7bcd4ec18fc4a56db30e0aaebd44e2988f98f7b5d8c14f6689f650b4f11e16c0

Analysis

max time kernel
427s
max time network
424s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
05/01/2023, 03:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IsaacWiper.dll
Size

219KB
MD5

6c10466ad7c153e7f949fa3c6600b6ac
SHA1

5d009f79383a81622eefd8b183efb23fbf96a62f
SHA256

7bcd4ec18fc4a56db30e0aaebd44e2988f98f7b5d8c14f6689f650b4f11e16c0
SHA512

54a7565a2ce2030b4b865835e13e2de6b7b5bb8f171e7d9db28c3fd1de8d98b7072f50effeb5d15a6ca66a2ff309cbe9b7732154f4a2855ad20c79803f0df33e
SSDEEP

6144:pjU6yx1p7lvER8SPD/xzL0ruSSbAOfyVM:Ju1pZvPuDF0ruSSbkVM

Score

8^/10

bootkit persistence ransomware spyware stealer

Malware Config

Signatures

Drops file in Drivers directory 36 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\ndiscap.sys.mui	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\TmfB495.tmp	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\ndiscap.sys.mui	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\wfplwfs.sys.mui	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\TmfB495.tmp	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\TmfC435.tmp	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\TmfC435.tmp	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\NdisImPlatform.sys.mui	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\NdisImPlatform.sys.mui	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\TmfB476.tmp	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\wfplwfs.sys.mui	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\TmfC435.tmp	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\ndiscap.sys.mui	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\afunix.sys	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\NdisImPlatform.sys.mui	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\wfplwfs.sys.mui	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\NdisImPlatform.sys.mui	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\ndiscap.sys.mui	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\TmfB476.tmp	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\wfplwfs.sys.mui	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\TmfC435.tmp	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\TmfB476.tmp	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\wfplwfs.sys.mui	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\wfplwfs.sys.mui	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\TmfC435.tmp	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\TmfC435.tmp	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\TmfB476.tmp	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gm.dls	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\NdisImPlatform.sys.mui	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\TmfB476.tmp	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\TmfC435.tmp	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\TmfB476.tmp	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\NdisImPlatform.sys.mui	rundll32.exe

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\MergeDisable.tiff	rundll32.exe

