06ba8689684edf31d9fb306d1a4871098c59610f8

SHA512
30d97b29bac42ff8a40fdea6289d222964783e58b065aa0d693e4d457f4df1c1ee4d5860a2499ffe0773abcee5915ee18cf5dd6503c403086fb966c558a9d4bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\shell.fne

Filesize
40KB

MD5
d952dc1aa6c46267c1ceb9235859d503

SHA1
6c419b810b81efc2c103c689fe077fa00d7700c4

SHA256
7022bbed4f43a4ae60faa7f06ba8689684edf31d9fb306d1a4871098c59610f8

SHA512
30d97b29bac42ff8a40fdea6289d222964783e58b065aa0d693e4d457f4df1c1ee4d5860a2499ffe0773abcee5915ee18cf5dd6503c403086fb966c558a9d4bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\shell.fne

Filesize
40KB

MD5
d952dc1aa6c46267c1ceb9235859d503

SHA1
6c419b810b81efc2c103c689fe077fa00d7700c4

SHA256
7022bbed4f43a4ae60faa7f06ba8689684edf31d9fb306d1a4871098c59610f8

SHA512
30d97b29bac42ff8a40fdea6289d222964783e58b065aa0d693e4d457f4df1c1ee4d5860a2499ffe0773abcee5915ee18cf5dd6503c403086fb966c558a9d4bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\shell.fne

Filesize
40KB

MD5
d952dc1aa6c46267c1ceb9235859d503

SHA1
6c419b810b81efc2c103c689fe077fa00d7700c4

SHA256
7022bbed4f43a4ae60faa7f06ba8689684edf31d9fb306d1a4871098c59610f8

SHA512
30d97b29bac42ff8a40fdea6289d222964783e58b065aa0d693e4d457f4df1c1ee4d5860a2499ffe0773abcee5915ee18cf5dd6503c403086fb966c558a9d4bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\shell.fne

Filesize
40KB

MD5
d952dc1aa6c46267c1ceb9235859d503

SHA1
6c419b810b81efc2c103c689fe077fa00d7700c4

SHA256
7022bbed4f43a4ae60faa7f06ba8689684edf31d9fb306d1a4871098c59610f8

SHA512
30d97b29bac42ff8a40fdea6289d222964783e58b065aa0d693e4d457f4df1c1ee4d5860a2499ffe0773abcee5915ee18cf5dd6503c403086fb966c558a9d4bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\shell.fne

Filesize
40KB

MD5
d952dc1aa6c46267c1ceb9235859d503

SHA1
6c419b810b81efc2c103c689fe077fa00d7700c4

SHA256
7022bbed4f43a4ae60faa7f06ba8689684edf31d9fb306d1a4871098c59610f8

SHA512
30d97b29bac42ff8a40fdea6289d222964783e58b065aa0d693e4d457f4df1c1ee4d5860a2499ffe0773abcee5915ee18cf5dd6503c403086fb966c558a9d4bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\shell.fne

Filesize
40KB

MD5
d952dc1aa6c46267c1ceb9235859d503

SHA1
6c419b810b81efc2c103c689fe077fa00d7700c4

SHA256
7022bbed4f43a4ae60faa7f06ba8689684edf31d9fb306d1a4871098c59610f8

SHA512
30d97b29bac42ff8a40fdea6289d222964783e58b065aa0d693e4d457f4df1c1ee4d5860a2499ffe0773abcee5915ee18cf5dd6503c403086fb966c558a9d4bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\shell.fne

Filesize
40KB

MD5
d952dc1aa6c46267c1ceb9235859d503

SHA1
6c419b810b81efc2c103c689fe077fa00d7700c4

SHA256
7022bbed4f43a4ae60faa7f06ba8689684edf31d9fb306d1a4871098c59610f8

SHA512
30d97b29bac42ff8a40fdea6289d222964783e58b065aa0d693e4d457f4df1c1ee4d5860a2499ffe0773abcee5915ee18cf5dd6503c403086fb966c558a9d4bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\shell.fne