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-fontext_31bf3856ad364e35_10.0.19041.1_none_5476a60692fad199\desktop.ini	rundll32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..32-kf-commondesktop_31bf3856ad364e35_10.0.19041.1_none_a81a33274fb1b624\desktop.ini	rundll32.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-4246620582-653642754-1174164128-1000\desktop.ini	rundll32.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	rundll32.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	rundll32.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	rundll32.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	rundll32.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	rundll32.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	rundll32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-publiclibraries_31bf3856ad364e35_10.0.19041.1_none_cbd9ad4986c925d5\desktop.ini	rundll32.exe
File opened for modification	C:\Program Files\desktop.ini	rundll32.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	rundll32.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	rundll32.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	rundll32.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	rundll32.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	rundll32.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	rundll32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-ie-offlinefavorites_31bf3856ad364e35_11.0.19041.1_none_4b0e6b545bf0f4e7\desktop.ini	rundll32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-shell32-kf-public_31bf3856ad364e35_10.0.19041.1_none_0cf1a65e91dfb2be\desktop.ini	rundll32.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	rundll32.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	rundll32.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	rundll32.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	rundll32.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	rundll32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-commondownloads_31bf3856ad364e35_10.0.19041.1_none_a914e3e3f19ceda1\desktop.ini	rundll32.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	rundll32.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	rundll32.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	rundll32.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	rundll32.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	rundll32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-shell-sounds_31bf3856ad364e35_10.0.19041.1_none_cd0389b654e71da2\Desktop.ini	rundll32.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	rundll32.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	rundll32.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	rundll32.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	rundll32.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	rundll32.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	rundll32.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	rundll32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..ini-systemtoolsuser_31bf3856ad364e35_10.0.19041.1_none_d69cbb4282e4fe2c\Desktop.ini	rundll32.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini	rundll32.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	rundll32.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	rundll32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..2-kf-commonpictures_31bf3856ad364e35_10.0.19041.1_none_36436b821c9e7209\desktop.ini	rundll32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..i-accessibilityuser_31bf3856ad364e35_10.0.19041.1_none_19358785a81a86d6\Desktop.ini	rundll32.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	rundll32.exe
File opened for modification	C:\Users\Public\desktop.ini	rundll32.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	rundll32.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	rundll32.exe
File opened for modification	C:\Windows\Fonts\desktop.ini	rundll32.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	rundll32.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	rundll32.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	rundll32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..l32-kf-userprofiles_31bf3856ad364e35_10.0.19041.1_none_39d6d106c6f70bec\desktop.ini	rundll32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..sktopini-sendtouser_31bf3856ad364e35_10.0.19041.1_none_be359f0533764571\Desktop.ini	rundll32.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	rundll32.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	rundll32.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	rundll32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-shell-wallpaper-theme1_31bf3856ad364e35_10.0.19041.1_none_8ccb1090444b78d3\Desktop.ini	rundll32.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	rundll32.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	rundll32.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	rundll32.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	rundll32.exe
File opened for modification	C:\Windows\Web\Wallpaper\Theme1\Desktop.ini	rundll32.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	rundll32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	rundll32.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf	rundll32.exe
File opened for modification	C:\Windows\WinSxS\x86_microsoft-windows-s..ccessagent-binaries_31bf3856ad364e35_10.0.19041.1_none_3802d0d85b60df4c\autorun.inf	rundll32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0111~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat	rundll32.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-DataCenterBridging-Opt-WOW64-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat	rundll32.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-NetFx3-OnDemand-Package~31bf3856ad364e35~amd64~fr-FR~10.0.19041.1.cat	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\D3D12Core.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Security\TmfC704.tmp	rundll32.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netwtw06.inf_amd64_2edd50e7a54d503b\IntelWifiIhv06.dll	rundll32.exe
File opened for modification	C:\Windows\System32\DriverStore\ja-JP\nvraid.inf_loc	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\UserDeviceRegistration.dll.mui	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\KBDUSR.DLL	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\wbem\es-ES\netttcim_uninstall.mfl	rundll32.exe
File opened for modification	C:\Windows\System32\DriverStore\de-DE\NETwtw04.inf_loc	rundll32.exe
File opened for modification	C:\Windows\System32\DriverStore\es-ES\megasas35i.inf_loc	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\Startupscan.dll.mui	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\syncutil.dll	rundll32.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0110~31bf3856ad364e35~amd64~en-US~10.0.19041.1266.cat	rundll32.exe
File opened for modification	C:\Windows\System32\DriverStore\es-ES\acpitime.inf_loc	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\MSAC3ENC.DLL	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\spp\tokens\skus\csvlk-pack\csvlk-pack-Volume-CSVLK-3-ul-phn-rtm.xrm-ms	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_RoleResource\ja-JP\MSFT_RoleResourceStrings.psd1	rundll32.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Media-Format-Package~31bf3856ad364e35~amd64~~10.0.19041.1202.cat	rundll32.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\wfcvsc.inf_loc	rundll32.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmmcd.inf_amd64_43b149b35876b241\TmfB66A.tmp	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\more.com	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\wbem\en-US\wininit.mfl	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\wbem\fr-FR\vsswmi.dll.mui	rundll32.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\c_smartcardreader.inf_amd64_33a0db63c0afb351\c_smartcardreader.inf	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\hgcpl.dll.mui	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\jscript9.dll.mui	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\syssetup.dll	rundll32.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-TerminalServices-Publishing-WMIProvider-Package~31bf3856ad364e35~amd64~fr-FR~10.0.19041.1.cat	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\Dism\it-IT\UnattendProvider.dll.mui	rundll32.exe
File opened for modification	C:\Windows\System32\DriverStore\es-ES\mrvlpcie8897.inf_loc	rundll32.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\basicrender.inf_amd64_df49c4daa6251397\BasicRender.sys	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\rasgcw.dll.mui	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\TmfBB5C.tmp	rundll32.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-TabShellExperience-Package~31bf3856ad364e35~amd64~fr-FR~10.0.19041.1.cat	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\Configuration\Schema\MSFT_FileDirectoryConfiguration\en-US\MSFT_FileDirectoryConfiguration.Schema.mfl	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\rpcnsh.dll.mui	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\es-MX\comctl32.dll.mui	rundll32.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\urssynopsys.inf_amd64_057fa37902020500\urssynopsys.sys	rundll32.exe
File opened for modification	C:\Windows\System32\DriverStore\ja-JP\wvmgid.inf_loc	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\wbem\it-IT\cliegaliases.mfl	rundll32.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Holographic-Desktop-Merged-Package~31bf3856ad364e35~amd64~~10.0.19041.264.cat	rundll32.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-MSMQ-MMC-OptGroup-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\Com\en-US\comrepl.exe.mui	rundll32.exe
File opened for modification	C:\Windows\System32\DriverStore\es-ES\NETwtw04.inf_loc	rundll32.exe
File opened for modification	C:\Windows\System32\DriverStore\de-DE\basicdisplay.inf_loc	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\netshell.dll.mui	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\wbem\es\TmfBDDC.tmp	rundll32.exe
File opened for modification	C:\Windows\System32\DriverStore\es-ES\AMDSBS.inf_loc	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\tasklist.exe.mui	rundll32.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Host-Guardian-Deployment-merged-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\PresentationHostProxy.dll	rundll32.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package04~31bf3856ad364e35~amd64~~10.0.19041.1151.cat	rundll32.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-RDC-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\en-US\rastlsext.dll.mui	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\windows.storage.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ScriptResource\en-US\TmfBFD0.tmp	rundll32.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package01~31bf3856ad364e35~amd64~~10.0.19041.1288.cat	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\edputil.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\en-US\tapisrv.dll.mui	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\Windows.Security.Authentication.Web.Core.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\NapiNSP.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\ro-RO\comctl32.dll.mui	rundll32.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_OEM_Perp-ppd.xrm-ms	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\LEELAWAD.TTF	rundll32.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-black\SmallTile.scale-125.png	rundll32.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\en-us\hxoutlookintl.dll	rundll32.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-256_contrast-white.png	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\README.HTM	rundll32.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageLargeTile.scale-200.png	rundll32.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-40_altform-lightunplated.png	rundll32.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlarmsStoreLogo.contrast-white_scale-100.png	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_MAKC2R-ul-phn.xrm-ms	rundll32.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\7739_36x36x32.png	rundll32.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeBridge\Tmf7FA0.tmp	rundll32.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\models\en-GB.mail.config	rundll32.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubSmallTile.scale-200.png	rundll32.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Tmf8935.tmp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_pl_135x40.svg	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Grace-ul-oob.xrm-ms	rundll32.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\27.jpg	rundll32.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_2019.125.2243.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	rundll32.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MixedRealityPortalAppList.targetsize-16_altform-unplated.png	rundll32.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailBadge.scale-200.png	rundll32.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\BadgeLogo.scale-200_contrast-black.png	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest2-ppd.xrm-ms	rundll32.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Services.dll	rundll32.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Tmf762A.tmp	rundll32.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\TimerMedTile.contrast-black_scale-200.png	rundll32.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-80.png	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-output2_ja.jar	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-uisupport.xml	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.AnalysisServices.AdomdClientUI.dll	rundll32.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-125_8wekyb3d8bbwe\Win10\MicrosoftSolitaireAppList.scale-125.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\tr-tr\ui-strings.js	rundll32.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.Targets	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PIXEL\PIXEL.INF	rundll32.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\EppManifest.dll.mui	rundll32.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-48.png	rundll32.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.targetsize-32_altform-unplated.png	rundll32.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\InsiderHubSmallTile.scale-100_contrast-white.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\pl.pak.DATA	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-openide-execution.jar	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\AccessRuntime2019_eula.txt	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ca\msipc.dll.mui	rundll32.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.workbench.nl_ja_4.4.0.v20140623020002.jar	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Glow Edge.eftx	rundll32.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\AppxManifest.xml	rundll32.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-80.png	rundll32.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarSmallTile.scale-150.png	rundll32.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\LinkedInboxLargeTile.scale-400.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\ShouldNotBe.snippets.ps1xml	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\trusted.libraries	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_KMS_Client-ppd.xrm-ms	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\System\ole db\xmlrw.dll	rundll32.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\Background_RoomTracing_Success.jpg	rundll32.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\ja-JP\PSGet.Resource.psd1	rundll32.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-256_altform-unplated_contrast-white.png	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-core.xml	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-ppd.xrm-ms	rundll32.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_Marble.dxt	rundll32.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNewNoteSmallTile.scale-400.png	rundll32.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-black\Tmf8760.tmp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.171.37\msedgeupdateres_gl.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\2.0.1\Diagnostics\Simple\TmfD570.tmp	rundll32.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\en-US\about_should.help.txt	rundll32.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-lpkinstall_31bf3856ad364e35_10.0.19041.746_none_e72c4ffca9db7315.manifest	rundll32.exe
File opened for modification	C:\Windows\Resources\Themes\aero\fr-FR\aerolite.msstyles.mui	rundll32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-b..xthandler.resources_31bf3856ad364e35_10.0.19041.1_es-es_9790c215392e51e3\BWContextHandler.dll.mui	rundll32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-msauditevtlog_31bf3856ad364e35_10.0.19041.610_none_a556313cd729d07d\r\Tmf1766.tmp	rundll32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..configurationengine_31bf3856ad364e35_10.0.19041.488_none_96f4e9b1e7889a13\Tmf5F9B.tmp	rundll32.exe
File opened for modification	C:\Windows\WinSxS\amd64_netfx4-presentationnative_b03f5f7f11d50a3a_4.0.15805.0_none_f0d715df562ed74e\Tmf77D6.tmp	rundll32.exe
File opened for modification	C:\Windows\WinSxS\amd64_wdmvsc.inf.resources_31bf3856ad364e35_10.0.19041.1_en-us_d215b38a0ba5d9f4\dmvsc.sys.mui	rundll32.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-errorreportingkernel_31bf3856ad364e35_10.0.19041.1_none_04dc677714cccaca_werkernel.sys_bd06c194	rundll32.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-w..registrar.resources_31bf3856ad364e35_10.0.19041.1_it-it_5f1392e21334e47a.manifest	rundll32.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Collections.Concurrent\v4.0_4.0.0.0__b03f5f7f11d50a3a\Tmf8911.tmp	rundll32.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy\App.xbf	rundll32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-onecore-c..shandlers.resources_31bf3856ad364e35_10.0.19041.1_es-es_6d6f37f3cf287fa0\TmfE73E.tmp	rundll32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..in.assets.searchapp_31bf3856ad364e35_10.0.19041.1_none_501fda1ac26a3cf4\dismiss.contrast-black.png	rundll32.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-appwiz.resources_31bf3856ad364e35_10.0.19041.1_en-us_e67dc346ae04e301.manifest	rundll32.exe
File opened for modification	C:\Windows\WinSxS\x86_netfx4-aspnet_webadmin_wizard_res_b03f5f7f11d50a3a_4.0.15805.0_none_22b85720c37c52fb\Tmf512.tmp	rundll32.exe
File opened for modification	C:\Windows\WinSxS\amd64_dual_ntprint.inf_31bf3856ad364e35_10.0.19041.264_none_c2ff528ca8752daf\Amd64\PSCRIPT5.DLL	rundll32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-threadpool-winrt_31bf3856ad364e35_10.0.19041.746_none_6c310bbdc08782f6\Tmf6A49.tmp	rundll32.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-ctrlaltdel-adm_31bf3856ad364e35_10.0.19041.1_none_8e11ca61732ba081.manifest	rundll32.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_11.0.19041.1202_none_5b834788c0d17953\f\TmfC2C9.tmp	rundll32.exe
File opened for modification	C:\Windows\WinSxS\amd64_dual_rdcameradriver.inf_31bf3856ad364e35_10.0.19041.746_none_25214790308f8b98\r\RDCameraDriver.inf	rundll32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-t..tkeyboard.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_409d41fdd879f332\tabskb.dll.mui	rundll32.exe
File opened for modification	C:\Windows\WinSxS\Manifests\wow64_microsoft-windows-speechengine_31bf3856ad364e35_10.0.19041.1_none_af03d50c6da08946.manifest	rundll32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-speech-userexperience_31bf3856ad364e35_10.0.19041.1_none_d1fafd8eeb2a2637\Speech On.wav	rundll32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-xbox-gipmanagement-component_31bf3856ad364e35_10.0.19041.1_none_98dd0a9878d62c7c\Tmf747A.tmp	rundll32.exe
File opened for modification	C:\Windows\WinSxS\FileMaps\$$_microsoft.net_assembly_gac_msil_microsoft.data.entity.build.tasks.resources_v4.0_4.0.0.0_fr_b03f5_f1c304ff3b3e2f54.cdf-ms	rundll32.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_ndisvirtualbus.inf.resources_31bf3856ad364e35_10.0.19041.1_it-it_6a9cae65f4bf1578.manifest	rundll32.exe
File opened for modification	C:\Windows\WinSxS\Temp\PendingDeletes\bad13e2c36e5d7013c7300001815341f.TSFairShare.sys	rundll32.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-fdpnp_31bf3856ad364e35_10.0.19041.746_none_421e65afc30b0910\TmfC078.tmp	rundll32.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-virtualdiskapilibrary_31bf3856ad364e35_10.0.19041.1266_none_6c7d1e21f203fb8f\f\TmfFEC9.tmp	rundll32.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Entity.resources\v4.0_4.0.0.0_fr_b77a5c561934e089\Tmf8C6C.tmp	rundll32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-dedup-common.resources_31bf3856ad364e35_10.0.19041.1_it-it_65b4f329a239527b\ddp.mfl	rundll32.exe
File opened for modification	C:\Windows\WinSxS\Catalogs\0cc07df102805db96262e808c800dd34c8398718bc1c37b0dc1fe16da402db38.cat	rundll32.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_fdwnet_31bf3856ad364e35_10.0.19041.1_none_f119baa9136f415e.manifest	rundll32.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-w..emassessmenttoolapi_31bf3856ad364e35_10.0.19041.207_none_c1c3e3625648605b.manifest	rundll32.exe
File opened for modification	C:\Windows\WinSxS\Manifests\wow64_microsoft-windows-i..ation-net.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_f5f42b0b4ca6971e.manifest	rundll32.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-o..ct-picker.resources_31bf3856ad364e35_10.0.19041.1_en-us_2718b9a8638c8d41\TmfC6A2.tmp	rundll32.exe
File opened for modification	C:\Windows\WinSxS\amd64_mdmhayes.inf.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_8b98a1378de31644\TmfCFFD.tmp	rundll32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-settingsynccore_31bf3856ad364e35_10.0.19041.264_none_5754081f862908dc\SettingSyncCore.dll	rundll32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-snippingtool-app_31bf3856ad364e35_10.0.19041.1_none_4fb50fb329007a5d\Snipping Tool.lnk	rundll32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-t..nalservices-runtime_31bf3856ad364e35_10.0.19041.546_none_bad936652ad03072\winsta.dll	rundll32.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-user32_31bf3856ad364e35_10.0.19041.1288_none_4c54bd1d56ecfd46\TmfFE7B.tmp	rundll32.exe
File opened for modification	C:\Windows\WinSxS\x86_microsoft-windows-ie-f12platform2_31bf3856ad364e35_11.0.19041.1_none_557ff1f52ac82751\F12Platform2.dll	rundll32.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-m..itycenter.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_cc214dc399dc7e0b.manifest	rundll32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\es\System.Drawing.Resources.dll	rundll32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-t..etpc-mathinputpanel_31bf3856ad364e35_10.0.19041.746_none_a89acde4afbab635\r\Tmf6845.tmp	rundll32.exe
File opened for modification	C:\Windows\WinSxS\FileMaps\$$_microsoft.net_assembly_gac_msil_system.reflection.extensions_v4.0_4.0.0.0_b03f5f7f11d50a3a_19870563673ce662.cdf-ms	rundll32.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_c_printer.inf.resources_31bf3856ad364e35_10.0.19041.1_en-us_97be91b029c2a806.manifest	rundll32.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_hyperv-networking-v..oyment-languagepack_31bf3856ad364e35_10.0.19041.1_de-de_78365c054d950012.manifest	rundll32.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-azman.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_6a296a8ffcbb801a.manifest	rundll32.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-dims-autoenroll_31bf3856ad364e35_10.0.19041.1_none_aa00c442da33b8e2.manifest	rundll32.exe
File opened for modification	C:\Windows\WinSxS\x86_netfx-peverify_dll_b03f5f7f11d50a3a_10.0.19041.1_none_5d7f160fdad6fe5e\peverify.dll	rundll32.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Lxss-WithGraphics-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1202.mum	rundll32.exe
File opened for modification	C:\Windows\WinSxS\x86_microsoft-windows-m..-components-jetrepl_31bf3856ad364e35_10.0.19041.1_none_5d4257f18f6f47d7\msrepl40.dll	rundll32.exe
File opened for modification	C:\Windows\WinSxS\x86_microsoft-windows-photoacquire_31bf3856ad364e35_10.0.19041.746_none_b61113dfb33429a3\Tmf3AB.tmp	rundll32.exe
File opened for modification	C:\Windows\WinSxS\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_bg-bg_ba921840a92e8615\Tmf457.tmp	rundll32.exe
File opened for modification	C:\Windows\WinSxS\amd64_athw8x.inf.resources_31bf3856ad364e35_10.0.19041.1_en-us_bb5cff1a3ca64358\TmfC966.tmp	rundll32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-e..collector.resources_31bf3856ad364e35_10.0.19041.1_de-de_c1f7d17bd67d9b94\TmfFF2B.tmp	rundll32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-p..g-fdprint.resources_31bf3856ad364e35_10.0.19041.1_it-it_b1e93b97f39c4d00\resource.xml	rundll32.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-mmres.resources_31bf3856ad364e35_10.0.19041.1_de-de_05299b19b52273f9.manifest	rundll32.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-w..ty-client.resources_31bf3856ad364e35_10.0.19041.1_de-de_23819efa840f824e.manifest	rundll32.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-tcpip_31bf3856ad364e35_10.0.19041.746_none_49d38afb2289b178\r\TmfFDCF.tmp	rundll32.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.systemcompatible_6595b64144ccf1df_6.0.19041.1_none_bcf22701031bcbf3.manifest	rundll32.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-t..ces-appserver-setup_31bf3856ad364e35_10.0.19041.1_none_7f86f2692a366cd8.manifest	rundll32.exe
File opened for modification	C:\Windows\WinSxS\Manifests\wow64_microsoft-windows-i..provider-deployment_31bf3856ad364e35_10.0.19041.906_none_b65fe09fc4a6d282.manifest	rundll32.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
1808	2644	WerFault.exe	54
1116	3428	WerFault.exe	55
1376	1112	WerFault.exe	66

Checks SCSI registry key(s) 3 TTPs 58 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchApp.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\ApplicationFrame\windows.immersivecontrolpanel_cw5n1h2txyewy!mi = f401000040010000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 14000000070000000100010007000000140000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f8c000000000000002000000e70701004100720067006a00620065007800200032000a005600610067007200650061007200670020006e0070007000720066006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001e00000074ae2078e323294282c1e41cb67d5b9c000000000000000000000000fa3d6bbfc120d90100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000040000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000002000000e70701004600630072006e0078007200650066003a002000360037002500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000001f00000073ae2078e323294282c1e41cb67d5b9c000000000000000000000000815f48bec120d90100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a0066000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000500000050003a005c00480066007200650066005c004e0071007a00760061005c004e006300630051006e0067006e005c005900620070006e0079005c005a00760070006500620066006200730067005c00420061007200510065007600690072005c00420061007200510065007600690072002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f50100000000000000000000e6070b00420061007200510065007600690072000a004100620067002000660076007400610072007100200076006100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000700000000000000000000000000000000000000000000000000000000000000d688cbbcd2f5d80100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e6070b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000075ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e6070b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000081ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e6070b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000082ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e6070b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000083ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 0100000000000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Generic"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4246620582-653642754-1174164128-1000\{986CE781-937D-45C1-BBDD-CFF8F63F005A}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616209"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\PastIconsStream = 1400000005000000010001002000000014000000494c2006200024003c0010001000ffffffff2110ffffffffffffffff424d36000000000000003600000028000000100000004002000001002000000000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf30303030000000000000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef30303030000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8fffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff30303030000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbfffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040dfdfdfdf0000000020202020ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040cfcfcfcf0000000020202020ffffffffffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff40404040000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbf000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8f00000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef303030300000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf303030300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffff000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff00000000ffffffff00000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf30303030000000000000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef30303030000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8fffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff30303030000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbfffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040dfdfdfdf0000000020202020ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040cfcfcfcf0000000020202020ffffffffffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff40404040000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbf000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8f00000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef303030300000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf3030303000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000040404040a0a0a0a0f0f0f0f0ffffffff9f9f9f9f0000000090909090ffffffffffffffffffffffff9090909000000000000000000000000010101010b0b0b0b0f0f0f0f0b8b8b8b8f3f3f3f32f2f2f2f0303030390909090f0f0f0f07070707030303030a6a6a6a6f9f9f9f9909090900000000010101010d0d0d0d0b0b0b0b01f1f1f1ff0f0f0f0404040400000000000000000ffffffff707070700000000060606060ffffffffa6a6a6a6ffffffff00000000b0b0b0b0b0b0b0b00000000060606060d0d0d0d0000000000000000000000000ffffffff3030303060606060ffffffff6060606040404040ffffffff40404040f0f0f0f01010101000000000a0a0a0a070707070000000000000000000000000ffffffff9c9c9c9cffffffff606060600000000070707070ffffffffb8b8b8b8fffffffffffffffffffffffffffffffffffffffffffffffffbfbfbfb0f0f0f0f90909090f9f9f9f9a6a6a6a64040404070707070f0f0f0f090909090e0e0e0e0303030300000000000000000ffffffff101010100000000000000000000000000000000090909090ffffffffffffffffffffffff9090909000000000ffffffff000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000009f9f9f9fffffffff000000000000000000000000ffffffff000000000000000000000000000000000000000000000000efefefef000000000000000000000000ffffffffe0e0e0e0303030300000000000000000ffffffff101010100000000000000000000000000000000010101010ffffffff000000000000000030303030e0e0e0e0b8b8b8b8ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffb8b8b8b840404040f0f0f0f01010101000000000a0a0a0a0707070700000000000000000000000000000000070707070a0a0a0a00000000010101010f0f0f0f04040404000000000b0b0b0b0b0b0b0b00000000060606060d0d0d0d000000000000000000000000000000000d0d0d0d06060606000000000b0b0b0b0b0b0b0b0000000000000000010101010d0d0d0d0b0b0b0b01f1f1f1ff0f0f0f040404040000000000000000040404040f0f0f0f01f1f1f1fb0b0b0b0d0d0d0d01010101000000000000000000000000010101010b0b0b0b0f0f0f0f0b8b8b8b8f3f3f3f33030303030303030f3f3f3f3b8b8b8b8f0f0f0f0b0b0b0b01010101000000000000000000000000000000000000000000000000040404040a0a0a0a0f0f0f0f0fffffffffffffffff0f0f0f0a0a0a0a040404040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf30303030000000000000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef30303030000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8fffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff30303030000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbfffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040dfdfdfdf0000000020202020ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040cfcfcfcf0000000020202020ffffffffffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff40404040000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbf000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8f00000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef303030300000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf303030300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffff000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff00000000ffffffff00000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf30303030000000000000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef30303030000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8fffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff30303030000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbfffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040dfdfdfdf0000000020202020ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040cfcfcfcf0000000020202020ffffffffffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff40404040000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbf000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8f00000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef303030300000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf303030300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffff000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff00000000ffffffff00000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf30303030000000000000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef30303030000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8fffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff30303030000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbfffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040dfdfdfdf0000000020202020ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040cfcfcfcf0000000020202020ffffffffffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff40404040000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbf000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8f00000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef303030300000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf303030300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffff000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff00000000ffffffff00000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf30303030000000000000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef30303030000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8fffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff30303030000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbfffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040dfdfdfdf0000000020202020ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040cfcfcfcf0000000020202020ffffffffffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff40404040000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbf000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8f00000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef303030300000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf303030300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffff000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff00000000ffffffff00000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf30303030000000000000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef30303030000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8fffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff30303030000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbfffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040dfdfdfdf0000000020202020ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040cfcfcfcf0000000020202020ffffffffffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff40404040000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbf000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8f00000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef303030300000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf303030300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffff000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff00000000ffffffff00000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf30303030000000000000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef30303030000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8fffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff30303030000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbfffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040dfdfdfdf0000000020202020ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040cfcfcfcf0000000020202020ffffffffffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff40404040000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbf000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8f00000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef303030300000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf303030300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffff000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff00000000ffffffff00000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf30303030000000000000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef30303030000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8fffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff30303030000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbfffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040dfdfdfdf0000000020202020ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040cfcfcfcf0000000020202020ffffffffffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff40404040000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbf000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8f00000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef303030300000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf303030300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffff000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff00000000ffffffff00000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf30303030000000000000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef30303030000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8fffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff30303030000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbfffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040dfdfdfdf0000000020202020ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040cfcfcfcf0000000020202020ffffffffffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff40404040000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbf000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8f00000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef303030300000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf303030300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffff000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff00000000ffffffff00000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf30303030000000000000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef30303030000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8fffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff30303030000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbfffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040dfdfdfdf0000000020202020ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040cfcfcfcf0000000020202020ffffffffffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff40404040000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbf000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8f00000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef303030300000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf303030300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffff000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff00000000ffffffff00000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf30303030000000000000