Filesize
40KB

MD5
d952dc1aa6c46267c1ceb9235859d503

SHA1
6c419b810b81efc2c103c689fe077fa00d7700c4

SHA256
7022bbed4f43a4ae60faa7f06ba8689684edf31d9fb306d1a4871098c59610f8

SHA512
30d97b29bac42ff8a40fdea6289d222964783e58b065aa0d693e4d457f4df1c1ee4d5860a2499ffe0773abcee5915ee18cf5dd6503c403086fb966c558a9d4bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\shell.fne

Filesize
40KB

MD5
d952dc1aa6c46267c1ceb9235859d503

SHA1
6c419b810b81efc2c103c689fe077fa00d7700c4

SHA256
7022bbed4f43a4ae60faa7f06ba8689684edf31d9fb306d1a4871098c59610f8

SHA512
30d97b29bac42ff8a40fdea6289d222964783e58b065aa0d693e4d457f4df1c1ee4d5860a2499ffe0773abcee5915ee18cf5dd6503c403086fb966c558a9d4bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\shell.fne

Filesize
40KB

MD5
d952dc1aa6c46267c1ceb9235859d503

SHA1
6c419b810b81efc2c103c689fe077fa00d7700c4

SHA256
7022bbed4f43a4ae60faa7f06ba8689684edf31d9fb306d1a4871098c59610f8

SHA512
30d97b29bac42ff8a40fdea6289d222964783e58b065aa0d693e4d457f4df1c1ee4d5860a2499ffe0773abcee5915ee18cf5dd6503c403086fb966c558a9d4bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\spec.fne

Filesize
72KB

MD5
fff84d313afc48c172045a9d3132563b

SHA1
9e58af1af78b38f3f9ebca4e66a7fcac83130c69

SHA256
0692bde3a5a97a8f1dd89d24c3747d4a156d3f27fca1ff174edb26e206d6fe69

SHA512
eb95fda88a208093ca72bfcc43297b8fd1db743710a3a1f26539540cc5caaa77a5d6ab1c7a61d71ccb5b7eae8c254d6e47e67842ad33bb847307bdaf442b297c

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\spec.fne

Filesize
72KB

MD5
fff84d313afc48c172045a9d3132563b

SHA1
9e58af1af78b38f3f9ebca4e66a7fcac83130c69

SHA256
0692bde3a5a97a8f1dd89d24c3747d4a156d3f27fca1ff174edb26e206d6fe69

SHA512
eb95fda88a208093ca72bfcc43297b8fd1db743710a3a1f26539540cc5caaa77a5d6ab1c7a61d71ccb5b7eae8c254d6e47e67842ad33bb847307bdaf442b297c

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\spec.fne

Filesize
72KB

MD5
fff84d313afc48c172045a9d3132563b

SHA1
9e58af1af78b38f3f9ebca4e66a7fcac83130c69

SHA256
0692bde3a5a97a8f1dd89d24c3747d4a156d3f27fca1ff174edb26e206d6fe69

SHA512
eb95fda88a208093ca72bfcc43297b8fd1db743710a3a1f26539540cc5caaa77a5d6ab1c7a61d71ccb5b7eae8c254d6e47e67842ad33bb847307bdaf442b297c

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\spec.fne

Filesize
72KB

MD5
fff84d313afc48c172045a9d3132563b

SHA1
9e58af1af78b38f3f9ebca4e66a7fcac83130c69

SHA256
0692bde3a5a97a8f1dd89d24c3747d4a156d3f27fca1ff174edb26e206d6fe69

SHA512
eb95fda88a208093ca72bfcc43297b8fd1db743710a3a1f26539540cc5caaa77a5d6ab1c7a61d71ccb5b7eae8c254d6e47e67842ad33bb847307bdaf442b297c

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\spec.fne

Filesize
72KB

MD5
fff84d313afc48c172045a9d3132563b

SHA1
9e58af1af78b38f3f9ebca4e66a7fcac83130c69

SHA256
0692bde3a5a97a8f1dd89d24c3747d4a156d3f27fca1ff174edb26e206d6fe69

SHA512
eb95fda88a208093ca72bfcc43297b8fd1db743710a3a1f26539540cc5caaa77a5d6ab1c7a61d71ccb5b7eae8c254d6e47e67842ad33bb847307bdaf442b297c

Download Submit
C:\Windows\SysWOW64\B3A6A3\B820A2.EXE

Filesize
1.4MB

MD5
26578becc2ec7383cd479e255bf77c75

SHA1
a30ea96ce7c2b66b9b68a087a36b3bb064f72263

SHA256
a487105f32b249faeef75b671cabf28dc46197974ef2317c7d83f317f21d858a

SHA512
9f201cdb3dbe8d7433280dcc1e3f39bbbd82d12df847ace035716136e5955f668c2eca980c1758755740d78229646683fab4b2f6269660e1cb16bce4d71de7dd

Download Submit
C:\Windows\SysWOW64\B3A6A3\B820A2.EXE

Filesize
1.4MB

MD5
26578becc2ec7383cd479e255bf77c75

SHA1
a30ea96ce7c2b66b9b68a087a36b3bb064f72263

SHA256
a487105f32b249faeef75b671cabf28dc46197974ef2317c7d83f317f21d858a

SHA512
9f201cdb3dbe8d7433280dcc1e3f39bbbd82d12df847ace035716136e5955f668c2eca980c1758755740d78229646683fab4b2f6269660e1cb16bce4d71de7dd

Download Submit
C:\Windows\SysWOW64\B3A6A3\B820A2.EXE

Filesize
1.4MB

MD5
26578becc2ec7383cd479e255bf77c75

SHA1
a30ea96ce7c2b66b9b68a087a36b3bb064f72263

SHA256
a487105f32b249faeef75b671cabf28dc46197974ef2317c7d83f317f21d858a

SHA512
9f201cdb3dbe8d7433280dcc1e3f39bbbd82d12df847ace035716136e5955f668c2eca980c1758755740d78229646683fab4b2f6269660e1cb16bce4d71de7dd

Download Submit
C:\Windows\SysWOW64\B3A6A3\B820A2.EXE

Filesize
1.4MB

MD5
26578becc2ec7383cd479e255bf77c75

SHA1
a30ea96ce7c2b66b9b68a087a36b3bb064f72263

SHA256
a487105f32b249faeef75b671cabf28dc46197974ef2317c7d83f317f21d858a

SHA512
9f201cdb3dbe8d7433280dcc1e3f39bbbd82d12df847ace035716136e5955f668c2eca980c1758755740d78229646683fab4b2f6269660e1cb16bce4d71de7dd

Download Submit
C:\Windows\SysWOW64\B3A6A3\B820A2.EXE

Filesize
1.4MB

MD5
26578becc2ec7383cd479e255bf77c75

SHA1
a30ea96ce7c2b66b9b68a087a36b3bb064f72263

SHA256
a487105f32b249faeef75b671cabf28dc46197974ef2317c7d83f317f21d858a

SHA512
9f201cdb3dbe8d7433280dcc1e3f39bbbd82d12df847ace035716136e5955f668c2eca980c1758755740d78229646683fab4b2f6269660e1cb16bce4d71de7dd

Download Submit
C:\Windows\SysWOW64\B3A6A3\B820A2.EXE

Filesize
1.4MB

MD5
26578becc2ec7383cd479e255bf77c75

SHA1
a30ea96ce7c2b66b9b68a087a36b3bb064f72263

SHA256
a487105f32b249faeef75b671cabf28dc46197974ef2317c7d83f317f21d858a

SHA512
9f201cdb3dbe8d7433280dcc1e3f39bbbd82d12df847ace035716136e5955f668c2eca980c1758755740d78229646683fab4b2f6269660e1cb16bce4d71de7dd