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef30303030000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8fffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff30303030000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbfffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040dfdfdfdf0000000020202020ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040cfcfcfcf0000000020202020ffffffffffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff40404040000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbf000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8f00000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef303030300000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf303030300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffff000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff00000000ffffffff00000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060606060a0a0a0a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060606060ffffffff60606060000000000000000030303030868686869999999999999999999999999999999999999999999999999999999999999999babababaffffffff60606060303030300a0a0a0a3c3c3c3c9e9e9e9e9999999999999999999999999999999999999999999999999999999999999999babababaffffffff606060603a3a3a3a999999996b6b6b6b464646467d7d7d7d8c8c8c8ca6a6a6a69999999999999999999999999999999999999999babababaffffffff606060603a3a3a3aa6a6a6a69b9b9b9b7d7d7d7d6666666666666666666666666c6c6c6c8c8c8c8c9b9b9b9b9b9b9b9b99999999babababaffffffff60606060404040409f9f9f9f8e8e8e8e808080808080808066666666666666666666666666666666666666666666666684848484b7b7b7b7ffffffff606060603030303097979797808080808080808080808080787878785a5a5a5a66666666666666666666666666666666666666669c9c9c9cffffffff606060602626262687878787808080808080808080808080808080802828282820202020666666666666666666666666666666669c9c9c9cffffffff606060601d1d1d1d4d4d4d4d535353536a6a6a6a6b6b6b6b40404040101010100000000000000000202020205a5a5a5a69696969a0a0a0a0ffffffff606060601d1d1d1d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d3a3a3a3a00000000000000000000000000000000000000000000000063636363ffffffff606060601d1d1d1d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d484848480e0e0e0e000000000000000000000000000000000000000060606060ffffffff606060600a0a0a0a4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d444444440e0e0e0e000000000000000000000000000000000000000000000000a0a0a0a06060606000000000000000000000000013131313131313130e0e0e0e0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000056565678888888bf888888bf888888bf888888bf888888bf888888bf888888bf888888bf888888bf888888bf4d4d4d6c33333348888888bf6f6f6f9b2b2b2b3c888888bf888888bf888888bf888888bf888888bf888888bf888888bf888888bf888888bf888888bf888888bf888888bf888888bf888888bf6a6a6a953737374d888888bf888888bf888888bf888888bf888888bf888888bf888888bf888888bf888888bf888888bf888888bf808080b4888888bf888888bf808080b30909090c6c6c6c97888888bf888888bf888888bf888888bf888888bf888888bf888888bf888888bf888888bf787878a8111111186f6f6f9c888888bf888888bf5e5e5e831010101711111118888888bf888888bf888888bf888888bf888888bf888888bf888888bf888888bf4d4d4d6c000000000909090c4d4d4d6c888888bf888888bf888888bf101010176363638b888888bf888888bf888888bf828282b65c5c5c81696969934545456000000000000000000000000011111118888888bf888888bf888888bf6f6f6f9b0808080b4242425d4f4f4f6e4c4c4c6b111111182222222f1515151e000000000000000000000000000000000000000067676790888888bf888888bf888888bf838383b96a6a6a956666668f6666668f777777a7888888bf3c3c3c5400000000000000000000000000000000000000000909090c565656786767679056565678808080b4888888bf888888bf888888bf888888bf808080b40909090c0000000000000000000000000000000000000000000000000000000000000000000000001a1a1a24787878a8888888bf888888bf676767901a1a1a240000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf30303030000000000000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef30303030000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8fffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff30303030000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbfffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040dfdfdfdf0000000020202020ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040cfcfcfcf0000000020202020ffffffffffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff40404040000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbf000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8f00000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef303030300000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf303030300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffff000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff00000000ffffffff00000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf30303030000000000000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef30303030000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8fffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff30303030000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbfffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040dfdfdfdf0000000020202020ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040cfcfcfcf0000000020202020ffffffffffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff40404040000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbf000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8f00000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef303030300000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf303030300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffff000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff00000000ffffffff00000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf30303030000000000000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef30303030000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8fffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff30303030000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbfffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040dfdfdfdf0000000020202020ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040cfcfcfcf0000000020202020ffffffffffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff40404040000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbf000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8f00000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef303030300000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf303030300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffff000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff00000000ffffffff00000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000424d3e000000000000003e0000002800000010000000400200000100010000000000000900000000000000000000000000000000000000000000ffffff0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffff0000fff90000f3f90000e3c80000c3c400000b2400007b2400007b3600007b3600007b2400000b240000c3c40000e3c80000f3f90000fff90000ffff0000ffff0000d80f0000df7f0000df7f0000c0000000dffe0000dffe0000dffe000007fe000077fe000057fe000007fe000077fe000000000000ffff0000ffff0000ffff0000fff90000f3f90000e3c80000c3c400000b2400007b2400007b3600007b3600007b2400000b240000c3c40000e3c80000f3f90000fff90000ffff0000f0410000c00000008190000093800000138400000000000033c1000077fe000077ee000033cc00000000000013c8000093c9000081810000c0030000f00f0000ffff0000fff90000f3f90000e3c80000c3c400000b2400007b2400007b3600007b3600007b2400000b240000c3c40000e3c80000f3f90000fff90000ffff0000ffff0000d80f0000df7f0000df7f0000c0000000dffe0000dffe0000dffe000007fe000077fe000057fe000007fe000077fe000000000000ffff0000ffff0000ffff0000fff90000f3f90000e3c80000c3c400000b2400007b2400007b3600007b3600007b2400000b240000c3c40000e3c80000f3f90000fff90000ffff0000ffff0000d80f0000df7f0000df7f0000c0000000dffe0000dffe0000dffe000007fe000077fe000057fe000007fe000077fe000000000000ffff0000ffff0000ffff0000fff90000f3f90000e3c80000c3c400000b2400007b2400007b3600007b3600007b2400000b240000c3c40000e3c80000f3f90000fff90000ffff0000ffff0000d80f0000df7f0000df7f0000c0000000dffe0000dffe0000dffe000007fe000077fe000057fe000007fe000077fe000000000000ffff0000ffff0000ffff0000fff90000f3f90000e3c80000c3c400000b2400007b2400007b3600007b3600007b2400000b240000c3c40000e3c80000f3f90000fff90000ffff0000ffff0000d80f0000df7f0000df7f0000c0000000dffe0000dffe0000dffe000007fe000077fe000057fe000007fe000077fe000000000000ffff0000ffff0000ffff0000fff90000f3f90000e3c80000c3c400000b2400007b2400007b3600007b3600007b2400000b240000c3c40000e3c80000f3f90000fff90000ffff0000ffff0000d80f0000df7f0000df7f0000c0000000dffe0000dffe0000dffe000007fe000077fe000057fe000007fe000077fe000000000000ffff0000ffff0000ffff0000fff90000f3f90000e3c80000c3c400000b2400007b2400007b3600007b3600007b2400000b240000c3c40000e3c80000f3f90000fff90000ffff0000ffff0000d80f0000df7f0000df7f0000c0000000dffe0000dffe0000dffe000007fe000077fe000057fe000007fe000077fe000000000000ffff0000ffff0000ffff0000fff90000f3f90000e3c80000c3c400000b2400007b2400007b3600007b3600007b2400000b240000c3c40000e3c80000f3f90000fff90000ffff0000ffff0000d80f0000df7f0000df7f0000c0000000dffe0000dffe0000dffe000007fe000077fe000057fe000007fe000077fe000000000000ffff0000ffff0000ffff0000fff90000f3f90000e3c80000c3c400000b2400007b2400007b3600007b3600007b2400000b240000c3c40000e3c80000f3f90000fff90000ffff0000ffff0000d80f0000df7f0000df7f0000c0000000dffe0000dffe0000dffe000007fe000077fe000057fe000007fe000077fe000000000000ffff0000ffff0000ffff0000fff90000f3f90000e3c80000c3c400000b2400007b2400007b3600007b3600007b2400000b240000c3c40000e3c80000f3f90000fff90000ffff0000ffff0000d80f0000df7f0000df7f0000c0000000dffe0000dffe0000dffe000007fe000077fe000057fe000007fe000077fe000000000000ffff0000ffff0000ffff0000fff90000f3f90000e3c80000c3c400000b2400007b2400007b3600007b3600007b2400000b240000c3c40000e3c80000f3f90000fff90000ffff0000ffff0000d80f0000df7f0000df7f0000c0000000dffe0000dffe0000dffe000007fe000077fe000057fe000007fe000077fe000000000000ffff0000ffff0000ffff0000fff90000fff100008000000000000000000000000000000000000000000000000001000080070000e0070000c00f0000ce3f0000ffff0000ffff0000ffff0000ffff0000ffff0000ffff0000f0000000000000000000000000000000000100000003000080070000c0070000c0070000fc0f0000ffff0000ffff0000ffff0000fff90000f3f90000e3c80000c3c400000b2400007b2400007b3600007b3600007b2400000b240000c3c40000e3c80000f3f90000fff90000ffff0000ffff0000d80f0000df7f0000df7f0000c0000000dffe0000dffe0000dffe000007fe000077fe000057fe000007fe000077fe000000000000ffff0000ffff0000ffff0000fff90000f3f90000e3c80000c3c400000b2400007b2400007b3600007b3600007b2400000b240000c3c40000e3c80000f3f90000fff90000ffff0000ffff0000d80f0000df7f0000df7f0000c0000000dffe0000dffe0000dffe000007fe000077fe000057fe000007fe000077fe000000000000ffff0000ffff0000ffff0000fff90000f3f90000e3c80000c3c400000b2400007b2400007b3600007b3600007b2400000b240000c3c40000e3c80000f3f90000fff90000ffff0000ffff0000d80f0000df7f0000df7f0000c0000000dffe0000dffe0000dffe000007fe000077fe000057fe000007fe000077fe000000000000ffff0000ffff0000000000000000000000000000000000000000000000000100000008000000200000000a0000001401000001000000000000000100000000000000010000000000000001000000000000000100000000000000010000000000000001000000000000000100000000000000010000000000000001000000000000000100000000000000010000000000000001000000000000000100000000000000010000000000000001000000000000000100000000000000010000000000000001000000000000000100000000000000010000000000000001000000000000000100000000000000010000000000000001000000000000000100000000000000010000000000000001000000000000000100000000000000010000000000000001000000000000000100000000000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 0000000001000000ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	explorer.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4488	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4300	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4300	explorer.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1816	rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	1108	svchost.exe
Token: SeRestorePrivilege	1108	svchost.exe
Token: SeSecurityPrivilege	1108	svchost.exe
Token: SeTakeOwnershipPrivilege	1108	svchost.exe
Token: 35	1108	svchost.exe
Token: SeShutdownPrivilege	4300	explorer.exe
Token: SeCreatePagefilePrivilege	4300	explorer.exe
Token: SeShutdownPrivilege	4300	explorer.exe
Token: SeCreatePagefilePrivilege	4300	explorer.exe
Token: SeShutdownPrivilege	4300	explorer.exe
Token: SeCreatePagefilePrivilege	4300	explorer.exe
Token: SeShutdownPrivilege	4300	explorer.exe
Token: SeCreatePagefilePrivilege	4300	explorer.exe
Token: SeShutdownPrivilege	4300	explorer.exe
Token: SeCreatePagefilePrivilege	4300	explorer.exe
Token: SeShutdownPrivilege	4300	explorer.exe
Token: SeCreatePagefilePrivilege	4300	explorer.exe
Token: SeShutdownPrivilege	4300	explorer.exe
Token: SeCreatePagefilePrivilege	4300	explorer.exe
Token: SeShutdownPrivilege	4300	explorer.exe
Token: SeCreatePagefilePrivilege	4300	explorer.exe
Token: SeShutdownPrivilege	4300	explorer.exe
Token: SeCreatePagefilePrivilege	4300	explorer.exe
Token: SeShutdownPrivilege	4300	explorer.exe
Token: SeCreatePagefilePrivilege	4300	explorer.exe
Token: SeShutdownPrivilege	4300	explorer.exe
Token: SeCreatePagefilePrivilege	4300	explorer.exe
Token: SeShutdownPrivilege	4300	explorer.exe
Token: SeCreatePagefilePrivilege	4300	explorer.exe
Token: SeShutdownPrivilege	4300	explorer.exe
Token: SeCreatePagefilePrivilege	4300	explorer.exe
Token: SeShutdownPrivilege	4300	explorer.exe
Token: SeCreatePagefilePrivilege	4300	explorer.exe
Token: SeShutdownPrivilege	4300	explorer.exe
Token: SeCreatePagefilePrivilege	4300	explorer.exe
Token: SeShutdownPrivilege	4300	explorer.exe
Token: SeCreatePagefilePrivilege	4300	explorer.exe
Token: SeShutdownPrivilege	4300	explorer.exe
Token: SeCreatePagefilePrivilege	4300	explorer.exe
Token: SeShutdownPrivilege	4300	explorer.exe
Token: SeCreatePagefilePrivilege	4300	explorer.exe
Token: SeShutdownPrivilege	4300	explorer.exe
Token: SeCreatePagefilePrivilege	4300	explorer.exe
Token: SeShutdownPrivilege	4300	explorer.exe
Token: SeCreatePagefilePrivilege	4300	explorer.exe
Token: SeShutdownPrivilege	4300	explorer.exe
Token: SeCreatePagefilePrivilege	4300	explorer.exe
Token: SeShutdownPrivilege	4300	explorer.exe
Token: SeCreatePagefilePrivilege	4300	explorer.exe
Token: SeShutdownPrivilege	4300	explorer.exe
Token: SeCreatePagefilePrivilege	4300	explorer.exe
Token: SeShutdownPrivilege	4300	explorer.exe
Token: SeCreatePagefilePrivilege	4300	explorer.exe
Token: SeShutdownPrivilege	4300	explorer.exe
Token: SeCreatePagefilePrivilege	4300	explorer.exe
Token: SeShutdownPrivilege	4300	explorer.exe
Token: SeCreatePagefilePrivilege	4300	explorer.exe
Token: SeShutdownPrivilege	4300	explorer.exe
Token: SeCreatePagefilePrivilege	4300	explorer.exe
Token: SeShutdownPrivilege	4300	explorer.exe
Token: SeCreatePagefilePrivilege	4300	explorer.exe
Token: SeShutdownPrivilege	4300	explorer.exe
Token: SeCreatePagefilePrivilege	4300	explorer.exe
Token: SeShutdownPrivilege	4300	explorer.exe