Download Submit
memory/216-387-0x0000000000000000-mapping.dmp

Download
memory/220-288-0x0000000000000000-mapping.dmp

Download
memory/388-411-0x0000000000000000-mapping.dmp

Download
memory/616-366-0x0000000000000000-mapping.dmp

Download
memory/856-391-0x0000000000000000-mapping.dmp

Download
memory/1116-323-0x0000000000000000-mapping.dmp

Download
memory/1340-283-0x0000000002290000-0x00000000022C8000-memory.dmp

Filesize
224KB

Download
memory/1340-281-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1340-282-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/1340-278-0x0000000000000000-mapping.dmp

Download
memory/1380-380-0x0000000000000000-mapping.dmp

Download
memory/1532-163-0x0000000000000000-mapping.dmp

Download
memory/1580-306-0x0000000000000000-mapping.dmp

Download
memory/1584-413-0x0000000000000000-mapping.dmp

Download
memory/1644-364-0x0000000000000000-mapping.dmp

Download
memory/1668-221-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/1668-167-0x0000000000000000-mapping.dmp

Download
memory/1668-197-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1668-202-0x0000000002380000-0x0000000002391000-memory.dmp

Filesize
68KB

Download
memory/1668-201-0x00000000022F0000-0x0000000002328000-memory.dmp

Filesize
224KB

Download
memory/1668-198-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/1668-203-0x0000000002400000-0x000000000241E000-memory.dmp

Filesize
120KB

Download
memory/1724-348-0x0000000000000000-mapping.dmp

Download
memory/1844-243-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1844-242-0x0000000000000000-mapping.dmp

Download
memory/1844-248-0x0000000002570000-0x0000000002581000-memory.dmp

Filesize
68KB

Download
memory/1844-245-0x00000000024A0000-0x00000000024D8000-memory.dmp

Filesize
224KB

Download
memory/1844-325-0x0000000000000000-mapping.dmp

Download
memory/1844-244-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/1844-249-0x00000000025E0000-0x00000000025FE000-memory.dmp

Filesize
120KB

Download
memory/1844-260-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/1852-279-0x0000000000000000-mapping.dmp

Download
memory/1924-374-0x0000000000000000-mapping.dmp

Download
memory/2004-226-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/2004-207-0x00000000022F0000-0x0000000002301000-memory.dmp

Filesize
68KB

Download
memory/2004-209-0x0000000002450000-0x000000000246E000-memory.dmp

Filesize
120KB

Download
memory/2004-206-0x0000000002230000-0x0000000002268000-memory.dmp

Filesize
224KB

Download
memory/2004-205-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/2004-204-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2004-183-0x0000000000000000-mapping.dmp

Download
memory/2008-414-0x0000000000000000-mapping.dmp

Download
memory/2016-328-0x0000000000000000-mapping.dmp

Download
memory/2016-373-0x0000000000000000-mapping.dmp

Download
memory/2176-241-0x0000000000000000-mapping.dmp

Download
memory/2200-406-0x0000000000000000-mapping.dmp

Download
memory/2244-276-0x0000000000000000-mapping.dmp

Download
memory/2328-405-0x0000000000000000-mapping.dmp

Download
memory/2548-269-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/2548-256-0x00000000021E0000-0x00000000021F1000-memory.dmp

Filesize
68KB

Download
memory/2548-258-0x0000000002530000-0x000000000254E000-memory.dmp

Filesize
120KB

Download
memory/2548-255-0x0000000000770000-0x00000000007A8000-memory.dmp

Filesize
224KB

Download
memory/2548-254-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/2548-253-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2548-252-0x0000000000000000-mapping.dmp

Download
memory/2556-293-0x0000000000000000-mapping.dmp

Download
memory/3068-132-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3068-199-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3068-142-0x0000000002470000-0x00000000024A8000-memory.dmp

Filesize
224KB

Download
memory/3068-143-0x0000000002510000-0x0000000002521000-memory.dmp

Filesize
68KB

Download
memory/3068-144-0x0000000002670000-0x000000000268E000-memory.dmp

Filesize
120KB

Download
memory/3068-200-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/3068-134-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/3124-271-0x0000000000000000-mapping.dmp