Suspicious use of FindShellTrayWindow 61 IoCs

pid	Process
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe

Suspicious use of SetWindowsHookEx 24 IoCs

pid	Process
2488	StartMenuExperienceHost.exe
5036	SearchApp.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe
4300	explorer.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 4692 wrote to memory of 1816	4692	rundll32.exe	80
PID 4692 wrote to memory of 1816	4692	rundll32.exe	80
PID 4692 wrote to memory of 1816	4692	rundll32.exe	80
PID 1872 wrote to memory of 4900	1872	sethc.exe	119
PID 1872 wrote to memory of 4900	1872	sethc.exe	119
PID 4300 wrote to memory of 4488	4300	explorer.exe	135
PID 4300 wrote to memory of 4488	4300	explorer.exe	135

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\IsaacWiper.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4692
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\IsaacWiper.dll,#1
  2⤵
  - Drops file in Drivers directory
  - Modifies extensions of user files
  - Drops startup file
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Writes to the Master Boot Record (MBR)
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: RenamesItself
  PID:1816

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1108

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3856

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 424 -p 2644 -ip 2644
1⤵
PID:4892

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2644 -s 10184
1⤵
- Program crash
PID:1808

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4300
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\ProgramData\log.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:4488

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:2488

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 184 -p 3428 -ip 3428
1⤵
PID:4708

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3428 -s 428
1⤵
- Program crash
PID:1116

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5036

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy
1⤵
PID:4872

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
PID:3396

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy
1⤵
PID:2552

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy
1⤵
PID:4532

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy
1⤵
PID:3836

C:\Windows\system32\sethc.exe
sethc.exe 231
1⤵
- Suspicious use of WriteProcessMemory
PID:1872
- C:\Windows\system32\EaseOfAccessDialog.exe
  "C:\Windows\system32\EaseOfAccessDialog.exe" 231
  2⤵
  PID:4900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:2680

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 1112 -ip 1112
1⤵
PID:3348

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1112 -s 732
1⤵
- Program crash
PID:1376

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:3308

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5092

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Bootkit

T1067

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$RECYCLE.BIN\S-1-5-21-4246620582-653642754-1174164128-1000\desktop.ini

Filesize
260B

MD5
482265a2e838b45f95e95e52f22329c3

SHA1
6dbaf6c9e066f48097b22b16ddb2a71411d09f55

SHA256
9da87d5511b9d001c443f5b4fe68c6afe2b6b2578524c2679dd2d6201f9a8cda

SHA512
58f1b9e1fdb979a620a5068f550ce3c87ba241c56c1a347c60dbe1a5a3cffc9d24bcabbdacf8b06e851e2571e225d8ae34e18ed013971ecda6b9876536087d62

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Filesize
3.2MB

MD5
ba470886d93530423d8001890cc04fdb

SHA1
4ab3b3fbd335c7adaf4bd17cb995542226a591ab

SHA256
10e3de204697670298d90700e1f963c1309eeb25dfd0ea41f934c7645251ca53

SHA512
3921b305f669bee83489200ad18ad374ab0f11aae18a35a278702eca641ee003a5252b8d645a8d5fa6ed9c5f74cf55d2553440fba87af60d06e5bafae61f68c4

Download Submit
C:\Program Files (x86)\desktop.ini

Filesize
174B

MD5
59a7388d60bc27d2642498a9a79c8670

SHA1
e820f410f4427c9e8f96536f385f00f0e12b9265

SHA256
8fd7e7c1bac57392f202a9406726b76b555ec81255ff3508697487ba82f94625

SHA512
0637459c493c335ef86f784411f59dc45ea44594443a1eb47743b95765a12277a7c616257c3ad2f1d6b82e503b0aa138578e0b22a79eac6717b2c4bcb3b9faef

Download Submit
C:\Program Files\desktop.ini

Filesize
174B

MD5
cf412ad428f6358e031ffaa14c4d1503

SHA1
628610e8bc77cc2f836067b5b168513f455934ce

SHA256
1d0dc75cefface67b6cf15f11fd0daf35a543750455e6005e58b83d3937e36f3

SHA512
b3409efc414866d85c013b0fbfab538ae519d8f2b9359c1092eb31b088d4dd00e3bb8890fb8f30326b64288d0eaeb7cfbcf2e48a0473276ba42b80a2e1d0c058

Download Submit
C:\ProgramData\Microsoft\Windows\Caches\cversions.2.db

Filesize
16KB

MD5
f79ab08c580e8e4d35a11232c93f5c54

SHA1
605432e2a41a41d6ea0816273af70a7079904e68

SHA256
c3cf1f2e4680cdf2a9a705636b890680a36d7940d1923ed223a7550cf5830a7d

SHA512
e084767085fae5b8252a90f0b377360269205ad95703a1927a4bd3c6ee28bf375a58ec77099fae33d70c39c69e4da73854a703e48d05b5a762a76cc5eb44766c

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini

Filesize
400B

MD5
50fbb156807b4f3dfe1ab0f3052b10ed

SHA1
1c026aef557e57c768b1e5fc18f189497a90ba52

SHA256
306e8dcf6f7cee8d97b3baef6172429d2a22a8c5469a6ab832c0def831ac785b

SHA512
1da1ebdeb796ade33b4f79cd3219e22a7f198767de4ad916253a5cdf76c6e2df118c7fc25d6674a31dd42425da99c71f2be9713f88d0b1ebf9539dd6542fffbb

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini

Filesize
174B

MD5
455853fc432417395f89b0c4409778a5

SHA1
2982bb63389d4c2b45ec849c246d51ee7484309c

SHA256
070fcd1bc1e1274196ffc9672c05d9d7194f3a208701dee5507faa48357c0523

SHA512
1d45744e8465df63988f27722237cfc5cbf73c71385e0fbacfdf781ee0d803c773da22986b1eab444077bb6a79fd768026365c3427c5ec5da1892193d780002e

Download Submit
C:\USERS\ADMIN\DESKTOP\ADDUNLOCK.RLE

Filesize
1.2MB

MD5
6026529bc25c8c9ef832b550300fbb6f

SHA1
55b8cb4ca20169d94007cea52168e054687da75d

SHA256
b357c93736ab61dee654b258e0914135991d30e9c9116a461c09a5b8b3723011

SHA512
368fc686c10f7f7a17fa726473ceb9ccf881993d297a05e948336d2344526910f1960be5ae108ba3e9881c890a57517b90574b12c4f0c6762462909698774446

Download Submit
C:\USERS\ADMIN\DESKTOP\COMPAREGRANT.DIB

Filesize
691KB

MD5
1fc2b9b25fce2f884fc0b2719e17b53c

SHA1
3182ec37ac456c835bd5db9a7769f18f6abbe7ed

SHA256
9df88caa2f32dc04b192db22f83a657fbfdd41ea3ba84565c2a0c16c23ad4db4

SHA512
8321a05eab51666cb0176f6f1184ae82dba7873428cc2c4f33ae4e582b95f75f6e73f19efcf1e6e7c029fc40c773bc7064541f023ee3cb6a10d6e99e18ea5cfd

Download Submit
C:\USERS\ADMIN\DESKTOP\COMPLETEHIDE.PDF

Filesize
718KB

MD5
56dc612a211d51e34875491322691bcb

SHA1
890ee7d4faed4d53b41028b88775bda6e4503799

SHA256
61eb8a2b98643199a2bea8b0055b20d37732dc427867e667a664329ba22234de

SHA512
c16597643466cfb75d31038ac047c3d5fa8443271cb78c1bfe875ae82548b37b02f9a07a794b33d74368559bf9ba1c726bb3cef60d621e408edb38d76646bc87

Download Submit
C:\USERS\ADMIN\DESKTOP\CONVERTTOADD.AAC

Filesize
447KB

MD5
fd79c2c1193126ad8262604761a8eee9

SHA1
8e5b665cbc0c20f8a6dd52c7b1f2ffb7494a0e6b

SHA256
67a4615eb60bf3b74f41a58a8e0fd6234fd05908360001e255c77e96566ef5d1

SHA512
154201bf5e33de30a5b86cc5bbf724c785a27bd5aa822b7d2448359ec369c281d527868fd372983386f2360c7c9d28f18604b973658bea37d3a5f27d30416d14

Download Submit
C:\USERS\ADMIN\DESKTOP\DISMOUNTRENAME.TTF

Filesize
474KB

MD5
f48918a910a686326f07e8ead4a6ede1

SHA1
9a611c50951ba6150ed8797dea8b47d44761af81

SHA256
8c06f456ac451d5fe40bffdcd56292226c0c060f074af5c6ebeb6779d1b213f1

SHA512
a289c4ecaec34b5958cc40bd3d957c0c502983c75f76778f2d0badf8e6958db684d9a9fd845a34159cf78d6ccab30a5253b1a4f2e14958c192b3c072133e8551

Download Submit
C:\USERS\ADMIN\DESKTOP\EXPORTPUBLISH.VSD

Filesize
636KB

MD5
e5cb77ff7852e195cbfe53f394eb2eea

SHA1
20dc142e2b9ed783e693ca0de5708827dbcc70f5

SHA256
522cf97387ab443311f9cf4e5ab75e4f7e1a2d36e4872723e1c4d261cf85f92f

SHA512
b3f969e5314af22ee2899c35dc7300de38f69362c159c749bd26952762b0c200f6632240abec79ad0c73850720556b1bea559c2ccaea72f10fa24a149d85a4c4

Download Submit
C:\USERS\ADMIN\DESKTOP\GRANTFIND.PHP

Filesize
528KB

MD5
f8f6a7f1c9d7e5dbb3c6764858817b05

SHA1
873518cc8fed9edfe6f0373e7803aedd4784fd90

SHA256
6da0a1ed41b9009b779de7c3bcc3865b2c5a607277e0173b4f1cec782549ad49

SHA512
0d5fdd87b1b03c948b151d579befa2f07f51fcb21bbaadf6f571eef64b2b62761f7fda28ea503423f33685070eca40ff4926e1ebd698d48039ec7f29fc20b5dc

Download Submit
C:\USERS\ADMIN\DESKTOP\INSTALLCOMPARE.VST

Filesize
799KB

MD5
0b5cd7d4caa23d69bfa1ff4fb810c1a9

SHA1
6b19da2926d21c04d41cfb89b7066ea0493b2578

SHA256
70f66100441b76aa17d5917e42f93ea01b65730155791eb9e715838cd1c9c60e

SHA512
0e5950a7a96522157d91243415c62175e81c837b8abb2b805f2ac48f0f1d70777554092b800e5eba1b64adddec97e958ebed83bf5a83b4b5f4635109f7d9d455

Download Submit
C:\USERS\ADMIN\DESKTOP\INSTALLCONNECT.MHTML

Filesize
880KB

MD5
1b9737de7b4bfa022c2aa3d74b7a39f5

SHA1
4b0fce11547644d2215db7979546a60e9b717001

SHA256
af1297bd2a0804f147171654bb4c942bf6956a00d41b02a1f91ed5b403fbdefd

SHA512
fa0ec7467e4bc0f48962d7247359dc1215890e7c81be2dd3da23ba5b5323759564674a0e218d4a76c102f9894d0a592e4b2da4def30815c4223889a39b8ab494

Download Submit
C:\USERS\ADMIN\DESKTOP\JOINEXPAND.VSTX

Filesize
311KB

MD5
73b588d158f92dced472423c7ca7b31d

SHA1
42e5249e44d28c7407f9a7ac588ea285ae84f980

SHA256
070733d27009b1ad02e945d55756ae62a8ac18d35e589c54586d3361c9b73111

SHA512
c123235f4b5cb7e3cb9f515f25e44b2b2c89fdab8473624d5dc9a97503bec77d5ed03151d5be5336a0c1a501ad06a8a8315c95503cf61be380eea1b9f368729a

Download Submit
C:\USERS\ADMIN\DESKTOP\MEASUREPING.CR2

Filesize
772KB

MD5
cba3c5baa912547e932b821f4283fe22

SHA1
756a235ea4057e9b3308e3a95d732f9d4264e431

SHA256
124767cda7c452dd5b657b826422a1b462d28f55123ac4ce03d4dee00baafc97

SHA512
3cac0b1a3e9e717b3b21ff90bcf8a2f6e2c3270472f54205e9f865f68cd08a988bec89af7b015cfd734a3b2fac207ea0db41f82b586ff1a5337d76c5b9da4206

Download Submit
C:\Users\Admin\AppData\Local\IconCache.db

Filesize
9KB

MD5
93997337c5c3036ac0205e1054e19e21

SHA1
01189a79cc8719d753e82d7637a63f0339e99923

SHA256
5b65ef67dc71dfdd424ebe9f25d1d0da9b2021a5ece4917146e6d53a241d6cbf

SHA512
a8d9992c51395d4ab0867389f29a1e604d35815cc1e0355dbe698fc1aabdc38d58ca232cff89c98ec53fd9ee4094ee38ac32dbdb8d05d26000eb0ebdde9d216a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat

Filesize
1022B

MD5
601b980483df092ad828648b92f34b2e

SHA1
ca5789b9a0fd3cae42e348bad78b635c2aeffe57

SHA256
1595ce971633a2325e74cb4f0b767e93bbd7dd1723875037eb0a58eda829811f

SHA512
72e9af51b9e2925cf2ecbc880fab29e8da7e992dfd733a18e900175353553baab58834afcd1c204d7755ffd4a7b9343d75d0bf83a1bb0a9d7777ce1fed6a4ca7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\cversions.1.db

Filesize
16KB

MD5
b87e3e69312f0fa85ed278903b8faada

SHA1
46ba0933cd6c6bbf3a296dc92c2676d12686cd50

SHA256
c2523ea33c76bc8705c374d35173d7c5b34eafc8fdb2b9208821a09140b1359d

SHA512
c30555e185e6e9ad24bc44093f11b5c3ba1e8d93275fae313b88d63894bd70f72524aa1a53fdcae5ac12adce2473cb19427720da1034df3baffdf92e995b11e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\cversions.3.db

Filesize
16KB

MD5
b87e3e69312f0fa85ed278903b8faada

SHA1
46ba0933cd6c6bbf3a296dc92c2676d12686cd50

SHA256
c2523ea33c76bc8705c374d35173d7c5b34eafc8fdb2b9208821a09140b1359d

SHA512
c30555e185e6e9ad24bc44093f11b5c3ba1e8d93275fae313b88d63894bd70f72524aa1a53fdcae5ac12adce2473cb19427720da1034df3baffdf92e995b11e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db

Filesize
24B

MD5
f0f35680a67ac5fd280471d0abd555bf

SHA1
732439c9bef438487473e7fa1d699dcdc9d61b1f

SHA256
670962e955e77d52c975a17319bd3ec0b83c5c87eb5d7d348e992c126f2ce3c5

SHA512
9688d16c123cd330cc1724ccd236f4fd1e20039f03bded50fe6e690a9f8a975daf651eef34557c595d795996d25471b814e3bf9345980f6a694f00fd74a139fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db

Filesize
1024KB

MD5
0672402b00a231f7c951ede5b3c29c94

SHA1
ffa37a392b13abae5263ab1c201318e0cac4e674

SHA256
ff1ea1d61b9ca84243c1e8d6ba2469d89f8be9629fa67ba89bc4f376cb3033dd

SHA512
f435f985bbc4b773da37a2aa154d2ed4e713056f21fb1603387452121c558dc17384d732f461fb33c7bf7380236028ee2ce68594ad22a692acb892d2e8b0775d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db

Filesize
24B

MD5
f0f35680a67ac5fd280471d0abd555bf

SHA1
732439c9bef438487473e7fa1d699dcdc9d61b1f

SHA256
670962e955e77d52c975a17319bd3ec0b83c5c87eb5d7d348e992c126f2ce3c5

SHA512
9688d16c123cd330cc1724ccd236f4fd1e20039f03bded50fe6e690a9f8a975daf651eef34557c595d795996d25471b814e3bf9345980f6a694f00fd74a139fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db

Filesize
3.0MB

MD5
e9a4596e6e34a6e6d638ed31edf25168

SHA1
46d72b8126f657eac93b43240690f845d98b65b5

SHA256
b0b0ef89aaa00c5f68b052e4e1f94c1271a80a0e804e0b373421a534d5c39d2c

SHA512
74ab71ffeaf341fa95bc2c3af35a831e829e7bda031b938ee44612771a9fdfd50f7e4eec71cce61cf71d4c6ea71afbf2ebdea0ec4ea9bb2ff3e9d171127f4da7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_2560.db