Download
memory/3176-327-0x0000000000000000-mapping.dmp

Download
memory/3176-261-0x0000000000000000-mapping.dmp

Download
memory/3556-182-0x0000000000000000-mapping.dmp

Download
memory/3628-230-0x0000000000000000-mapping.dmp

Download
memory/3684-265-0x0000000002420000-0x000000000243E000-memory.dmp

Filesize
120KB

Download
memory/3684-264-0x0000000002360000-0x0000000002371000-memory.dmp

Filesize
68KB

Download
memory/3684-263-0x00000000020B0000-0x00000000020E8000-memory.dmp

Filesize
224KB

Download
memory/3684-266-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3684-141-0x0000000000000000-mapping.dmp

Download
memory/3684-259-0x0000000000000000-mapping.dmp

Download
memory/3684-277-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/3684-262-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/3728-392-0x0000000000000000-mapping.dmp

Download
memory/3780-333-0x0000000000000000-mapping.dmp

Download
memory/3844-169-0x00000000026B0000-0x00000000026CE000-memory.dmp

Filesize
120KB

Download
memory/3844-166-0x0000000002120000-0x0000000002158000-memory.dmp

Filesize
224KB

Download
memory/3844-165-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/3844-168-0x0000000002200000-0x0000000002211000-memory.dmp

Filesize
68KB

Download
memory/3844-164-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3844-216-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/3844-145-0x0000000000000000-mapping.dmp

Download
memory/3868-299-0x0000000000000000-mapping.dmp

Download
memory/4140-275-0x0000000000000000-mapping.dmp

Download
memory/4240-257-0x0000000000000000-mapping.dmp

Download
memory/4328-302-0x0000000000000000-mapping.dmp

Download
memory/4408-304-0x0000000000000000-mapping.dmp

Download
memory/4504-196-0x0000000000000000-mapping.dmp

Download
memory/4556-314-0x0000000000000000-mapping.dmp

Download
memory/4580-338-0x0000000000000000-mapping.dmp

Download
memory/4716-301-0x0000000000000000-mapping.dmp

Download
memory/4724-347-0x0000000000000000-mapping.dmp

Download
memory/4820-371-0x0000000000000000-mapping.dmp

Download
memory/4876-240-0x0000000002450000-0x000000000246E000-memory.dmp

Filesize
120KB

Download
memory/4876-247-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/4876-246-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4876-233-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4876-231-0x0000000000000000-mapping.dmp

Download
memory/4876-237-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/4876-238-0x00000000005F0000-0x0000000000628000-memory.dmp

Filesize
224KB

Download
memory/4876-239-0x0000000002430000-0x0000000002441000-memory.dmp

Filesize
68KB

Download
memory/4896-224-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4896-223-0x0000000000660000-0x0000000000671000-memory.dmp

Filesize
68KB

Download
memory/4896-222-0x0000000002220000-0x0000000002258000-memory.dmp

Filesize
224KB

Download
memory/4896-250-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/4896-208-0x0000000000000000-mapping.dmp

Download
memory/4896-225-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/4896-229-0x0000000002260000-0x000000000227E000-memory.dmp

Filesize
120KB

Download
memory/4968-251-0x0000000000000000-mapping.dmp

Download
memory/4972-372-0x0000000000000000-mapping.dmp

Download
memory/4984-272-0x0000000000550000-0x0000000000588000-memory.dmp

Filesize
224KB

Download
memory/4984-268-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4984-274-0x0000000002410000-0x000000000242E000-memory.dmp

Filesize
120KB

Download
memory/4984-273-0x0000000002350000-0x0000000002361000-memory.dmp

Filesize
68KB

Download
memory/4984-270-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/4984-267-0x0000000000000000-mapping.dmp

Download
memory/5016-280-0x0000000000000000-mapping.dmp

Download
memory/5132-415-0x0000000000000000-mapping.dmp

Download