Filesize
24B

MD5
56a8cd5cf9857f4613e18396faeb600e

SHA1
0fad5c1bd98fb77d0ad34e19a97413a442f9c9a8

SHA256
88856a9eaee9901ad0f3e88c44db9d44ca8c7d676b0071eece7a5fcca885604e

SHA512
0f34f5593ef6d245743df48b295abf8f1a77565e1d7dac60adf9c9e12ecaf980b8fcacd305091c336131139ab8b53b0a041ef97760d2aabaf5ee54accb2e2c4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db

Filesize
1024KB

MD5
96761d5444927d67047f6c92fe1cae65

SHA1
b44037313350c127cb7b13ba2865528acf32cad9

SHA256
a9de28089772e6e5249fa70caa7ceee1d2d3d024b5d2127eb8b347769d69cc66

SHA512
839770fc0b70ca67d300069cf8517cd02e3e6d61c1ea70f0e98ffb4a48efec96a6e8cbd8b461dfeb3423dd6829118045770f6256ee98ec9e4c408d10359ea66c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db

Filesize
1024KB

MD5
c8a9e9a4e5019a73cf131c0b86358cdb

SHA1
d227783fadeb35b979c7c79e51b17e17356afba8

SHA256
d825dfc5909ac90f69b11030544779a7dc0b3a6240df14161b1feb4196a7f054

SHA512
a013daa01e3ce111134f4eabf9612ff6fc82ed97e627037dc7259a6addcf83795c66cf74670f9f5114d91e16e3344ae51ac807f708db03036a559430a7deb089

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db

Filesize
24B

MD5
931a7b8f2cc0333eff8e9c1887438e0e

SHA1
0123688850a077fc60a9f908da23e40be0a55e65

SHA256
c3c4f517078e9e8d5cf7178cc5fdc1efbb0da5095c64a05d4d3f96b8d97fd9ee

SHA512
9041de57e097c0c3c35f8f062369700637dea6ec5b2d7ad2bd765e2a9c001cbda0f64b927a78a95c00f0dd4c834f5c0b884304a92087d7108a7606abcf347506

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db

Filesize
24B

MD5
931a7b8f2cc0333eff8e9c1887438e0e

SHA1
0123688850a077fc60a9f908da23e40be0a55e65

SHA256
c3c4f517078e9e8d5cf7178cc5fdc1efbb0da5095c64a05d4d3f96b8d97fd9ee

SHA512
9041de57e097c0c3c35f8f062369700637dea6ec5b2d7ad2bd765e2a9c001cbda0f64b927a78a95c00f0dd4c834f5c0b884304a92087d7108a7606abcf347506

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db

Filesize
24B

MD5
58ddff0f3bd62b1a1c5aaff6581a558b

SHA1
07170385df11cba928bd8f31591d7e9d3a91ee22

SHA256
19719af2b92c596cdcd6ba43680b5b39c0e61accdea229ce68af9cdbad0e7abe

SHA512
531c068c7d5a0db3e93fae5bfbc17a1d88de20c3a9b60cf4f6901ac445d7605a2a17f4953a66cac281317a980e6d2528b8a0019086a99245af8f2ba44c77757c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db

Filesize
24B

MD5
58ddff0f3bd62b1a1c5aaff6581a558b

SHA1
07170385df11cba928bd8f31591d7e9d3a91ee22

SHA256
19719af2b92c596cdcd6ba43680b5b39c0e61accdea229ce68af9cdbad0e7abe

SHA512
531c068c7d5a0db3e93fae5bfbc17a1d88de20c3a9b60cf4f6901ac445d7605a2a17f4953a66cac281317a980e6d2528b8a0019086a99245af8f2ba44c77757c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
28KB

MD5
d11726d7e4ee411d4af8d756f6fc9603

SHA1
0114010c0778aeb05fcd8e38ca7c3aa5c7a031cf

SHA256
7e20a09f187a652beb4767d6791d84c9574d51fe9d41b73225f8f806ee2f7c91

SHA512
0780e4125f4ed4052bc5ae92bc38a0b2cabaa02f77481ee4c1fcbc76de67d32b53d298056cb8dbd7e57545834e09c0cdabc7f5102f00fd7baef45ebe97012aec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db

Filesize
24B

MD5
58ddff0f3bd62b1a1c5aaff6581a558b

SHA1
07170385df11cba928bd8f31591d7e9d3a91ee22

SHA256
19719af2b92c596cdcd6ba43680b5b39c0e61accdea229ce68af9cdbad0e7abe

SHA512
531c068c7d5a0db3e93fae5bfbc17a1d88de20c3a9b60cf4f6901ac445d7605a2a17f4953a66cac281317a980e6d2528b8a0019086a99245af8f2ba44c77757c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db

Filesize
24B

MD5
58ddff0f3bd62b1a1c5aaff6581a558b

SHA1
07170385df11cba928bd8f31591d7e9d3a91ee22

SHA256
19719af2b92c596cdcd6ba43680b5b39c0e61accdea229ce68af9cdbad0e7abe

SHA512
531c068c7d5a0db3e93fae5bfbc17a1d88de20c3a9b60cf4f6901ac445d7605a2a17f4953a66cac281317a980e6d2528b8a0019086a99245af8f2ba44c77757c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db

Filesize
24B

MD5
58ddff0f3bd62b1a1c5aaff6581a558b

SHA1
07170385df11cba928bd8f31591d7e9d3a91ee22

SHA256
19719af2b92c596cdcd6ba43680b5b39c0e61accdea229ce68af9cdbad0e7abe

SHA512
531c068c7d5a0db3e93fae5bfbc17a1d88de20c3a9b60cf4f6901ac445d7605a2a17f4953a66cac281317a980e6d2528b8a0019086a99245af8f2ba44c77757c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1280.db

Filesize
24B

MD5
58ddff0f3bd62b1a1c5aaff6581a558b

SHA1
07170385df11cba928bd8f31591d7e9d3a91ee22

SHA256
19719af2b92c596cdcd6ba43680b5b39c0e61accdea229ce68af9cdbad0e7abe

SHA512
531c068c7d5a0db3e93fae5bfbc17a1d88de20c3a9b60cf4f6901ac445d7605a2a17f4953a66cac281317a980e6d2528b8a0019086a99245af8f2ba44c77757c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_16.db

Filesize
1024KB

MD5
e39be94d8f04415eb07d4f8bc3c99346

SHA1
a48c3cffb17232bb288aa7ff7d89e5cd232d2b43

SHA256
595ade06736360981ae36c3371c1fc544836a16fd85d2879afe6a707280fe087

SHA512
f4c62bc303a2a22ca15ce3530290ede0909ce64322875ca21c2094e3eea612c6dae15657c101e9368b89b8267ba482188914bc80276eb012d775316e0305f169

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1920.db

Filesize
24B

MD5
58ddff0f3bd62b1a1c5aaff6581a558b

SHA1
07170385df11cba928bd8f31591d7e9d3a91ee22

SHA256
19719af2b92c596cdcd6ba43680b5b39c0e61accdea229ce68af9cdbad0e7abe

SHA512
531c068c7d5a0db3e93fae5bfbc17a1d88de20c3a9b60cf4f6901ac445d7605a2a17f4953a66cac281317a980e6d2528b8a0019086a99245af8f2ba44c77757c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db

Filesize
1024KB

MD5
57825d7b79a3367eb93cd4e7ffa166a3

SHA1
e002c66ac9a8559e7289b9ea46f01867833977cf

SHA256
9c7c43df1964d456efe56bd00d4e3557eb38a0e26fcada6ec56dbb3d7fef8e25

SHA512
aa6c477d6296db447637f49f9f1b85a125180cd489d159e26beabbe3ee53420b31a394e2ded0651ffb63722cdd56e8c38515bc88009679251d4d273e9232f061

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_2560.db

Filesize
24B

MD5
6f3f6d7ecbe4a159b76ea2d8e6fa9c7d

SHA1
5be416b03f4e2d87ff7ef7ecc2ba21867a4c6d54

SHA256
44a0a1ec3a5cd2d47af7e7137c887b3fa956bfac4ebccd378c5ec6a6a085657d

SHA512
b82246801031181cf45c7c060b33f97399956d56443beeee1b576d26e2ed3c6d8f7144b2eebd5c331baf24c5ec336a2ff9c9004365023fa020acc4fc5c64aa01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db

Filesize
1024KB

MD5
410aa3de87aa62e7b8b1b2e5d53b23f8

SHA1
e7e9267304fa8922154396d7046fa593f9dd43f6

SHA256
479f9c970db5660e72343342b6fa74cec198650c9fadcd6b8a26fad62d9d2cbf

SHA512
49a0c353da07061e3727a7604afbac7483e5fe7242bd3b41827ab38e5803ce25b77658ff06f77ab6d7519e5b03d082bbdecca03ab27c7f906b925e4acdc94cbd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_48.db

Filesize
24B

MD5
6f3f6d7ecbe4a159b76ea2d8e6fa9c7d

SHA1
5be416b03f4e2d87ff7ef7ecc2ba21867a4c6d54

SHA256
44a0a1ec3a5cd2d47af7e7137c887b3fa956bfac4ebccd378c5ec6a6a085657d

SHA512
b82246801031181cf45c7c060b33f97399956d56443beeee1b576d26e2ed3c6d8f7144b2eebd5c331baf24c5ec336a2ff9c9004365023fa020acc4fc5c64aa01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_768.db

Filesize
24B

MD5
6f3f6d7ecbe4a159b76ea2d8e6fa9c7d

SHA1
5be416b03f4e2d87ff7ef7ecc2ba21867a4c6d54

SHA256
44a0a1ec3a5cd2d47af7e7137c887b3fa956bfac4ebccd378c5ec6a6a085657d

SHA512
b82246801031181cf45c7c060b33f97399956d56443beeee1b576d26e2ed3c6d8f7144b2eebd5c331baf24c5ec336a2ff9c9004365023fa020acc4fc5c64aa01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db

Filesize
4.0MB

MD5
a3bd4fd0371691433e347c65a3506b39

SHA1
b83b33d7ae7ba6ee56619b7c94f417620519b4ba

SHA256
e2872515ef7b6cdb99a8be662c892c1dc5caabdb8a02468eea7f4c7a81c678b6

SHA512
eb3480a08ae963bc4c2e02dcdc441946f68b567c7b4c5f2b1f7e46c32dae3b0a8169c751acd688ae5aff0b69fb1a806cbfee1b05bfc7bb8bd350dcd97e5c84b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_custom_stream.db

Filesize
24B

MD5
3f293d6b6b808b13317369718bb28871

SHA1
5dcc53899730716128fc12d76923f4df4539ea4c

SHA256
7c274c60494314ea6d6e7eac631dccd667706623c7c3ce967f6a75b4f1ae79ba

SHA512
add746c854197717eb24e520d080f1f5486b7060fc8b263ac0b8562e4bd994f502d2687b50d9a42b9f8b465d6d17cff6d9d3fdd91e3df88b8909fb685c854f0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_exif.db

Filesize
24B

MD5
3f293d6b6b808b13317369718bb28871

SHA1
5dcc53899730716128fc12d76923f4df4539ea4c

SHA256
7c274c60494314ea6d6e7eac631dccd667706623c7c3ce967f6a75b4f1ae79ba

SHA512
add746c854197717eb24e520d080f1f5486b7060fc8b263ac0b8562e4bd994f502d2687b50d9a42b9f8b465d6d17cff6d9d3fdd91e3df88b8909fb685c854f0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db

Filesize
14KB

MD5
c9952caa9c73b5e7ab1b212bd70437fa

SHA1
fba61fdfe3ea69e56dc231acc5d799d5d4011518

SHA256
dee4aa28555a20e272dab405d7658f72cc1226ea179928a9da13c3ff4e205a21

SHA512
dfa0f6385a5e117220d58c2bf471417a83262c4f862ea3334e2073d72d15e557a91f004b59027618356a0250c1d4fa855d8c784574ae1e827d1246b302fdbf0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_sr.db

Filesize
24B

MD5
c0c2407c8b34539b69feedbcf8381e7a

SHA1
b8ba3eed49f13c6969bb9b8bbca722654e2c23e1

SHA256
ef2666c29c2bb43978a6c39e69b4d24d0b2d9933724f8951360932210f87d027

SHA512
348a7f02a16dcaf4c9aca0ed3daf5025d53ec9f1767d367cbf70c89ea70217ccfbca6b1cb3204351b21994a74458d63b9c6faa5855eb6e30168f8fc3eb7d3396

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_wide.db

Filesize
24B

MD5
c0c2407c8b34539b69feedbcf8381e7a

SHA1
b8ba3eed49f13c6969bb9b8bbca722654e2c23e1

SHA256
ef2666c29c2bb43978a6c39e69b4d24d0b2d9933724f8951360932210f87d027

SHA512
348a7f02a16dcaf4c9aca0ed3daf5025d53ec9f1767d367cbf70c89ea70217ccfbca6b1cb3204351b21994a74458d63b9c6faa5855eb6e30168f8fc3eb7d3396

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_wide_alternate.db

Filesize
24B

MD5
c0c2407c8b34539b69feedbcf8381e7a

SHA1
b8ba3eed49f13c6969bb9b8bbca722654e2c23e1

SHA256
ef2666c29c2bb43978a6c39e69b4d24d0b2d9933724f8951360932210f87d027

SHA512
348a7f02a16dcaf4c9aca0ed3daf5025d53ec9f1767d367cbf70c89ea70217ccfbca6b1cb3204351b21994a74458d63b9c6faa5855eb6e30168f8fc3eb7d3396

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\IDX_CONTENT_TASKBARHEADLINES.json

Filesize
107KB

MD5
20e1883bb108bee5247bf73bfee68211

SHA1
2578198eb747ef99f75b48655b0311f4733753fc

SHA256
f862fd12402285e2609732909896f550412c91f7cbd871a980d488fd88475cfb

SHA512
f38ed65026b23dcba4a07be9e81f911f6313f0569908d0b536b354c0ec0a01d931b2be36a50f41168e9d28d9318349e2b0bdc702c09c697d2a8d1f9fbd2e69ba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\5f7b5f1e01b83767.automaticDestinations-ms

Filesize
8KB

MD5
58f828997e7bcd74b35ae7d5cc1004aa

SHA1
306ea748b2ec1fd83870cb03621305491dc9e62f

SHA256
2247eccd0caf1f00e33f61aed8abbcf964518bcf642d1b3df57a30451a5da990

SHA512
3c2d795154ec3b2b60b8048e1dea10ae708aff4225b60081b1602f9a656daad31d54e5a869042d0a8c2fb8ff32872885539cbb5da5900509899a4c9a0f11989b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

Filesize
7KB

MD5
2850aba1267e6c3c5ff8f3033a13ffba

SHA1
9a1a1106c845c694b5e7d913fc56cc3a7fa2a2f8

SHA256
7327f88d1c7f3dfed14160c70dc6105c426e8bb3d747d48f530f2a0807ab183c

SHA512
e54e1b2de6cc1008c6b6f5bbee744c8d0cdcce8dfcd041e85988a80a3fb778ec817ce56a4b2151d33bc6a4aca5346b3b4af7699123a135987df23da1be2e5d28

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini

Filesize
432B

MD5
2529aa722a0eb3544feb49c0beb41270

SHA1
fac195ef53ab357e0201617dcc341f610b1269ee

SHA256
bf812983fda35c603b77e82257c5071cc00efb6a77d7c62be8f16e0659dc0c0c

SHA512
8f8457189841c1c2346f0eb22717ef17ecb46eab57b14ada4ea46931f58619b91c5456dae86c3e0e3a86a5f4ebaa65717d4bbe984e0b89e3e0920e8a9b997b33

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg

Filesize
51KB

MD5
7f3b2d160b2339ffe929447c9bc3271d

SHA1
95b0791249cbcc36c842b5fd12237ef345b68697

SHA256
d19f501f31f793dbec613c910b39fefaca31f750fc17dca8b3a6c5f9c881e629

SHA512
b66a4611c3aaea2f719cfa23ad3d327177285d419f7ad9fffafdc1b1681c3e3fa1ccc2c9491407068fe0bae7f7a822f688fbd1348c7aa3c36cdfad89c518a2b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper

Filesize
71KB

MD5
b8386e9f42f7dd3172b7ca7439633016

SHA1
ccbb6c8f70e02d5496a29630dba6473d7ff29c8e

SHA256
bbc6d34cc6643038bdccac32e43ec992d6ef68f97f554e69caa16bd272c9f90e

SHA512
7073cb92cc4d1e58ebe27465163bfc71bce202da4c743294f9959659c80f1d81f7318b43849211932099d11181d7fb865cca43083097c42e076718428561f6af

Download Submit
C:\Users\Admin\Contacts\desktop.ini

Filesize
412B

MD5
f815161a19f69d5bd64ab77befc651f9

SHA1
f8ae0126293d3625127629743f9f126e70845e19

SHA256
64679fd04f9abb1de7a07d8110e5a254e55ae27390dd50dd5fb6ff41394b3bba

SHA512
820b9bc6e18c2a1aaf4e8967e6d9fac3b1cfaf7313c09006218c53ffba4cf30f5b3bdad72e6b4c75126d9c0990bb7dd8a2f8e6d9fbc616909aefd78df6abb1ff

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk

Filesize
2KB

MD5
7b660a3aef6095662f1136cd97da45d6

SHA1
e40e3a786b289d1627e15b14ad037cd8bdf7f21d

SHA256
c3c6c276e89197397b71d531a6ccf5a18b4169813f909c02049ab682cbc6ab32

SHA512
b254baaaf1e9f7671c25b57de8799995e6d9d66ad9885a081dcbb294281c8688a4e0a3df0626f3c42944240b37a1816449c958450bf9be6653b86d7cf04cb12c

Download Submit
C:\Users\Admin\Desktop\desktop.ini

Filesize
282B

MD5
bff1bcc7b49f8fbd3eb76bbd48450f94

SHA1
5c89010ebd233af3241bcaa708cd594e35501d61

SHA256
0a513245d4c82261ac5488443ddfd86c625375ee8e5bdd60090d08c4ce545c56

SHA512
95ba80cf454c2f09ffd4a9c21956067ca26756602f76f4d67c02e8840e7f9a2c6f0cb60193709df15b6d88b43360dda36dcbf9f97094dd322e64d98a6a745f80

Download Submit
C:\Users\Admin\Documents\desktop.ini

Filesize
402B

MD5
1c17dcba7cbc68c0c7dd139652e50805

SHA1
fd57b8efbb8899a5fe763275a03f1d41b26e3b75

SHA256
b1400185f477352310e6edefd6ce49646821b122b31c7d0216e1ae29dfc288c8

SHA512
76bad772f1e4ba2ca10243fd6e5bc89297353d49a04ccf4b874e3fb506b8ab9bf2540b2a1f39da58498b46560e1f4729f3c31c28ca6c277e419cd5a054a3a71b

Download Submit
C:\Users\Admin\Downloads\desktop.ini

Filesize
282B

MD5
caa1b764459200c7943d51414efdd1bc

SHA1
5c5299d2e67b2bb765c6b1bdd8f0ee047a7c179b

SHA256
4ad931b9a4af1036b563272d5ee8e51543f586d90d04968a03f7eec5968ca34a

SHA512
ebdf667ac635e7a4f52d4eb65283d473748d81cb653eab4341be893b127071c1ef4707c699bd798955b0e5bf15f579f92de62c570bd50efa965cdf307252e96c

Download Submit
C:\Users\Admin\OneDrive\desktop.ini

Filesize
96B

MD5
4de528c8fcd9af37b1ac364019443ce5

SHA1
a3a9017cd78b3edb89668f70b9335659d9330777

SHA256
d53e3ad6101ee3d78c19b2b23946fe727ac0585f3663242a8977bbebd7281bcf

SHA512
bd3ebcf713691d9b1d5071448e941a2fb92d0b18911e7bb2605aadd6985796e8f621db527dca90b6872068d4fca1c13042812a71eb46b3ea648e53cb1b80d91a

Download Submit
memory/3396-200-0x000001D769440000-0x000001D769450000-memory.dmp

Filesize
64KB

Download
memory/3396-199-0x000001D769340000-0x000001D769350000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads