medusalocker | aa7d8be213152f35b5bd6e74f60cf14d5b7a88909ac79b7b25e6bf5b60ffad46

Analysis

max time kernel
143s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
11-07-2023 18:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

busavelock96.exe
Size

332KB
MD5

881eb9957ba912beb13685dc507e7724
SHA1

b4aad9a1adbe5ec389c15502d57440d0a29bfdb1
SHA256

aa7d8be213152f35b5bd6e74f60cf14d5b7a88909ac79b7b25e6bf5b60ffad46
SHA512

9ca26fcb63a3d6bad459c0d386638b4f1c5d07ab1ebeeb6b958adaae77fe9f277ceafd5a050bef1bb34b6b5aebc0c2a314334ecd4b610bcad296e2d4ceb79680
SSDEEP

6144:PbDN9i3aojIaWQoFeyDw/VG4g189vjHBqVYGpLRztkT:d9zOWQoFLDw/VNuoytkT

Score

10^/10

medusalocker evasion persistence ransomware

Malware Config

Extracted

Path

C:\Program Files\How_to_back_files.html

Ransom Note

<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; word-break: break-all; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">bOZralieQuJjTrsG4gnxZookcE/DR9L+jZJUocI5VYv37ZPxuyHkoKZv/c/I6xuGSMXnXQIDaEzaK93diIyH+EI3tNqXTcuDs0Z3RHG4pq6JgWsJWKuqBoODHCJoxrTQ1RXiGbRuDlQOHDjA1bzGS3tuQRdq3Is8dbovVLGuVxaD/yf/uMT5SQ+bodM+UbwMczbJg2ge/kaSHmJCK8nl5bTDvgMo66wjHC3Zwgvs/3izw9e3KP0yhjl239Ic4bvC+QoQnXhBfT9acUeyfySiKsSgyB9QYaN9g+KMdFt7JRWlWly6o3VvPP19ElcwOwtGOpCMgELUFWFKP8Zh8D/ZqbCperh6kSJC4XdIOMMchjNNbnlkxMGQjsrqMW2jhwuqJGXzGoUvnvmGMiQJEOwmsEOiFvS0p/QUvpJn2UinYikmMG/sLxNxV5n41bx0waMYIN3iIvfH0XKKdzAr8xs9ciJCot/irkXH4vlICwVmyBfBP/SwFaAddrPb8S2SvH47PclfIEpVqHT62puvBPYKyFJupg+iFRy+9VbMSyvofgWrMeVckz8U6caCNQ9fYgK4JDO8QOCf/md1i1Kq6h/LCD7UMLZuWzGd1yZZIvBXPW7BfeSwoFNRQlHAXyARBXX/RuKCB41WK9yN4wbcUSIIJX1rlrxp6MoMVPy3ujmK7MpuB2wm2mO2AB/j9aE/WFFzKoYDKXMwByhR1Pi2GNftDtMFBX9NIWMe6v8Onz1DaRZUaHzPWPAgPEGxJFAxhGYmNtx5X2FURCqUnDmXrnbfEjLjkqGMucoHcLiwL8761QpVNWGV8lKNE1wq9YRuCE6OGjhcCh/RaVAP0eNlfSwRorLBznkF0Fz/xSwgfUed2OPWjYNjulnUbsabZenfF3b5d9f1THIr00SLsnyg3SII73T7GdWvurYo5h/1ENCcBjkUqSa7rYUVHIFf1b6yDimjaDtwAgWwH+vDmT/hXUW1/u8u/es/cf70TAanJ2t9IyGe5dUxcnUHkynGcZff7Y5gKytxBvmSk3ZPZkC44NGh95hl657TcyKiFsZYY3OPMT47xRR2pPkoWG26Z9wSvU0St7dojw7YDZY9UiQ8ttzMQ17DryFzuvkOGs4NkIwjFj7NJ72juBUuHF+RaJbco/ZThG2k+De2K/9S/u1dQho3J7Rd0oKYU5UY3VdCjQprV1OiGCXzQyBMngv/9QRJCxkPc/xk7ExmG3h4pqMQQi24gt3VwNDayvdl0DqY+YHi+1AOlyx50Z2peAtC9ozIvzK/ug1xi7/7bebwUfuSZJm+O8SLJ6VUkcAh+fDI3vmVwkyk2zw3ZMdCjuBvuzj5TpsMR2yHKznBgAf2tPokGwV4P+ZR792RqNANytgiFF22m5XgSEdlzfbtzGlqBkYJBj7o3P4cfP1T1FRPPqi6tjRGSQCX3XHK5V1JV4qSkEbSnQJm4zXKRlL4rkw1qe1ksOPYOn/62xr0v2mBFLqpiLO+T2WXSbphFqoKDCILBNyP7mdD2ogjwgprPZ5ZZQ1SBuhxppDok7L5cPRx/PAa85+rmoUSJehKcORS1wK6rxauMJ0aWLP+j15qdsBplTzemy2a3Hb0ORewDDLaL7uMCTQhebJ3oa+ScczpD6eaEumYF8kW9UNqMp4Bw3cBkMYuLfaPfzpHWF85sIZrGZhQGryKzwow5Vb0pRn3ZzOK9jnna6o=</span> <br>  </div> </div>  <div class="tabs">  <div class="tab"> <div id="tab-content1" class="content"> <div class="text">  <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br>  <hr> <b>Contact us for price and get decryption software.</b><br><br> <hr> <b>email:</b><br> <a href="[email protected] ">[email protected] </a> <br> <a href="[email protected] ">[email protected] </a> <br> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> </div> </div> </div>   </div> </div>  </div> </div> </body> </html>

Emails

href="[email protected]

">[email protected]

href="[email protected]

">[email protected]

Extracted

Path

C:\USERS\ADMIN\DESKTOP\HOW_TO_BACK_FILES.HTML

Family

medusalocker

Ransom Note

Your personal ID: bOZralieQuJjTrsG4gnxZookcE/DR9L+jZJUocI5VYv37ZPxuyHkoKZv/c/I6xuGSMXnXQIDaEzaK93diIyH+EI3tNqXTcuDs0Z3RHG4pq6JgWsJWKuqBoODHCJoxrTQ1RXiGbRuDlQOHDjA1bzGS3tuQRdq3Is8dbovVLGuVxaD/yf/uMT5SQ+bodM+UbwMczbJg2ge/kaSHmJCK8nl5bTDvgMo66wjHC3Zwgvs/3izw9e3KP0yhjl239Ic4bvC+QoQnXhBfT9acUeyfySiKsSgyB9QYaN9g+KMdFt7JRWlWly6o3VvPP19ElcwOwtGOpCMgELUFWFKP8Zh8D/ZqbCperh6kSJC4XdIOMMchjNNbnlkxMGQjsrqMW2jhwuqJGXzGoUvnvmGMiQJEOwmsEOiFvS0p/QUvpJn2UinYikmMG/sLxNxV5n41bx0waMYIN3iIvfH0XKKdzAr8xs9ciJCot/irkXH4vlICwVmyBfBP/SwFaAddrPb8S2SvH47PclfIEpVqHT62puvBPYKyFJupg+iFRy+9VbMSyvofgWrMeVckz8U6caCNQ9fYgK4JDO8QOCf/md1i1Kq6h/LCD7UMLZuWzGd1yZZIvBXPW7BfeSwoFNRQlHAXyARBXX/RuKCB41WK9yN4wbcUSIIJX1rlrxp6MoMVPy3ujmK7MpuB2wm2mO2AB/j9aE/WFFzKoYDKXMwByhR1Pi2GNftDtMFBX9NIWMe6v8Onz1DaRZUaHzPWPAgPEGxJFAxhGYmNtx5X2FURCqUnDmXrnbfEjLjkqGMucoHcLiwL8761QpVNWGV8lKNE1wq9YRuCE6OGjhcCh/RaVAP0eNlfSwRorLBznkF0Fz/xSwgfUed2OPWjYNjulnUbsabZenfF3b5d9f1THIr00SLsnyg3SII73T7GdWvurYo5h/1ENCcBjkUqSa7rYUVHIFf1b6yDimjaDtwAgWwH+vDmT/hXUW1/u8u/es/cf70TAanJ2t9IyGe5dUxcnUHkynGcZff7Y5gKytxBvmSk3ZPZkC44NGh95hl657TcyKiFsZYY3OPMT47xRR2pPkoWG26Z9wSvU0St7dojw7YDZY9UiQ8ttzMQ17DryFzuvkOGs4NkIwjFj7NJ72juBUuHF+RaJbco/ZThG2k+De2K/9S/u1dQho3J7Rd0oKYU5UY3VdCjQprV1OiGCXzQyBMngv/9QRJCxkPc/xk7ExmG3h4pqMQQi24gt3VwNDayvdl0DqY+YHi+1AOlyx50Z2peAtC9ozIvzK/ug1xi7/7bebwUfuSZJm+O8SLJ6VUkcAh+fDI3vmVwkyk2zw3ZMdCjuBvuzj5TpsMR2yHKznBgAf2tPokGwV4P+ZR792RqNANytgiFF22m5XgSEdlzfbtzGlqBkYJBj7o3P4cfP1T1FRPPqi6tjRGSQCX3XHK5V1JV4qSkEbSnQJm4zXKRlL4rkw1qe1ksOPYOn/62xr0v2mBFLqpiLO+T2WXSbphFqoKDCILBNyP7mdD2ogjwgprPZ5ZZQ1SBuhxppDok7L5cPRx/PAa85+rmoUSJehKcORS1wK6rxauMJ0aWLP+j15qdsBplTzemy2a3Hb0ORewDDLaL7uMCTQhebJ3oa+ScczpD6eaEumYF8kW9UNqMp4Bw3cBkMYuLfaPfzpHWF85sIZrGZhQGryKzwow5Vb0pRn3ZzOK9jnna6o= /!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\ All your important files have been encrypted! Your files are safe! Only modified. (RSA+AES) ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE WILL PERMANENTLY CORRUPT IT. DO NOT MODIFY ENCRYPTED FILES. DO NOT RENAME ENCRYPTED FILES. No software available on internet can help you. We are the only ones able to solve your problem. We gathered highly confidential/personal data. These data are currently stored on a private server. This server will be immediately destroyed after your payment. If you decide to not pay, we will release your data to public or re-seller. So you can expect your data to be publicly available in the near future.. We only seek money and our goal is not to damage your reputation or prevent your business from running. You will can send us 2-3 non-important files and we will decrypt it for free to prove we are able to give your files back. Contact us for price and get decryption software. email: [email protected] [email protected] * To contact us, create a new free email account on the site: protonmail.com IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.

Emails

[email protected]

Signatures

MedusaLocker
Ransomware with several variants first seen in September 2019.
ransomware medusalocker
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

busavelock96.exe

description pid process target process

PID 2796 created 1416 2796 busavelock96.exe Explorer.EXE
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

4716 bcdedit.exe
2944 bcdedit.exe
Renames multiple (7573) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes System State backups 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

2328 wbadmin.exe
Deletes system backups 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

4116 wbadmin.exe

description	pid	process	target process
PID 2796 created 1416	2796	busavelock96.exe	Explorer.EXE

pid	process
4716	bcdedit.exe
2944	bcdedit.exe

pid	process
2328	wbadmin.exe

pid	process
4116	wbadmin.exe

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

busavelock96.exe

description ioc process

File opened for modification \??\A:\$RECYCLE.BIN\S-1-5-21-3011986978-2180659500-3669311805-1000\desktop.ini busavelock96.exe

description	ioc	process
File opened for modification	\??\A:\$RECYCLE.BIN\S-1-5-21-3011986978-2180659500-3669311805-1000\desktop.ini	busavelock96.exe

Enumerates connected drives 3 TTPs 28 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

busavelock96.exeexplorer.execipher.execipher.exe

description	ioc	process
File opened (read-only)	\??\G:	busavelock96.exe
File opened (read-only)	\??\H:	busavelock96.exe
File opened (read-only)	\??\K:	busavelock96.exe
File opened (read-only)	\??\M:	busavelock96.exe
File opened (read-only)	\??\U:	busavelock96.exe
File opened (read-only)	\??\V:	busavelock96.exe
File opened (read-only)	\??\Y:	busavelock96.exe
File opened (read-only)	\??\A:	busavelock96.exe
File opened (read-only)	\??\A:	explorer.exe
File opened (read-only)	\??\Q:	busavelock96.exe
File opened (read-only)	\??\X:	busavelock96.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\E:	busavelock96.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	cipher.exe
File opened (read-only)	\??\O:	busavelock96.exe
File opened (read-only)	\??\W:	busavelock96.exe
File opened (read-only)	\??\B:	busavelock96.exe
File opened (read-only)	\??\R:	busavelock96.exe
File opened (read-only)	\??\J:	busavelock96.exe
File opened (read-only)	\??\P:	busavelock96.exe
File opened (read-only)	\??\Z:	busavelock96.exe
File opened (read-only)	\??\I:	busavelock96.exe
File opened (read-only)	\??\N:	busavelock96.exe
File opened (read-only)	\??\S:	busavelock96.exe
File opened (read-only)	\??\A:	cipher.exe
File opened (read-only)	\??\L:	busavelock96.exe
File opened (read-only)	\??\T:	busavelock96.exe

Drops file in Program Files directory 64 IoCs

Processes:

busavelock96.exe

description	ioc	process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\home-view\How_to_back_files.html	busavelock96.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ko-kr\ui-strings.js	busavelock96.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteWideTile.scale-100.png	busavelock96.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-black\How_to_back_files.html	busavelock96.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\ImmersiveVideoPlayback\Content\Shaders\LoadedModelShaders\StandardLighting.hlsl	busavelock96.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\es-ES\wmpnssui.dll.mui	busavelock96.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\1.0.1\Example2.Diagnostics.psd1	busavelock96.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MedTile.scale-100_contrast-black.png	busavelock96.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\large_trefoil.png	busavelock96.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square310x310\PaintLargeTile.scale-150.png	busavelock96.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\FileAssociation\FileAssociation.targetsize-16.png	busavelock96.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\Fonts\MemMDL2.1.85.ttf	busavelock96.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.scale-200.png	busavelock96.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-30_altform-unplated.png	busavelock96.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-48_altform-lightunplated_devicefamily-colorfulunplated.png	busavelock96.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\plugins\rhp\generic-rhp-app-tool-view.js	busavelock96.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteMediumTile.scale-200.png	busavelock96.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\root\ui-strings.js	busavelock96.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Yahoo-Light.scale-100.png	busavelock96.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\typing\bubble\dark.gif	busavelock96.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\OutlookMailSmallTile.scale-200.png	busavelock96.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\uk-ua\ui-strings.js	busavelock96.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\zh-tw\How_to_back_files.html	busavelock96.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\nl_get.svg	busavelock96.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ko-kr\How_to_back_files.html	busavelock96.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\dark\nub.png	busavelock96.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNewNoteSmallTile.scale-100.png	busavelock96.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\How_to_back_files.html	busavelock96.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\Background_RoomTracing_02.jpg	busavelock96.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MedTile.scale-125_contrast-white.png	busavelock96.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\zh-tw\How_to_back_files.html	busavelock96.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\zh-tw\How_to_back_files.html	busavelock96.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-100_8wekyb3d8bbwe\images\splashscreen.scale-100.png	busavelock96.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\SkypeAppList.targetsize-24_altform-unplated.png	busavelock96.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\word.x-none.msi.16.x-none.boot.tree.dat	busavelock96.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-white\WideTile.scale-100.png	busavelock96.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-il\ui-strings.js	busavelock96.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\dc-annotations\js\How_to_back_files.html	busavelock96.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\ir.idl	busavelock96.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\StoreLogo.scale-100.png	busavelock96.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_x64__8wekyb3d8bbwe\BuildInfo.xml	busavelock96.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\de-de\ui-strings.js	busavelock96.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\sat_logo_2x.png	busavelock96.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\lt.pak	busavelock96.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tet\LC_MESSAGES\vlc.mo	busavelock96.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionLargeTile.scale-200.png	busavelock96.exe
File created	C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\AppxMetadata\How_to_back_files.html	busavelock96.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ExchangeMediumTile.scale-125.png	busavelock96.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\pt-PT\View3d\3DViewerProductDescription-universal.xml	busavelock96.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui	busavelock96.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-black\MedTile.scale-125.png	busavelock96.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Programmer.targetsize-64_contrast-white.png	busavelock96.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-black\LargeTile.scale-200.png	busavelock96.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification.zh_CN_5.5.0.165303.jar	busavelock96.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-options.xml	busavelock96.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\node_modules\reactxp-experimental-navigation\NavigationExperimental\assets\[email protected]	busavelock96.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\StoreLogo.scale-150.png	busavelock96.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\Dismiss.scale-64.png	busavelock96.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ca-es\ui-strings.js	busavelock96.exe
File created	C:\Program Files\Google\How_to_back_files.html	busavelock96.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\cpdf\plugin.js	busavelock96.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_Star.png	busavelock96.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupSmallTile.scale-400.png	busavelock96.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-black\WideTile.scale-200.png	busavelock96.exe

Drops file in Windows directory 3 IoCs

Processes:

wbadmin.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.1.etl	wbadmin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 5 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

3108 1416 WerFault.exe Explorer.EXE
4240 4668 WerFault.exe
4392 3004 WerFault.exe
2916 3796 WerFault.exe
3664 3180 WerFault.exe

pid	pid_target	process	target process
3108	1416	WerFault.exe	Explorer.EXE
4240	4668	WerFault.exe
4392	3004	WerFault.exe
2916	3796	WerFault.exe
3664	3180	WerFault.exe

Checks SCSI registry key(s) 3 TTPs 58 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

4144 vssadmin.exe

pid	process
4144	vssadmin.exe

Kills process with taskkill 14 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
4124	taskkill.exe
1128	taskkill.exe
1756	taskkill.exe
4384	taskkill.exe
4784	taskkill.exe
1932	taskkill.exe
5012	taskkill.exe
1976	taskkill.exe
4828	taskkill.exe
3152	taskkill.exe
1192	taskkill.exe
3584	taskkill.exe
1224	taskkill.exe
1292	taskkill.exe

Modifies registry class 36 IoCs

Processes:

explorer.exeSearchApp.exeStartMenuExperienceHost.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\PastIconsStream = 1400000005000000010001002000000014000000494c2006200024003c0010001000ffffffff2110ffffffffffffffff424d36000000000000003600000028000000100000004002000001002000000000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf30303030000000000000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef30303030000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8fffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff30303030000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbfffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040dfdfdfdf0000000020202020ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040cfcfcfcf0000000020202020ffffffffffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff40404040000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbf000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8f00000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef303030300000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf303030300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffff000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff00000000ffffffff00000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf30303030000000000000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef30303030000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8fffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff30303030000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbfffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040dfdfdfdf0000000020202020ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040cfcfcfcf0000000020202020ffffffffffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff40404040000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbf000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8f00000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef303030300000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf303030300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffff000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff00000000ffffffff00000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf30303030000000000000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef30303030000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8fffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff30303030000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbfffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040dfdfdfdf0000000020202020ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040cfcfcfcf0000000020202020ffffffffffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff40404040000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbf000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8f00000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef303030300000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf303030300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffff000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff00000000ffffffff00000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf30303030000000000000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef30303030000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8fffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff30303030000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbfffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040dfdfdfdf0000000020202020ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040cfcfcfcf0000000020202020ffffffffffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff40404040000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbf000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8f00000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef303030300000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf303030300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffff000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff00000000ffffffff00000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf30303030000000000000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef30303030000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8fffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff30303030000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbfffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040dfdfdfdf0000000020202020ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040cfcfcfcf0000000020202020ffffffffffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff40404040000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbf000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8f00000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef303030300000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf303030300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffff000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff00000000ffffffff00000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf30303030000000000000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef30303030000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8fffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff30303030000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbfffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040dfdfdfdf0000000020202020ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040cfcfcfcf0000000020202020ffffffffffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff40404040000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbf000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8f00000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef303030300000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf303030300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffff000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff00000000ffffffff00000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf30303030000000000000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef30303030000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8fffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff30303030000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbfffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040dfdfdfdf0000000020202020ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040cfcfcfcf0000000020202020ffffffffffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff40404040000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbf000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8f00000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef303030300000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf303030300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffff000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff00000000ffffffff00000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf30303030000000000000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef30303030000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8fffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff30303030000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbfffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040dfdfdfdf0000000020202020ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040cfcfcfcf0000000020202020ffffffffffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff40404040000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbf000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8f00000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef303030300000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf303030300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffff000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff00000000ffffffff00000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf30303030000000000000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef30303030000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8fffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff30303030000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbfffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040dfdfdfdf0000000020202020ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040cfcfcfcf0000000020202020ffffffffffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff40404040000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbf000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8f00000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef303030300000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf303030300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffff000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff00000000ffffffff00000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf30303030000000000000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef30303030000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8fffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff30303030000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbfffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040dfdfdfdf0000000020202020ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040cfcfcfcf0000000020202020ffffffffffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff40404040000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbf000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8f00000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef303030300000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf303030300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffff000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff00000000ffffffff00000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf30303030000000000000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef30303030000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8fffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff30303030000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbfffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040dfdfdfdf0000000020202020ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040cfcfcfcf0000000020202020ffffffffffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff40404040000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbf000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8f00000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef303030300000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf303030300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffff000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff00000000ffffffff00000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf30303030000000000000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef30303030000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8fffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff30303030000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbfffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040dfdfdfdf0000000020202020ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040cfcfcfcf0000000020202020ffffffffffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff40404040000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbf000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8f00000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef303030300000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf303030300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffff000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff00000000ffffffff00000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060606060a0a0a0a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060606060ffffffff60606060000000000000000030303030868686869999999999999999999999999999999999999999999999999999999999999999babababaffffffff60606060303030300a0a0a0a3c3c3c3c9e9e9e9e9999999999999999999999999999999999999999999999999999999999999999babababaffffffff606060603a3a3a3a999999996b6b6b6b464646467d7d7d7d8c8c8c8ca6a6a6a69999999999999999999999999999999999999999babababaffffffff606060603a3a3a3aa6a6a6a69b9b9b9b7d7d7d7d6666666666666666666666666c6c6c6c8c8c8c8c9b9b9b9b9b9b9b9b99999999babababaffffffff60606060404040409f9f9f9f8e8e8e8e808080808080808066666666666666666666666666666666666666666666666684848484b7b7b7b7ffffffff606060603030303097979797808080808080808080808080787878785a5a5a5a66666666666666666666666666666666666666669c9c9c9cffffffff606060602626262687878787808080808080808080808080808080802828282820202020666666666666666666666666666666669c9c9c9cffffffff606060601d1d1d1d4d4d4d4d535353536a6a6a6a6b6b6b6b40404040101010100000000000000000202020205a5a5a5a69696969a0a0a0a0ffffffff606060601d1d1d1d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d3a3a3a3a00000000000000000000000000000000000000000000000063636363ffffffff606060601d1d1d1d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d484848480e0e0e0e000000000000000000000000000000000000000060606060ffffffff606060600a0a0a0a4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d444444440e0e0e0e000000000000000000000000000000000000000000000000a0a0a0a06060606000000000000000000000000013131313131313130e0e0e0e0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000056565678888888bf888888bf888888bf888888bf888888bf888888bf888888bf888888bf888888bf888888bf4d4d4d6c33333348888888bf6f6f6f9b2b2b2b3c888888bf888888bf888888bf888888bf888888bf888888bf888888bf888888bf888888bf888888bf888888bf888888bf888888bf888888bf6a6a6a953737374d888888bf888888bf888888bf888888bf888888bf888888bf888888bf888888bf888888bf888888bf888888bf808080b4888888bf888888bf808080b30909090c6c6c6c97888888bf888888bf888888bf888888bf888888bf888888bf888888bf888888bf888888bf787878a8111111186f6f6f9c888888bf888888bf5e5e5e831010101711111118888888bf888888bf888888bf888888bf888888bf888888bf888888bf888888bf4d4d4d6c000000000909090c4d4d4d6c888888bf888888bf888888bf101010176363638b888888bf888888bf888888bf828282b65c5c5c81696969934545456000000000000000000000000011111118888888bf888888bf888888bf6f6f6f9b0808080b4242425d4f4f4f6e4c4c4c6b111111182222222f1515151e000000000000000000000000000000000000000067676790888888bf888888bf888888bf838383b96a6a6a956666668f6666668f777777a7888888bf3c3c3c5400000000000000000000000000000000000000000909090c565656786767679056565678808080b4888888bf888888bf888888bf888888bf808080b40909090c0000000000000000000000000000000000000000000000000000000000000000000000001a1a1a24787878a8888888bf888888bf676767901a1a1a240000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf30303030000000000000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef30303030000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8fffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff30303030000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbfffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040dfdfdfdf0000000020202020ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040cfcfcfcf0000000020202020ffffffffffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff40404040000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbf000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8f00000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef303030300000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf303030300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffff000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff00000000ffffffff00000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf30303030000000000000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef30303030000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8fffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff30303030000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbfffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040dfdfdfdf0000000020202020ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040cfcfcfcf0000000020202020ffffffffffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff40404040000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbf000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8f00000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef303030300000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf303030300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffff000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff00000000ffffffff00000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf30303030000000000000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef30303030000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8fffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff30303030000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbfffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040dfdfdfdf0000000020202020ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040cfcfcfcf0000000020202020ffffffffffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff40404040000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbf000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8f00000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef303030300000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf303030300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffff000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff00000000ffffffff00000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000424d3e000000000000003e0000002800000010000000400200000100010000000000000900000000000000000000000000000000000000000000ffffff0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffff0000fff90000f3f90000e3c80000c3c400000b2400007b2400007b3600007b3600007b2400000b240000c3c40000e3c80000f3f90000fff90000ffff0000ffff0000d80f0000df7f0000df7f0000c0000000dffe0000dffe0000dffe000007fe000077fe000057fe000007fe000077fe000000000000ffff0000ffff0000ffff0000fff90000f3f90000e3c80000c3c400000b2400007b2400007b3600007b3600007b2400000b240000c3c40000e3c80000f3f90000fff90000ffff0000ffff0000d80f0000df7f0000df7f0000c0000000dffe0000dffe0000dffe000007fe000077fe000057fe000007fe000077fe000000000000ffff0000ffff0000ffff0000fff90000f3f90000e3c80000c3c400000b2400007b2400007b3600007b3600007b2400000b240000c3c40000e3c80000f3f90000fff90000ffff0000ffff0000d80f0000df7f0000df7f0000c0000000dffe0000dffe0000dffe000007fe000077fe000057fe000007fe000077fe000000000000ffff0000ffff0000ffff0000fff90000f3f90000e3c80000c3c400000b2400007b2400007b3600007b3600007b2400000b240000c3c40000e3c80000f3f90000fff90000ffff0000ffff0000d80f0000df7f0000df7f0000c0000000dffe0000dffe0000dffe000007fe000077fe000057fe000007fe000077fe000000000000ffff0000ffff0000ffff0000fff90000f3f90000e3c80000c3c400000b2400007b2400007b3600007b3600007b2400000b240000c3c40000e3c80000f3f90000fff90000ffff0000ffff0000d80f0000df7f0000df7f0000c0000000dffe0000dffe0000dffe000007fe000077fe000057fe000007fe000077fe000000000000ffff0000ffff0000ffff0000fff90000f3f90000e3c80000c3c400000b2400007b2400007b3600007b3600007b2400000b240000c3c40000e3c80000f3f90000fff90000ffff0000ffff0000d80f0000df7f0000df7f0000c0000000dffe0000dffe0000dffe000007fe000077fe000057fe000007fe000077fe000000000000ffff0000ffff0000ffff0000fff90000f3f90000e3c80000c3c400000b2400007b2400007b3600007b3600007b2400000b240000c3c40000e3c80000f3f90000fff90000ffff0000ffff0000d80f0000df7f0000df7f0000c0000000dffe0000dffe0000dffe000007fe000077fe000057fe000007fe000077fe000000000000ffff0000ffff0000ffff0000fff90000f3f90000e3c80000c3c400000b2400007b2400007b3600007b3600007b2400000b240000c3c40000e3c80000f3f90000fff90000ffff0000ffff0000d80f0000df7f0000df7f0000c0000000dffe0000dffe0000dffe000007fe000077fe000057fe000007fe000077fe000000000000ffff0000ffff0000ffff0000fff90000f3f90000e3c80000c3c400000b2400007b2400007b3600007b3600007b2400000b240000c3c40000e3c80000f3f90000fff90000ffff0000ffff0000d80f0000df7f0000df7f0000c0000000dffe0000dffe0000dffe000007fe000077fe000057fe000007fe000077fe000000000000ffff0000ffff0000ffff0000fff90000f3f90000e3c80000c3c400000b2400007b2400007b3600007b3600007b2400000b240000c3c40000e3c80000f3f90000fff90000ffff0000ffff0000d80f0000df7f0000df7f0000c0000000dffe0000dffe0000dffe000007fe000077fe000057fe000007fe000077fe000000000000ffff0000ffff0000ffff0000fff90000f3f90000e3c80000c3c400000b2400007b2400007b3600007b3600007b2400000b240000c3c40000e3c80000f3f90000fff90000ffff0000ffff0000d80f0000df7f0000df7f0000c0000000dffe0000dffe0000dffe000007fe000077fe000057fe000007fe000077fe000000000000ffff0000ffff0000ffff0000fff90000f3f90000e3c80000c3c400000b2400007b2400007b3600007b3600007b2400000b240000c3c40000e3c80000f3f90000fff90000ffff0000ffff0000d80f0000df7f0000df7f0000c0000000dffe0000dffe0000dffe000007fe000077fe000057fe000007fe000077fe000000000000ffff0000ffff0000ffff0000fff90000fff100008000000000000000000000000000000000000000000000000001000080070000e0070000c00f0000ce3f0000ffff0000ffff0000ffff0000ffff0000ffff0000ffff0000f0000000000000000000000000000000000100000003000080070000c0070000c0070000fc0f0000ffff0000ffff0000ffff0000fff90000f3f90000e3c80000c3c400000b2400007b2400007b3600007b3600007b2400000b240000c3c40000e3c80000f3f90000fff90000ffff0000ffff0000d80f0000df7f0000df7f0000c0000000dffe0000dffe0000dffe000007fe000077fe000057fe000007fe000077fe000000000000ffff0000ffff0000ffff0000fff90000f3f90000e3c80000c3c400000b2400007b2400007b3600007b3600007b2400000b240000c3c40000e3c80000f3f90000fff90000ffff0000ffff0000d80f0000df7f0000df7f0000c0000000dffe0000dffe0000dffe000007fe000077fe000057fe000007fe000077fe000000000000ffff0000ffff0000ffff0000fff90000f3f90000e3c80000c3c400000b2400007b2400007b3600007b3600007b2400000b240000c3c40000e3c80000f3f90000fff90000ffff0000ffff0000d80f0000df7f0000df7f0000c0000000dffe0000dffe0000dffe000007fe000077fe000057fe000007fe000077fe000000000000ffff0000ffff0000000000000000000000000000000000000000000000000100000008000000200000000a0000001401000001000000000000000100000000000000010000000000000001000000000000000100000000000000010000000000000001000000000000000100000000000000010000000000000001000000000000000100000000000000010000000000000001000000000000000100000000000000010000000000000001000000000000000100000000000000010000000000000001000000000000000100000000000000010000000000000001000000000000000100000000000000010000000000000001000000000000000100000000000000010000000000000001000000000000000100000000000000010000000000000001000000000000000100000000000000	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3011986978-2180659500-3669311805-1000\{B1DD180F-8344-4920-92A8-76A90C6EA00D}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "133328607518844181"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 14000000070000000100010007000000140000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000fdc000000000000002000000e70707004100720067006a00620065007800200032000a005600610067007200650061007200670020006e0070007000720066006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001e00000074ae2078e323294282c1e41cb67d5b9c000000000000000000000000a6e96ffb29b4d90100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000040000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000002000000e70707004600630072006e0078007200650066003a002000360037002500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000001f00000073ae2078e323294282c1e41cb67d5b9c000000000000000000000000af50f6fa29b4d90100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a0066000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000500000050003a005c00480066007200650066005c004e0071007a00760061005c004e006300630051006e0067006e005c005900620070006e0079005c005a00760070006500620066006200730067005c00420061007200510065007600690072005c00420061007200510065007600690072002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f50100000000000000000000e7070700420061007200510065007600690072000a0041006200670020006600760074006100720071002000760061000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007000000000000000000000000000000000000000000000000000000000000007b52d8f1a9add90100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e70707000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000075ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e70707000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000081ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e70707000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000082ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e70707000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000083ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

busavelock96.exe

pid	process
2796	busavelock96.exe
2796	busavelock96.exe
2796	busavelock96.exe
2796	busavelock96.exe
2796	busavelock96.exe
2796	busavelock96.exe
2796	busavelock96.exe
2796	busavelock96.exe
2796	busavelock96.exe
2796	busavelock96.exe
2796	busavelock96.exe
2796	busavelock96.exe
2796	busavelock96.exe
2796	busavelock96.exe
2796	busavelock96.exe
2796	busavelock96.exe
2796	busavelock96.exe
2796	busavelock96.exe
2796	busavelock96.exe
2796	busavelock96.exe
2796	busavelock96.exe
2796	busavelock96.exe
2796	busavelock96.exe
2796	busavelock96.exe
2796	busavelock96.exe
2796	busavelock96.exe
2796	busavelock96.exe
2796	busavelock96.exe
2796	busavelock96.exe
2796	busavelock96.exe
2796	busavelock96.exe
2796	busavelock96.exe
2796	busavelock96.exe
2796	busavelock96.exe
2796	busavelock96.exe
2796	busavelock96.exe
2796	busavelock96.exe
2796	busavelock96.exe
2796	busavelock96.exe
2796	busavelock96.exe
2796	busavelock96.exe
2796	busavelock96.exe
2796	busavelock96.exe
2796	busavelock96.exe
2796	busavelock96.exe
2796	busavelock96.exe
2796	busavelock96.exe
2796	busavelock96.exe
2796	busavelock96.exe
2796	busavelock96.exe
2796	busavelock96.exe
2796	busavelock96.exe
2796	busavelock96.exe
2796	busavelock96.exe
2796	busavelock96.exe
2796	busavelock96.exe
2796	busavelock96.exe
2796	busavelock96.exe
2796	busavelock96.exe
2796	busavelock96.exe
2796	busavelock96.exe
2796	busavelock96.exe
2796	busavelock96.exe
2796	busavelock96.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeWMIC.exevssvc.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	1932	taskkill.exe
Token: SeDebugPrivilege	5012	taskkill.exe
Token: SeDebugPrivilege	3584	taskkill.exe
Token: SeDebugPrivilege	1128	taskkill.exe
Token: SeDebugPrivilege	1756	taskkill.exe
Token: SeDebugPrivilege	1224	taskkill.exe
Token: SeDebugPrivilege	1976	taskkill.exe
Token: SeDebugPrivilege	3152	taskkill.exe
Token: SeDebugPrivilege	1292	taskkill.exe
Token: SeDebugPrivilege	4828	taskkill.exe
Token: SeDebugPrivilege	4384	taskkill.exe
Token: SeDebugPrivilege	1192	taskkill.exe
Token: SeIncreaseQuotaPrivilege	4736	WMIC.exe
Token: SeSecurityPrivilege	4736	WMIC.exe
Token: SeTakeOwnershipPrivilege	4736	WMIC.exe
Token: SeLoadDriverPrivilege	4736	WMIC.exe
Token: SeSystemProfilePrivilege	4736	WMIC.exe
Token: SeSystemtimePrivilege	4736	WMIC.exe
Token: SeProfSingleProcessPrivilege	4736	WMIC.exe
Token: SeIncBasePriorityPrivilege	4736	WMIC.exe
Token: SeCreatePagefilePrivilege	4736	WMIC.exe
Token: SeBackupPrivilege	4736	WMIC.exe
Token: SeRestorePrivilege	4736	WMIC.exe
Token: SeShutdownPrivilege	4736	WMIC.exe
Token: SeDebugPrivilege	4736	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4736	WMIC.exe
Token: SeRemoteShutdownPrivilege	4736	WMIC.exe
Token: SeUndockPrivilege	4736	WMIC.exe
Token: SeManageVolumePrivilege	4736	WMIC.exe
Token: 33	4736	WMIC.exe
Token: 34	4736	WMIC.exe
Token: 35	4736	WMIC.exe
Token: 36	4736	WMIC.exe
Token: SeBackupPrivilege	2388	vssvc.exe
Token: SeRestorePrivilege	2388	vssvc.exe
Token: SeAuditPrivilege	2388	vssvc.exe
Token: SeShutdownPrivilege	820	explorer.exe
Token: SeCreatePagefilePrivilege	820	explorer.exe
Token: SeShutdownPrivilege	820	explorer.exe
Token: SeCreatePagefilePrivilege	820	explorer.exe
Token: SeShutdownPrivilege	820	explorer.exe
Token: SeCreatePagefilePrivilege	820	explorer.exe
Token: SeShutdownPrivilege	820	explorer.exe
Token: SeCreatePagefilePrivilege	820	explorer.exe
Token: SeShutdownPrivilege	820	explorer.exe
Token: SeCreatePagefilePrivilege	820	explorer.exe
Token: SeShutdownPrivilege	820	explorer.exe
Token: SeCreatePagefilePrivilege	820	explorer.exe
Token: SeShutdownPrivilege	820	explorer.exe
Token: SeCreatePagefilePrivilege	820	explorer.exe
Token: SeShutdownPrivilege	820	explorer.exe
Token: SeCreatePagefilePrivilege	820	explorer.exe
Token: SeShutdownPrivilege	820	explorer.exe
Token: SeCreatePagefilePrivilege	820	explorer.exe
Token: SeShutdownPrivilege	820	explorer.exe
Token: SeCreatePagefilePrivilege	820	explorer.exe
Token: SeShutdownPrivilege	820	explorer.exe
Token: SeCreatePagefilePrivilege	820	explorer.exe
Token: SeShutdownPrivilege	820	explorer.exe
Token: SeCreatePagefilePrivilege	820	explorer.exe
Token: SeShutdownPrivilege	820	explorer.exe
Token: SeCreatePagefilePrivilege	820	explorer.exe
Token: SeShutdownPrivilege	820	explorer.exe
Token: SeCreatePagefilePrivilege	820	explorer.exe

Suspicious use of FindShellTrayWindow 54 IoCs

Processes:

explorer.exe

pid	process
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe

Suspicious use of SendNotifyMessage 23 IoCs

Processes:

explorer.exe

pid	process
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

StartMenuExperienceHost.exeexplorer.exeSearchApp.exe

pid process

5028 StartMenuExperienceHost.exe
820 explorer.exe
2508 SearchApp.exe
820 explorer.exe

pid	process
5028	StartMenuExperienceHost.exe
820	explorer.exe
2508	SearchApp.exe
820	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

busavelock96.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2796 wrote to memory of 4852	2796	busavelock96.exe	cmd.exe
PID 2796 wrote to memory of 4852	2796	busavelock96.exe	cmd.exe
PID 2796 wrote to memory of 4852	2796	busavelock96.exe	cmd.exe
PID 4852 wrote to memory of 548	4852	cmd.exe	cmd.exe
PID 4852 wrote to memory of 548	4852	cmd.exe	cmd.exe
PID 2796 wrote to memory of 1620	2796	busavelock96.exe	cmd.exe
PID 2796 wrote to memory of 1620	2796	busavelock96.exe	cmd.exe
PID 2796 wrote to memory of 1620	2796	busavelock96.exe	cmd.exe
PID 1620 wrote to memory of 2784	1620	cmd.exe	cmd.exe
PID 1620 wrote to memory of 2784	1620	cmd.exe	cmd.exe
PID 2784 wrote to memory of 1932	2784	cmd.exe	taskkill.exe
PID 2784 wrote to memory of 1932	2784	cmd.exe	taskkill.exe
PID 2796 wrote to memory of 3188	2796	busavelock96.exe	cmd.exe
PID 2796 wrote to memory of 3188	2796	busavelock96.exe	cmd.exe
PID 2796 wrote to memory of 3188	2796	busavelock96.exe	cmd.exe
PID 3188 wrote to memory of 4988	3188	cmd.exe	cmd.exe
PID 3188 wrote to memory of 4988	3188	cmd.exe	cmd.exe
PID 4988 wrote to memory of 4124	4988	cmd.exe	taskkill.exe
PID 4988 wrote to memory of 4124	4988	cmd.exe	taskkill.exe
PID 2796 wrote to memory of 4788	2796	busavelock96.exe	cmd.exe
PID 2796 wrote to memory of 4788	2796	busavelock96.exe	cmd.exe
PID 2796 wrote to memory of 4788	2796	busavelock96.exe	cmd.exe
PID 4788 wrote to memory of 672	4788	cmd.exe	cmd.exe
PID 4788 wrote to memory of 672	4788	cmd.exe	cmd.exe
PID 672 wrote to memory of 5012	672	cmd.exe	taskkill.exe
PID 672 wrote to memory of 5012	672	cmd.exe	taskkill.exe
PID 2796 wrote to memory of 2108	2796	busavelock96.exe	cmd.exe
PID 2796 wrote to memory of 2108	2796	busavelock96.exe	cmd.exe
PID 2796 wrote to memory of 2108	2796	busavelock96.exe	cmd.exe
PID 2108 wrote to memory of 2264	2108	cmd.exe	cmd.exe
PID 2108 wrote to memory of 2264	2108	cmd.exe	cmd.exe
PID 2264 wrote to memory of 3584	2264	cmd.exe	taskkill.exe
PID 2264 wrote to memory of 3584	2264	cmd.exe	taskkill.exe
PID 2796 wrote to memory of 1484	2796	busavelock96.exe	cmd.exe
PID 2796 wrote to memory of 1484	2796	busavelock96.exe	cmd.exe
PID 2796 wrote to memory of 1484	2796	busavelock96.exe	cmd.exe
PID 1484 wrote to memory of 1752	1484	cmd.exe	cmd.exe
PID 1484 wrote to memory of 1752	1484	cmd.exe	cmd.exe
PID 1752 wrote to memory of 1128	1752	cmd.exe	taskkill.exe
PID 1752 wrote to memory of 1128	1752	cmd.exe	taskkill.exe
PID 2796 wrote to memory of 2916	2796	busavelock96.exe	cmd.exe
PID 2796 wrote to memory of 2916	2796	busavelock96.exe	cmd.exe
PID 2796 wrote to memory of 2916	2796	busavelock96.exe	cmd.exe
PID 2916 wrote to memory of 3120	2916	cmd.exe	cmd.exe
PID 2916 wrote to memory of 3120	2916	cmd.exe	cmd.exe
PID 3120 wrote to memory of 1756	3120	cmd.exe	taskkill.exe
PID 3120 wrote to memory of 1756	3120	cmd.exe	taskkill.exe
PID 2796 wrote to memory of 2012	2796	busavelock96.exe	cmd.exe
PID 2796 wrote to memory of 2012	2796	busavelock96.exe	cmd.exe
PID 2796 wrote to memory of 2012	2796	busavelock96.exe	cmd.exe
PID 2012 wrote to memory of 492	2012	cmd.exe	cmd.exe
PID 2012 wrote to memory of 492	2012	cmd.exe	cmd.exe
PID 492 wrote to memory of 1224	492	cmd.exe	taskkill.exe
PID 492 wrote to memory of 1224	492	cmd.exe	taskkill.exe
PID 2796 wrote to memory of 560	2796	busavelock96.exe	cmd.exe
PID 2796 wrote to memory of 560	2796	busavelock96.exe	cmd.exe
PID 2796 wrote to memory of 560	2796	busavelock96.exe	cmd.exe
PID 560 wrote to memory of 4768	560	cmd.exe	cmd.exe
PID 560 wrote to memory of 4768	560	cmd.exe	cmd.exe
PID 4768 wrote to memory of 1976	4768	cmd.exe	taskkill.exe
PID 4768 wrote to memory of 1976	4768	cmd.exe	taskkill.exe
PID 2796 wrote to memory of 4112	2796	busavelock96.exe	cmd.exe
PID 2796 wrote to memory of 4112	2796	busavelock96.exe	cmd.exe
PID 2796 wrote to memory of 4112	2796	busavelock96.exe	cmd.exe

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

Processes:

busavelock96.exebusavelock96.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	busavelock96.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	busavelock96.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	busavelock96.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	busavelock96.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1416
- C:\Users\Admin\AppData\Local\Temp\busavelock96.exe
  "C:\Users\Admin\AppData\Local\Temp\busavelock96.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2796
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill "SQL"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4852
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c rem Kill "SQL"
      4⤵
      PID:548
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1620
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2784
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sqlbrowser.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3188
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4988
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sql writer.exe
        5⤵
        Kills process with taskkill
        
        PID:4124
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4788
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:672
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sqlserv.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5012
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2108
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2264
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im msmdsrv.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3584
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1484
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1752
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im MsDtsSrvr.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1128
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2916
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3120
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sqlceip.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1756
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2012
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:492
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im fdlauncher.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1224
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:560
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4768
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im Ssms.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1976
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
    3⤵
    PID:4112
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
      4⤵
      PID:1888
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im SQLAGENT.EXE
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3152
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
    3⤵
    PID:4980
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
      4⤵
      PID:4940
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im fdhost.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1292
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
    3⤵
    PID:3772
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
      4⤵
      PID:2972
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im ReportingServicesService.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4828
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
    3⤵
    PID:3076
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
      4⤵
      PID:228
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im msftesql.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4384
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
    3⤵
    PID:1492
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
      4⤵
      PID:3136
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im pg_ctl.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1192
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -impostgres.exe
    3⤵
    PID:5060
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -impostgres.exe
      4⤵
      PID:60
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -impostgres.exe
        5⤵
        Kills process with taskkill
        
        PID:4784
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
    3⤵
    PID:3940
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
      4⤵
      PID:2704
    - - C:\Windows\system32\net.exe
        
        net stop MSSQLServerADHelper100
        5⤵
        
        PID:4540
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQLServerADHelper100
        6⤵
        
        PID:3160
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS
    3⤵
    PID:2740
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS
      4⤵
      PID:880
    - - C:\Windows\system32\net.exe
        
        net stop MSSQL$ISARS
        5⤵
        
        PID:2216
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$ISARS
        6⤵
        
        PID:2396
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW
    3⤵
    PID:4224
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW
      4⤵
      PID:1056
    - - C:\Windows\system32\net.exe
        
        net stop MSSQL$MSFW
        5⤵
        
        PID:2848
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$MSFW
        6⤵
        
        PID:4448
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS
    3⤵
    PID:4976
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS
      4⤵
      PID:4788
    - - C:\Windows\system32\net.exe
        
        net stop SQLAgent$ISARS
        5⤵
        
        PID:3852
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$ISARS
        6⤵
        
        PID:544
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW
    3⤵
    PID:3328
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW
      4⤵
      PID:4712
    - - C:\Windows\system32\net.exe
        
        net stop SQLAgent$MSFW
        5⤵
        
        PID:3968
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$MSFW
        6⤵
        
        PID:1316
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser
    3⤵
    PID:4572
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser
      4⤵
      PID:4536
    - - C:\Windows\system32\net.exe
        
        net stop SQLBrowser
        5⤵
        
        PID:1484
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLBrowser
        6⤵
        
        PID:4548
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop REportServer$ISARS
    3⤵
    PID:2888
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop REportServer$ISARS
      4⤵
      PID:4848
    - - C:\Windows\system32\net.exe
        
        net stop REportServer$ISARS
        5⤵
        
        PID:8
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop REportServer$ISARS
        6⤵
        
        PID:3800
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter
    3⤵
    PID:2916
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLWriter
      4⤵
      PID:3956
    - - C:\Windows\system32\net.exe
        
        net stop SQLWriter
        5⤵
        
        PID:4812
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLWriter
        6⤵
        
        PID:2800
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    PID:2188
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
      4⤵
      PID:2180
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin.exe Delete Shadows /All /Quiet
        5⤵
        Interacts with shadow copies
        
        PID:4144
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
    3⤵
    PID:4512
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
      4⤵
      PID:560
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin delete backup -keepVersion:0 -quiet
        5⤵
        Deletes system backups
        
        PID:4116
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
    3⤵
    PID:1224
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
      4⤵
      PID:4648
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic.exe SHADOWCOPY /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4736
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:3204
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      PID:4636
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:4716
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
    3⤵
    PID:1812
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
      4⤵
      PID:2448
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit.exe /set {default} recoverynabled No
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2944
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
    3⤵
    PID:2072
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
      4⤵
      PID:1784
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
        5⤵
        
        PID:3932
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
    3⤵
    PID:2520
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
      4⤵
      PID:2440
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin DELETE SYSTEMSTATEBACKUP
        5⤵
        Deletes System State backups
        Drops file in Windows directory
        
        PID:2328
- - C:\Windows\SysWOW64\cipher.exe
    cipher /w:\\?\A:
    3⤵
    - Enumerates connected drives
    PID:2448
- - C:\Windows\SysWOW64\cipher.exe
    cipher /w:\\?\F:
    3⤵
    - Enumerates connected drives
    PID:4400
- - C:\Windows\SysWOW64\cipher.exe
    cipher /w:\\?\C:
    3⤵
    PID:2512
- C:\Users\Admin\AppData\Local\Temp\busavelock96.exe
  \\?\C:\Users\Admin\AppData\Local\Temp\busavelock96.exe -network
  2⤵
  - System policy modification
  PID:3896
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c pause
    3⤵
    PID:1512
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1416 -s 8312
  2⤵
  - Program crash
  PID:3108

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2388

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 416 -p 1416 -ip 1416
1⤵
PID:4492

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 464 -p 4668 -ip 4668
1⤵
PID:5060

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4668 -s 1492
1⤵
- Program crash
PID:4240

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 548 -p 3004 -ip 3004
1⤵
PID:2856

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3004 -s 840
1⤵
- Program crash
PID:4392

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:820

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5028

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2508

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 556 -p 3796 -ip 3796
1⤵
PID:1924

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3796 -s 904
1⤵
- Program crash
PID:2916

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 568 -p 3180 -ip 3180
1⤵
PID:2932

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3180 -s 456
1⤵
- Program crash
PID:3664

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\cef_200_percent.pak

Filesize
1KB

MD5
28b36caa09f44cdbb7742f4b29b95481

SHA1
1da4481c5d4d0d2556152dfdf816f9d8b1b24990

SHA256
16f5322bb89b9e247b508fae5908df4592dd0866e4dd490bb03af2a36a3545ed

SHA512
650e61d85566e7702328967d2fa37bcb09e7aced6181b59e7b88c862f01af27c2ede4d1a10cbe2e7d2042452e0fc7162e7a09ac96bc8bb19f8655182fe7e25f2

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\aic_file_icons.png

Filesize
52KB

MD5
7733cf47a9e4ad2d8b61fccf2767c42e

SHA1
29f8a2ed80d5aba17d7b4547b0e248123d04714c

SHA256
f0cdcb47ba8c63ebaeba7b5d1b3710eb1bb07f7a96a343b9819778a4b89855cb

SHA512
55c57ff1a9a6ea9ee38d764fe61433ed193192ae9c937f9c35906a8beaa4f1d919f9466a34ca2b8f7ac7ba465a53820e70c0c3bb4deb27519755ca611af9ac80

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_remove_18.svg

Filesize
2KB

MD5
cf55b959edb1cc14459f2e1fc701bcdd

SHA1
ccfeec223a188f844b08ed1d46b16f1310b43ada

SHA256
5982f74377d3d6b3a1bd38ca94cee0045397003de917a04e095d90e3afa4aa2a

SHA512
205003329f40e4afd0d7dd4d356198f52298391e34bca834258e6370265b773b427af556d22717338f71a9ecfafcb8fb11b1659744b5728f854f804589ae76d9

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\selection-actions.png

Filesize
3KB

MD5
a8996afe04a608282456eb122c568333

SHA1
977ae0b4ed84ca96b1c6a6696cba8f5585928019

SHA256
513e9bc80edc0372b0eacd3179eba0ce76db9a354928445d75c090fdbb93cd65

SHA512
e11d2e3989e2f7768154dc2b11428e06f37003c9f4eec5c126fa7961413b2940b9a28f4b539a8bcc808f2d2972dc817e8dbbea2dcfa00d0fa0f7a9cb2cc8fe8f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\selection-actions2x.png

Filesize
5KB

MD5
3dce64544a836d7339ecc5bdc589a2f0

SHA1
18cefdb8578e5fb2499a6138c3d6d50a52b14d35

SHA256
e14cf320469f68e10a9f1835f2cf8ee066aebacf496a15a829c3782e1b79d495

SHA512
965ee7e1bcda20c1545c0673c7efbcad2260d7bd8f81f9799496cf20556a8356e6ed53912b0ac18a97509e9c7f8ab81354f893f998fb366ea805171adf534cc2

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_folder-default_32.svg

Filesize
2KB

MD5
f7a97b9058423356532fe82270123912

SHA1
a7f4f351f3e9cb0e5635e78d425506c72437ea4e

SHA256
38adde7e50c698a9a7bd67c90acf8bf2a455ae8a3c47f687d358a04cbb4338cd

SHA512
473125d86887ae98e02ebc55d9a2b619f11b06af5507f9731198373106e48230492a530808c99db01d6d511ae9ea000c20a7521c1e15fdaf75ad9aafa764b2ed

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\root\ui-strings.js

Filesize
5KB

MD5
8741ce084c9c0ac849b6adac44990978

SHA1
cb8bb7494e4fa4da030541ec2369007de72fc976

SHA256
cd27910e6985797c0af2dc82f90d6206c22ed86810936ea31098baf51127eb2b

SHA512
7cd4a79caf1c7a72d33fcac7ff612b570c457667387e727cc6fdd62c5b4372d2034df2c4ebd2910357c5d810c8b5abe584aba9351b6ad2ffb99784d514b18d4e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\root\ui-strings.js

Filesize
29KB

MD5
b66e3a41fad5246d4f1897d20bb00ebd

SHA1
7393b33de1786b58fe3eff647631a7850d46b4bf

SHA256
e4128f689d72962a6e7c48bf0646e62b09a8288fee8bd5dffe2d2a96d3ca6e7a

SHA512
4e6023e3c506cdd5b51ad74fe2472e51e43b47771f9717a42d7cea32f58cfed1c842da98e00876f2c568b4604e19059a1cbd63546a99654e955041163d4558bc

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\root\ui-strings.js

Filesize
9KB

MD5
165ee03b4c82df4b9958d803add3192c

SHA1
6527be7d849d01f4ee66d29adde55ec99a0487eb

SHA256
11bcc778f51d95323fb100a311820241c0ad2d2f8c8f4b677b22aa473246a788

SHA512
fe37f10aa60de720e3aa1c25b98ddae79318c89acafe36e8eb91617d6ae20b28a02189779ac04a0fc1066da87b0954540026818b2192330fd8a5b2e9ec330627

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\he-il\ui-strings.js

Filesize
2KB

MD5
bf36cd9d3975037061fcefc980e76503

SHA1
de0dcd184d9e37604ffbe3410a4a9e32cd2cb939

SHA256
1d624cc3ee6d5c79f9761eb054d8bcdb515c60e60c80ac1fc571978d404d70eb

SHA512
39ec613f0ae8a85f9d2ab226808bd3443fb07496d9a2965c0fb78ff56c0f5243a1c09ee620f30440e1107186c2fb7a8aab297a6b0a1706b6280c5dd801fb72dc

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\root\ui-strings.js

Filesize
5KB

MD5
26356939a86fcdf57217449c92b2a234

SHA1
2b833168f9ad7618e2728d5c63901fa6b8828091

SHA256
d4b0359d863719a506a055ff0d502882cbf570e02f557cde8dcacdaec9c30c02

SHA512
ca971d99bd03170f745d93aaa7da55fe5fc4447cee1921e36808198ab51354ee7a09ef3092f85c2345a238f65f5e4516606bc10116226afde43594c76e623345

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\root\ui-strings.js

Filesize
3KB

MD5
d85b8f2d500e83fa8d5d72167f16289f

SHA1
8c6af23bea01fc0cf5ed850cd06296da541363d9

SHA256
0e074600b0f1ed5b563e93909489db20fd9032ac312e3baeea480be5b3b742d8

SHA512
66010f58cb52ffd8b0f837d86e0c23fa9e39cc36673b5069141019134e9e947e530d5d288d0747acb4ba789c54f792424060b4ffe6c5a5f58e657e0e2e07b162

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\convertpdf-rna-selector.js

Filesize
176KB

MD5
f59db4b588d7ca6a19b730ce0b67530d

SHA1
6d0220b6192c9d9554315f5b705a0c704ced0e67

SHA256
2174e2152b1a4ad60f8c0c604a66d78a880215a9696cee31b944df0e268ecccf

SHA512
62c71a71ac5d1fb3ed6af945c1e8a65c93a24eb73a6bcece7cc44cb7d360ccfb0c9f0c515dbbb2a63c4161e3dd7349369936254c14ea91376963f4a717862cf2

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\convertpdf-rna-tool-view.js

Filesize
377KB

MD5
d21eee077cdffd3c632ad438c24b5a21

SHA1
b4d4968bdb59e25a71f64cadbfcd8ad0b00bb596

SHA256
c09f542b4bfb8015e9264f6fa5670b1b51cdb7a9c8033babbf416a9704031ea0

SHA512
b412961e12e65e84674c91c41cf46e0c2b3e7279877614d18643bdeb69f15660e1aef69a5b99a69ce19e0b0e0769ecc1fc685e1fcc0ecb54747f604db46efcde

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\root\ui-strings.js

Filesize
4KB

MD5
8ead7b01ebed30bd8f639740022e12a0

SHA1
c6ffff6451f7784b00761a8c910771f4adbb3fe1

SHA256
3aac6103045753125021f64c4b43368f567c5a783d2c3d95c36b72a850a429f7

SHA512
b307541324247029a67e7942aeacb055d1dafae0708dc8dbdd3566b0ee94a1e44350aab055895332d5030684c3b670dd1cbed6ef6c527541769e2aeb66363298

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\root\ui-strings.js

Filesize
2KB

MD5
481a78da55e5df98bb48323844b8b666

SHA1
39387016016ff66006f5a5a77854157affb2834f

SHA256
4705dadebf85a9652161bc61db2751d360d0d29e59f54469d688e810d4314828

SHA512
7ced18e19ea679897c8ff455b10ddbb639d300f24a643c0392ff986de4f98701dc7fb59d9070df4fc20e167f79c7e5caaf6c15955bdc6662bf7396af75959a16

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\example_icons.png

Filesize
2KB

MD5
9fb39323fdeb3dee21a70f40623f1427

SHA1
f79c9f65269d8f613c054525e554fc606ff290d5

SHA256
c78caaa36b4c3bb9958369eb076e1cff5938f7e3773a5115c340756eacd2d67e

SHA512
fd5e69f14d399412b5048087a1ff5bf3c9e272862076e2d44b70b61034115c682bef436ded1c55db2df9ccbb270ff9572f89c8bf5cc58b3c235e9875fceb43ce

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\example_icons2x.png

Filesize
2KB

MD5
e4cdcf78a19cc4d3ac849d208121ea03

SHA1
8580324a645507de9c9fa47ddfe018ff26589974

SHA256
e48585d0223b65c02c57e3cd6d3216674ab3a1b2a444e85d82dc2d7326b7e5ea

SHA512
22e7b64d4a4c0e4cbb50946e9aa9e47a1ffa78f7b20dbcea03a6ad9947b4085c19d813c94bc424dbde971bf6b5f0affcb59a3b296cd8cb2a5b82424947582f10

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fr-ma\ui-strings.js

Filesize
2KB

MD5
d82a6ad0a2d6a72f158759af65153c40

SHA1
2c682b6235b3f2fe1bd47e40c6b547a1caf9b83f

SHA256
ff7585a320345f8d8330af977c83bd68f6dc47b93a6283a1695ab43f8def71d2

SHA512
5b94165e6c20a37e56fac69acd721f823815d1c08cdfb45d4c186c1d22e117b0d6fb2ee895f0ad3c294683df636fd72d2d66da60a5fc3133e6fa24d83a677643

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\root\ui-strings.js

Filesize
2KB

MD5
bccb32c6331d04b51c74007fc0ea428b

SHA1
d8f0a1054cea9cfe657143b3f9d8cebb4ec94264

SHA256
d4d1c4418d03a5b47966d8e32f27f9ee4d20d90fae176c394e9519f22cbdbe3e

SHA512
702dac7320349ae7a64536bc0f453a46727889bb8577a331fde552661979793fbabf5d2e87a7e6ee67a01d293a962c4f40d9e1a4547be23ddb47b6dedfbea104

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\root\ui-strings.js

Filesize
10KB

MD5
f4e0d51abf4f39d7e16fceb95b6ee39c

SHA1
3bb967f37bfd5873c176bb66adb54f96b21501b7

SHA256
6c3c77eaac16e0e6b21ec790e46eb21452acefa3b128ecaef291fbf2a908c87a

SHA512
a30ce89d9a1b0d30769044af7dd3c77f05e54d0b5fdf428616a40de512c6ae414dad428fad57fa1879bea71fda2ca186fea5ae3d6cd9182bfda62f16542ff4f6

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\fr-ma\ui-strings.js

Filesize
2KB

MD5
cba7c3f93713a24cd61d8e6e299956b1

SHA1
8141238058ca754a682c7d5c0fd079516f3e6e8e

SHA256
1f42aee0483ad3892cc12d842d02d2c2a2d81a2d860b7268de7bfcac499b8964

SHA512
923e214d0ad626b7b919110fa8d69889f0051cf38909cb04e0b69d3ba1bd4c8f81a3789c9dc7a91927175f5743f131759a419a3b4e6f99379d8b99f707e9c52f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\example_icons.png

Filesize
2KB

MD5
662baa52cd9f2121b2d8b10ba6e5c9ff

SHA1
c3990480489be9e843af7a3956fcb5a22bc474f7

SHA256
8eebc50cb5229c21dec876dac82302060602925e50e56ce54fab6bf653d2ddcb

SHA512
bf9a5a68bef906b1bcc7c8e651a34d46fcb246a5094d50436222f313ef9620edcf64fded308bda0201e418b21af23884e5770d95028cca211992c42272451bab

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\example_icons2x.png

Filesize
2KB

MD5
0d5c2d285d83ed8ca121fffad1c4e6c5

SHA1
8ca07b20b95eb2b06411471d9b0f4f6e0af7198d

SHA256
7469bb229c6618112166ad5592f55aa6a7ec34398b58bd84cc45a5a392813b1b

SHA512
4760f61c0575fda0b3823d9b24e0a8bde15a26f4864b5137f15349f91793f559daac39b270ca424182a73c14c6bea551a0160cadd3e741bc972ce82ecc604433

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\fr-ma\ui-strings.js

Filesize
2KB

MD5
72be0e35ff11dc5b18df78ff50fb3b08

SHA1
b1781a27afa71fd4e9c7e24c572eefd9ba331236

SHA256
c434e089cf58c079bffae56d54fd53ef6d402536c80aac6cc11a5c0fe2eb7b9d

SHA512
299c379b519737bbfbe74c63ea8ac2c7a26e481888f396bf6cd6884549ae15570b6fd2acbac8bb889a3e7683c48206be11409fab36370f5b067e53028f693b27

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\root\ui-strings.js

Filesize
2KB

MD5
3ba4325ab8f63038403fb6af0ef3ce46

SHA1
3b96b76201ff6d2af99c8e8f921e5b1d4a3dbfb8

SHA256
49111d0d5d3b14f8b88d3fdf7ddc75fab4647ac3b1bdeebec83b959ebedd87c4

SHA512
c3f637937b4ae5b7b1b26d7a8e5ce1e9395752faaf20299833432df0e794d4ac1dbba80a323269d591036b002740141d22f3bd3736834d32a4428a2979987bb9

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons.png

Filesize
9KB

MD5
acb7e7435d698819e3cc7379fc1d6d61

SHA1
50bfdb3d1d05cb7aa184c24fa67c29f613955ef9

SHA256
3a2d98e09c307b6799438c0fb559057263f1d91c85edb6254358955939d447d2

SHA512
86ae37ae05cfa5c5a122750d58a3188094b807feafde7241e5072d41ec2a2b3c38ab15270415acadac8febd2f2201586acafcb670b802d4b74a89588ef1ebf93

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons_ie8.gif

Filesize
9KB

MD5
30a7f3ac5b5d4be239c2d8325be50742

SHA1
4cc3b837378aae1360f42668a0d8dd08e5346092

SHA256
ca3f819443e6838bfca5831dabdee78371f3df8fc10e978a1239e215376f33ed

SHA512
67cf4950a0e482143899b1d2e8b58e3a3145447929d6726de83a9e53cc2996a6a0fcf907212c661b3856711ef5f0366258cd34268ffde9fc63abc026f44f41c3

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons_retina.png

Filesize
16KB

MD5
eae2e7edcf7fbc2d6782796420c192e4

SHA1
2699dc2cd6d4050462940da396c28fe0d68edc33

SHA256
21bc26c2297e3cfbabd7e3df5af8edbd0a70a8f96c7e37b507f9796c317eb3fa

SHA512
74d262778f25adfd07f9fa74f63adb5dfe480e0f60f2925410a281cd10c1d0d9b28d9c713490d77a6f813c8d091f591aece2e840dfe83811530f064dfcbd2a50

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\new_icons.png

Filesize
9KB

MD5
5875fdf3ce5ce84f95dd2b3a7276ff09

SHA1
0c0e9035ccdab097c449f72af61a489245884d90

SHA256
f4eb3299a7f4ac1bdb05967ce6f1d5304157089c3e26816dffd09dc6d6b7ea0e

SHA512
50add64233016509816a3f1cea43d647ac73f01b78aef26f8e5540890b30bb93d49a85734dd6868309a9134125b0339f007c33ee60f3cbf79edb35bde52c600f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\new_icons_retina.png

Filesize
18KB

MD5
6279ccaf5c5cfb73335f00d91f701a5d

SHA1
fc32dfaa3eff1cf4c119085b5eba1fa2d571c9b9

SHA256
8ea3810ee153eaaac861ae958473c197fda9c77c0d7b3931ec30c7cd9f6377ea

SHA512
bf9dd67dbf3e4a4fcccb4fbd12c8180dc9d4c0c33cedc0f9c79b791ae830229588621631e86f3798592f69a1933ad3ce5ecab31ad1c130afb7e80ad3ccbeb04e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\root\ui-strings.js

Filesize
2KB

MD5
825b7b2e42b74615f5afa7089316268f

SHA1
d92116398a612239ef5b9c5e61ac4b6a32c15752

SHA256
602bea53646ca3492477493f2a85efc2a9c98f322058989cd933ad2ff13a43b5

SHA512
1fa683112b40ab9736a996ee069a90b31fe18c4e31e272dc48b719ab9c7901569c93917cc2e43bd697c06e646cce831fd4023fbb1914545dfcbb5e9964808a3d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\css\main.css

Filesize
2KB

MD5
aa07223d1b4fb81ad5483c2e11663e32

SHA1
14ceca208de5e2bb30e2011ae41c28402f34bce6

SHA256
4aaa7648360e3615eafe398cbfea205467c332482614925612b110bd617d0fe9

SHA512
9aa38aa8b75108b0212fb7ad44e3631b1d45c56e9a3149910fe8c47f30d491e870a62defa1e5f844b6cc0defef8ab49c9ee2af0cee404477833e9f4b8e825e2f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\root\ui-strings.js

Filesize
2KB

MD5
a331b4946593f95bb25021bb02046a0f

SHA1
911296c10d30c205c5721cc6c835ca9545a4f2d0

SHA256
0eb04541d12487d63bcbb0b1242e8576a5b2101bb448b8f497806865f6a4c283

SHA512
3a9d42f08496b8f597eeee4138e57b0881b14c033133e8e0b67586d9cc76b2bb08fc79cfc6a3dc958baf1d882bf0c80435835f2639ac608a69275e8fd60c0d9c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\root\ui-strings.js

Filesize
2KB

MD5
8a8d626e05935a8f1424397744251bcd

SHA1
c2145f6a8ee12c25e5bcf440e400efa4edf7bb4b

SHA256
7799a12cdbcc453d1240bbf3dc0fd811c2d93c66bfae766045cb17fbb2c91013

SHA512
45c246b69af758cd23175589f6ae925b945566d8bec49cd8a00a1a9c498dcfc4ad7bd50761715403c3cf75b9bdc3f0cc11f7aeef993bc4787c88521189e02bbf

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ui-strings.js

Filesize
2KB

MD5
f2f8e441493b5172a4b2632f8de28657

SHA1
83a2900d465dd8aee63b1136797585f652f87088

SHA256
a4a53aa69e64d8d6018bf29b24947968e324707411a5e9e988f336eea2f6d3bf

SHA512
43a50c0b98e0e041a6b7ab267f7464d0abe43feb9b831effd5392a9f7b04b05382d6c9d035768d1081f6165d4dd40df92b13073d621050d5d666781da06f1ef3

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-gb\ui-strings.js

Filesize
2KB

MD5
36b861ebadb902b83ac13e77d9453e34

SHA1
3b69efb7e5ef826cfb1869854d824efb088672f8

SHA256
9b705e01d353b5afe8c3c3d18dc0793fe62aea5e8e589d17783e7b7aa2d3fa34

SHA512
e07e916b82de90f58d009537c41ec04b7b7e7285e25bf92717f3dd4d2894d6eb7488e4a56b2b0b2d6bfcb2651b3009a5dc2ee385a0b7a5e407cc43e65372e615

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\root\ui-strings.js

Filesize
6KB

MD5
d2a0b0af0b23f60e4c3ddbb818b1b38f

SHA1
0837bcd7b93e1a7605b83baeb02146b60fa83213

SHA256
1e4a135e368e40cd842529450581cdb01dc28e1d37b8005d5cebf697bdfb066f

SHA512
d87b2cacbc69e9631f7496e665863bcef5c7117a83c0e7fa5ee6687f5c73fa118ca3351fac44fab748fd8162bf5eb360c4195319c50af8d86bfd648187901df5

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\PlayStore_icon.svg

Filesize
6KB

MD5
f8c6c0b5de40b7b9f74916b4a32f3d03

SHA1
ff0cad1bfa4a064902a8ba3bad51e678bcf66c59

SHA256
217150b187c98a13232916a497ce8710e591b23daf7a4a5115b0e946ac37c39f

SHA512
f09e978d1e32e8851b7c01b51ee77299468ab2b124c98c0937c066c4f7184697330669be35ff1ae9c538489dde64185752f6294eccfa970fe5624bc7be928c32

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\root\ui-strings.js

Filesize
14KB

MD5
be070ac3086bad4492555551cb2ebf33

SHA1
8b09da4495d7e82d24e345302be7d1cadf21515f

SHA256
75bc5466e3a3feee53662ae58146ef2b08d21ccc0619336bdf725633ee7a4ee4

SHA512
a1d4cd47027a755af01e7b9b781471756720792a65fd1e3a8cc14a8c9218f1e4393551029837d4191693abb4eb87c83872bf9ca05989dc62661ce6575a035ce5

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\root\ui-strings.js

Filesize
15KB

MD5
9315b785c709e9a4f633fcc4cdb5e4eb

SHA1
302b36ccaa6b39c0329d5d06bf5bd935233bc75f

SHA256
208c0c72cee0e4a7b31b5d0a53533441e84525b79187c0bb9be524da7a068916

SHA512
d9d772d735db137514f97ef582a68d6a83f0908248413925ea430e2688b1f763add248f5dde27deb68846a4de8606efeb2830bbf9ad5a70f7d0cc75d87cbc759

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\root\ui-strings.js

Filesize
2KB

MD5
d7de5c8ce3de72cae0267d417a0928be

SHA1
30f4503dae328faacffa37d3dc324156d0d3bf4b

SHA256
83630c68f3811793284befcab58f42fe6b87b7650b414d831e95e920c6003195

SHA512
2edb0811a9d7ec763672d3769a9b4061ba9ac4eb3fb2eebce73feb765e64d3eb7d10884d62d1c0fd3942ad149170c950766fc0f9b7d57cba84b761ba9e7fb301

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\root\ui-strings.js

Filesize
2KB

MD5
0166cc7fd49c577592295e65095afb17

SHA1
e5a277c2f9070d32ee3ecedc16239a42bda97e0b

SHA256
573cae7d2ab2c3ccb13c01b99195398f4a0a10a6204ff8fd9aaf3257db2e34ec

SHA512
950099e933bb3aba400eb0172e3258a1886af11c49f267bb9bf36426b6fc9e41b89bea040ca0a22e6c4de8a6007e44542b10bd20c6ba5ad011ca42e45725939b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\he-il\ui-strings.js

Filesize
2KB

MD5
ade3c04c5db6e819b2166be62226c8d4

SHA1
ca724d182ad13ba86f8b21adc1d5c84239b93e5d

SHA256
928d789639ab302529120bc0d396eb14dbc7a705123fcf28f8fc036511afac6e

SHA512
45f0b2a5908e92a6fcd92310625ffe6e61d553599ee8ca5e051b88b2c1997e81d7837efb92f3f2392208e70de37ef2ae0978b3990f089d4442a1dc5a1bbf6595

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\nb-no\ui-strings.js

Filesize
2KB

MD5
63243eab093a71d66485058361b6778b

SHA1
a401efcb94d23a5bc09ca4f3393d181003407d04

SHA256
961c5ea99bf27e6f2938ada06be26ba10e9e28a4090db84e6d655faa1e24c51f

SHA512
b6fb1814062ed9822c1a2d2ac287078fa57ff185d090fc7a56634975d0417d237667929cc8e331e6d55159976324d3416b982c8d5315805aa3ad7e70fecf61ac

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\root\ui-strings.js

Filesize
2KB

MD5
5b27ed2afa5347f37edcde8280ff94c6

SHA1
8bc77fa5488cb96278b2679dc735bbf968479fc6

SHA256
0f30c3d55ff8d418db9ed5547b013fe24950c9122fe260a16b234343cb559928

SHA512
ddb024e903209affef0fe3a275a62fd1368c48ad37c9418765167febf1394b17720bd71b1bbb986e848353dcc1e07f95e8fb57a9b243bd6fac44266bfda6d80f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\root\ui-strings.js

Filesize
9KB

MD5
66abf1ffb66cd4c82b6aaafbb57f8326

SHA1
48feadaac3a521bfe6cad200c92e5e7f4bcadc6a

SHA256
5caddabb7c2d8fbdb5210479d670e62451bf61b0c33ef8fbcaf9ea33c3bcd334

SHA512
3bc4a892e92cc211dbb2ec98367277278705eba588eb34aa32534f6441c78cbd87ce9f93089198949231e2285eba1e4889e223673e7328d250818f397963bb91

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\sl-sl\ui-strings.js

Filesize
5KB

MD5
67b832cdce36f010082c1df93298cd33

SHA1
3fc74828710d946da018d62471fba2be1a7ba411

SHA256
246e78b98193d0ec7f6da1110e64dbb0cace24b8263b7a56ebafe2f8438d7692

SHA512
64da2802d4893ec8177706e0d1b4d7f7b8f80b138bedf51c87cbf4740d4281736b27670bb5206c5cf8ef78536a038bd7d03ec21238e7974f7aed0522cf1f5cc1

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\root\ui-strings.js

Filesize
2KB

MD5
9e0ebe3f0d4b25ee6a8dbb09dff724ba

SHA1
1c3d574cdd236dfd9c157dd90433210d6605c5d6

SHA256
572f8dca0af20d890a38aa16e75a1cd002c6d0a6b812bbcea3e3f15701614ecb

SHA512
bf0161c2e24d49835ccbd8a75b80f10422404f6fd049a663316281163de40734da0b97be883050c47460d7e6d38a15e2ca2432483b2879d27e0b0cae7ba88974

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\en-gb\ui-strings.js

Filesize
2KB

MD5
cae228178a5d871f4dcad2b76d33b385

SHA1
8d4901464024960d1334db86d9286ff62c6619b6

SHA256
e4a327d25addd4fb8b938809373266c13190ff039a48b3c266e7dd0c9ceb12de

SHA512
1403172270a7fa21eda6b8e7796fedf7e3c298dd557b0d963a940b471f70df4070a0e37163c10f69096cb94191967451e8577036de2174e3ad035436f97db188

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\root\ui-strings.js

Filesize
15KB

MD5
d56329dbbe402ff1c3ea59c5679bfd12

SHA1
218c55468ada3c1fde22763a5b39903012c098d4

SHA256
c3bfd37b600fe2a1345e0581408d920702c59d181efb7f7356cbeb2f74667eb0

SHA512
cf05f25efb3da50f17cee08dcb944cd64bd07359804c24d472732c1d22e37db1e3b6e80eed843da29fbdaeb12cb293e5b3553fa90c0fd37e5f981bc4437e7092

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\es-es\ui-strings.js

Filesize
2KB

MD5
8f783960075b2163b2136d04fd02277e

SHA1
730215aea2ba4958d8aa99e826fbbea4c4a1107f

SHA256
681911851f8d33ffff1182397b20498941143b9e2794e111089bdaf1ea7f9a7f

SHA512
66c132e9430b7a60137f9c855090b2dce5a38c0523e44d05205e9a214b9b0dfeb532281f03837a661d1c20206e554501d816aa0cfa01acf487511d34d4b0b946

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\he-il\ui-strings.js

Filesize
2KB

MD5
8c99c493dccb320645b673b741a1330d

SHA1
2f9ee01f63991910bea62db17657229f7e21a6d6

SHA256
4e25acba14195bddf7fbbed81e584238b0c7e32eaae6af4dc7ef28ac25530353

SHA512
6234e262b2eecb3f3bcfbf3bff03017aa486f5585a2dcbd29f3bdefc11922a01a7d8d53f2c2b28e4b541ee09f52c244fd9be7cadfbc6a04aa8be8368df460b5c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\root\ui-strings.js

Filesize
3KB

MD5
d31bfcde8aed36ae6adb9c9421ea78fd

SHA1
380849c7e2659d4410b77de620299cb614ab84f5

SHA256
db235f5cd7a7288bbb159a98acef66953ebb712e3c8612e21097177d5f2e55f4

SHA512
62aa10ddec14f24991deb1d6778de0700a1ca784e69b3d9d9a0563c0371922ca8c7318c6ae35d41e11b5e0b62b646f1ea02703c768754dc207d209ed31a8557d

Download Submit
C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt

Filesize
34KB

MD5
ec7cbabdc95fd452fe69774482da84a7

SHA1
bf256a25f8c70be399fb6a1878d1daae57355418

SHA256
988050962b73501c1155652f6ed523af76689cf1ce2ea0a341401f9ad7679eb0

SHA512
487524e507773696eda7e587b9f5ae2f3dc7b41f149b5c54667451c37e60b0ec7f61722c3ef4e5fc46ded511356f4db9341fe540ca823ba4fedd1fb46addab1e

Download Submit
C:\Program Files\How_to_back_files.html

Filesize
4KB

MD5
9c20f529410a7814d8e010dcc4ebeb12

SHA1
a68faae36c4885cea9c8d8a1ce62dacf1fb6430d

SHA256
dcb2874ba03e1abaeec84177a3da8c1a5ad8fd4d73e1ca029590ecd835aadcf9

SHA512
1299e1d78d2d58384f8ce547a0057eb6f4e58fc1520046c0aa94b78f9cca2a9de7b2b099fd7c0d6e710a844544b4d4871356341161ccf00030389f7670d5bafb

Download Submit
C:\Program Files\Java\jdk1.8.0_66\db\bin\NetworkServerControl

Filesize
7KB

MD5
978e2d840df2f258b5b4f273b69508a2

SHA1
5f8019d16794dc9fd316f60f6d4c08f016289701

SHA256
f498c408d47293a4c4d495d7813adc0006aeb296848ac2218d9e1a7ad53b4458

SHA512
59568fe5de9a52227020fb09100a795b14db7490a5947889840a4cf5db0076b2b93804f0a93d4d8d6247b5172595c6122aeaf4349172bdca486a1987a5d71491

Download Submit
C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
1KB

MD5
1ce994cc964e3001baa052dfcc3ffb86

SHA1
69adef823e8542651c75829eb991e7859050b071

SHA256
edc79b7300ac787eb8caf5d0e68b9ac97a870b304b823523c3ed760f34395a49

SHA512
075ab29fcd6fa9cd2cb4398488b793c2e5b7725e6914a9459611a0a96b61141e8632ef4ca7094b1cbba48a80888a1d60e103ad879e46c07771db7936b3a08462

Download Submit
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
13KB

MD5
472383a7fed4cc8220e28ce93e209bd8

SHA1
ed4c318b6f9d9039de8ff1897a7d88e407580fee

SHA256
98587b8be865d0a7900622724e66883e965517ee966725c998029006935b36da

SHA512
8b594c0af61644e345f9b6f9559389c9c1fb7e1fabbcc22470d58b284ddf3fc42034585551519c4dd13b564838a5a7874ab210a5c02927ca0ca2f7e12773a76e

Download Submit
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
10KB

MD5
16d0ecb7466143e6938287e98aaa76dd

SHA1
f5d3d81a44832d5f56360c93d3a16d700a0c9d4e

SHA256
9c5f497b2bfb0eb382d165186622fa12796311d36ca4ef022da83c5263dd29f0

SHA512
c4087dc06e4c3bc73e90891af6a181c4bee2e85fd2d5c044dc86b73d652bd891207364a290d2d94a1bab51ca1986790d454a393ce03e04854f783cb9e809bd1c

Download Submit
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\eclipse.inf

Filesize
1KB

MD5
96674fe6ee6d0ff6210056d289485c5a

SHA1
89e7613cfa7a628846c1592a2c65fec51712926d

SHA256
7f0093c58a1caa6a0d5167978a63e3de421dcc86b4ed4bb9e24cb0a2c667bc82

SHA512
57e8f635ee39394c74d36f96aee4719963d976fc706b594c0a151dff1abc326bff1e4c8f4a0181b15b8da1b65bc3b79dabbe82cafca72ce3b994b81204debe45

Download Submit
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA

Filesize
9KB

MD5
4f7f46162a282cdd92c9738a6293eb83

SHA1
e025c0ebce3d120a0857105a0df6db4cab97a575

SHA256
9b606651aa19f8bcce8c3e4636c909b27d6413226a31692af08cdee923d5915b

SHA512
34cb0dcfb12e09623b13806f36f77c5bcd677858b8c3207ece50249601b8f14afb0cf8682b670e7d9892c5601d1d606e5d455e110e02ab0ce22ded60d96de3d9

Download Submit
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
12KB

MD5
d0c64212d36d8099b4fa1454bcdfb993

SHA1
870649a307e5a13417ea6ecfbe70d6d072e3a5ef

SHA256
aa9d4006d38a8390025f84384f1b7a7b646181f753657774d8c2ed98e3ba281a

SHA512
2ffb1a51f4863f8d67f2a6c13c5ab8be1ce67285d2db38dd70693c9b8e573191bf3243b7d94f76b8880ae804ff92ef2fdcfbdd10bf1956e00e41e1338b710134

Download Submit
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA

Filesize
9KB

MD5
b011ca66da4a203d6555290987df8171

SHA1
fea88f572bf9865652f2dce0db4b933864c78f68

SHA256
44d1b7011c1dbb8b8fcb8dc0dd67113d854a127f8da66c33d277423b21b07626

SHA512
d25bc30283f9daccc474f96aa59bf633cc8a481e650a0012485f9d7db1f6ffebd6cc3682f44a66967ec78c5c21c38d33b82bb1725d5d178acb28bf7f8d740c49

Download Submit
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\MANIFEST.MF

Filesize
1KB

MD5
cf3b72c440cff7e54038843c1db15066

SHA1
fc8bb97df5a81ca417f3a7a7ae9807514bb7ee38

SHA256
881dafbff88b14ddf767b3ca62ac8ea1efc563b444e0d9b24d88cd0fcc85d659

SHA512
9a915a4325327a9f2d46f0ce3999b7bcb529a4ccc44aec5d8e1f4d6239936f8a1e77459c899478e56ebfce7bd4f18208326762ee834fd41fd2ad3e54bfa4c43e

Download Submit
C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\org-netbeans-core-execution.xml_hidden

Filesize
1KB

MD5
725f33527897aa9505fb81e05d61751a

SHA1
f04b84317e84b6fb9182d2484fb248fb5fdee75c

SHA256
9f526a3e6844d76f30c4a1ab27a30cd478a6fb2cd872e9454a2e5078b995df4e

SHA512
2ea776dd8184ed5be1f6a8761a355fc0d9ad63131c5e57e9c87211974c1ff10cff1bd086daa327f6a2a3152ddb93fe212e666f8a539ce58696419a352d6a1d96

Download Submit
C:\Program Files\Java\jre1.8.0_66\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
1KB

MD5
ee93d7a9b378c658dc092117186230fc

SHA1
f0911add992f3584ccb4dee31e29b56f48660cef

SHA256
ba62fc00c2f9e25e366b74f158abb1e8937ccc80f40c2ed3e785009ff17583ab

SHA512
d536c732aba4605f69ae100afdbed7e0340cee968abc25cf8681e602dfeae69a8784cbbe33265013a544dd811353ec93718f258e37b1936a9eb87cd556a8a6d6

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
1KB

MD5
7ebdd061b0ab2fe7c27c720836c6755d

SHA1
be102798f5679c5b975e5f4bbef93af3f5fb4630

SHA256
4c490545a4ca167f553b7719a7b04a1c82f5960e8abb3deb1483a928a885e992

SHA512
654aa002791f480f65397d3e3906b7f6916cb0893b546d492b35dc7dec14b1389145a1acb573f6df7fc613e2faacc2022376ef42daf042b9f0af7f94b1d3c318

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_F_COL.HXK

Filesize
1KB

MD5
5757644816f0ecba56965f98131e657c

SHA1
97d9cfd496496122c4efb228d1c884ff343b67a3

SHA256
de7e4696ef8635c74f033a9a3b61a1f8498882fc909dd4fe1535c4dc1a440e67

SHA512
8084d930e2ecd57252eb7cf3798448d54959cca4bc1fdf4fe1f294c82a2a235a660c1bf9761e6d494b0cef2e03ba05e18d27ce1d3a57d2e96579ddbd5f50ed41

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_K_COL.HXK

Filesize
1KB

MD5
59ba8e0361a20a320180c899f495c81e

SHA1
cec5e11f89b3f78b0b9bf89c2cc541d5962450fd

SHA256
d9a5c4e2d4d42a6756856402163bdcaea9ce387c83de9d5a737963c32f79e6ad

SHA512
976db081c334d7fdbe22cf6e29b7a80b30a28dac17a6ad0eb0a0b28a6ba526e0c38da3308758afaf8ec839176a47734145c808fa959588c0e01c61bf648a3276

Download Submit
C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe.config

Filesize
1KB

MD5
b60f884a09fb83a4ef146f04ffc0f753

SHA1
18d8b6fa9b7c3b32b004b0be99900296eff536df

SHA256
df8dd4e46399aebfcbdf27a904fb3e7cbe0383eae05c07f5e94b356c9c95f729

SHA512
cc8ef83f2c7fc813eb238651405653a9219cf1e60e8a7de0a2c7222ab8ac08f39679aa7d9c7d5f2d0b0c31b5cb2536165c0b65b6e49948a83da30bee2d5bc5c7

Download Submit
C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\SIST02.XSL

Filesize
246KB

MD5
52e6975cda01af2a5bfdd1c29838ecce

SHA1
fa42538c5b503733668f327cea740ed92e44f418

SHA256
4717bc5db563f91a54807eb67f8329e9e01fcf3b14110f979b1a7837cf872dad

SHA512
dea46abe2361b7c3f493c0b77e9f1e26a6aaec88c80eeff7b88dc14f3443b62e0d43a9cb7b0d0108d23472b7cf9f3af0827a4b15d4eaebc2d3fe5cf4491de1a3

Download Submit
C:\Program Files\Microsoft Office\root\Office16\PROOF\msgr8fr.dub

Filesize
1KB

MD5
01bc5ae38503bb551b9d6c6ce07249c8

SHA1
f5c83c437404c36bbab37328a78eb1ff4a7e0c8b

SHA256
46a6abd20f881d23a9fb4a6cee3986c8b9c18b04848d0f7acac62e096585b0d2

SHA512
ac9af47b3c78bad6ef41540e2cb1402919de70bf37689c4bd01a4a8a5ce6436f95cfcdb4f0cb1970274705a238a66ea0daa52c92a163f0949da8ae816bb89bc6

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\osmia32.msi

Filesize
3.0MB

MD5
0038833f5f4b65395e84c536ceb295ab

SHA1
e520c0670b4fe40ba68c97c02bb7fe477b14e698

SHA256
84f430e7f1317985238f4f9e0f877695edc3ec2a9ff401b41bd2254a1bf82696

SHA512
6b636643611b97c979423e02f2044f7095750041fa6ffd9578813411cdc7de04ce2d85a76f70476de0f86c7092cfbd2f2af96f6fed8641a565e1699865bfdc63

Download Submit
C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\vlc.mo

Filesize
605KB

MD5
0aaa60852ba4457ebaa92c0645d86ae3

SHA1
753ba274a86c91a44a666df3441fe131a3c8e7e5

SHA256
9319c3e785a207473e00424b4c533e280224cbfd888505719a952edfcfa0d786

SHA512
a18fefdc15c0ba61d127c202a66898679df233925c660d3fea79a156fb4caec63f97e9c359646a2212ac637a9d4f2b89b2df4b0e05b6c4364eca1e15b391d38c

Download Submit
C:\ProgramData\Microsoft\Network\Downloader\edbtmp.log

Filesize
1.3MB

MD5
15587b9b775f2a91c9ea08762e878c0f

SHA1
74c0808177a7df7be498381c1effd26d5b89f936

SHA256
f8432e37542410552a7b840c3095d8aa76a5985491bbe3b207609a099392f3fe

SHA512
bbe30ca98470334621d6b299bf951c6585e1b66529ab04ad20133b59a771a3eb190f73b5a9ed491b5200ac8fdb39568af7d98c604621d77a19ebd499c5daff0a

Download Submit
C:\ProgramData\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db.busavelock96

Filesize
290KB

MD5
d12b1ab6f4869717ac1076575c2729a1

SHA1
67e6254e4df716f6abc0919ffa7b3b3825371aa7

SHA256
8bb8caaaf28adc2ef628c3d907fd2ddc4325292f3a912f8e276e56165d815843

SHA512
73d97ea0471989ea6ab3d7355757f052359fbe970b0691345f0f456ce14e0a810271a4a508bc3b003d5ca59a7572f4c09ac40fbdf211911c868cd1dbe1be51e7

Download Submit
C:\ProgramData\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db.busavelock96

Filesize
290KB

MD5
983ec391469e7b71690c7e06879d27bd

SHA1
d395bb499b864688f02dcb2691697e12645f106e

SHA256
4eeeed0ac9dd5aa7648dd3b908af569d785e598a133188e83448b329e0736179

SHA512
467a934d8f55f7f3b7ec9f2b204e783149a60bfb265b7f7b846b4a32851d26e057a01c3a6e10d5bbe1933bba9c5b7865b6e2bd6a99708704ead5dbc9ca1680ef

Download Submit
C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.busavelock96

Filesize
624KB

MD5
64b9f2daa37ae95bf8390a595fa78a94

SHA1
e15657d61e5a4c546b4b2ec30572173368037ff6

SHA256
900d17affbb61c52876b3c5865728a906eba1fc34f102a9bffa4af05828969e9

SHA512
d5bef5c758f97b0365c5cc6ac25a54261bbc5e96e46014e867b79c40eebb353995703b2ebbcee86d22f366df0dc7069bcb5a252bc7260e8b52eb8819708bea10

Download Submit
C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi

Filesize
181KB

MD5
ecd3efecb2aaad7160eb0ec17db502a1

SHA1
cfb7f3add66b8c547acbe8cc2ab06f7124925612

SHA256
1fd59af26776de079405e0c3fbb1919578ba40fcdb5c9abc20f82d6dc4ae9df2

SHA512
deeb3b15b0ab29f3b5e87b21b117326d5a95be81bf7f4844374221b81a73c7c08f1bcbe0ce5b7df78d2a10bf81288b31ee5ad4bfde17e7c860d7f42ea8e3a77f

Download Submit
C:\USERS\ADMIN\DESKTOP\BACKUPWAIT.M1V.BUSAVELOCK96

Filesize
231KB

MD5
cf170bd0922a0d584249f2eea5ec8bcb

SHA1
8aa8028a49803d9f88ea98dee9b90cfadbe80bc7

SHA256
16e445e330d9d872d59a675196d845dd5d9de4c4589f48098cd528c58175b9ea

SHA512
4c7faf26a0817ac9a2f6820eef54d720d5ac94f694225a7c29b771fc08f26d2eb119cf5a64ffa4a2230e550f241fe1eeef40c6b33ffd61a4f127a824c363f682

Download Submit
C:\USERS\ADMIN\DESKTOP\COMPLETEMEASURE.7Z.BUSAVELOCK96

Filesize
321KB

MD5
77263e745f846664b987d6268de59771

SHA1
924a226ef41384fa1e255573c0f653eeae9a816a

SHA256
6640fce46f4e17f4ba35e595b3e2e281078add0b392e4c3a7a264759729921a4

SHA512
900d2de09fdb61c420a70cc0d1ecf5d57e8a11f33b12fe0c0f7119de7dcf71cd6227280c89277bcd07ffdcdf5d7bd8a4d7bbcb7ac443ea7f575ead854dfa9648

Download Submit
C:\USERS\ADMIN\DESKTOP\CONFIRMWATCH.ADT.BUSAVELOCK96

Filesize
355KB

MD5
5a64aab4ab5d09231495aa1750bcb8bb

SHA1
0bd96bf1ef606190da364b962115b8f2add38a35

SHA256
0e337d5565103d16c594fd64589c718b5015db3ddc2ee713bdd9ca0dcd0af214

SHA512
0cc3348fe24e08a6c21b14a68592dbcf3297d0165a90b33045ef8dc99c8ba3764deec74c6f3c0af5005dac3fe2ae66a317f5aafaf94c0ec53ffd82663a3d9c85

Download Submit
C:\USERS\ADMIN\DESKTOP\DENYDISMOUNT.MOD.BUSAVELOCK96

Filesize
220KB

MD5
12df2c1c6cfebfcd4aefcc390fd8efdb

SHA1
4526d08f46bb039784ed0c6b07a35268036ed642

SHA256
95ba2a8c455a772c09f5627d2b8210b6d363bd08989031ac0aaf5465664d34b4

SHA512
54afa45fd34347e85d15cf222b205c486a137e565701dfa824fcb367f9f84797493eca4aea98baa1341b60666471d5a7e93e68cb714fbf532de49441d2f25af4

Download Submit
C:\USERS\ADMIN\DESKTOP\EXITSELECT.XPS.BUSAVELOCK96

Filesize
366KB

MD5
3535b3d3a3ee767078d962f8eb534bc8

SHA1
585287e71763839a47b14c5df0ab56a356050712

SHA256
ea2206e822987476faa197efe5a52509eb4fda9ed0af68efe1bd630b70f1538c

SHA512
dde332ff5d2513866320a3640831d35e2dbc151c2d7bbdefd7b716b64d52e7ae4aa4846909181ec0ff133bb38ab68929a0186b5913a3cbc5460ed298383d9bbe

Download Submit
C:\USERS\ADMIN\DESKTOP\EXPANDEDIT.CSS.BUSAVELOCK96

Filesize
310KB

MD5
406d168d54f03b34cec609c733801d5d

SHA1
539ade83f6f4b90a90c06139e172b216df6abebe

SHA256
ef1c57af0b610fcdb490d633cfd10bb256a133444b1084ba6dee4444ceae4b61

SHA512
e8b6a9bd9c33026839eb9035306d967810952b0c59b391567bf888d6668e8340bf15fa426fb751ccd4b59c89290345d8188c99112bf75d8ef5691479309d5837

Download Submit
C:\USERS\ADMIN\DESKTOP\FINDBLOCK.PDF.BUSAVELOCK96

Filesize
243KB

MD5
fd9b8e44d3c8ea4e0fa8ed8a71bf285e

SHA1
a39eb626d4bce8e7a8b3e9f938a32879f1e12cd9

SHA256
3a0b4498e47be9a2cd95c5c1806dc76d7be68a9718a5fe1a5541cad286f6f4b2

SHA512
dcc0cb6f6ea2e0a00458eb5a54868493c51d403be539bd06cdbb02896f24255713d6c0d5dc7a433aa63ab3a3fc6f5f7de89571c25afa12953e38ddfa6d45da48

Download Submit
C:\USERS\ADMIN\DESKTOP\FINDWAIT.POT.BUSAVELOCK96

Filesize
164KB

MD5
617423547ad79f3837f2f0942f9d61b8

SHA1
48524ef6dd99deaaf5bd1e4dd284f08825a9c231

SHA256
2178b7f5808a384fd733dc7f251df388f2803c87d099b94cf52bc1c216336e49

SHA512
5c615f09630c7d7f63497cba15fce1f341630a77407a3f88e5cbdc0d29639bbbfa6b7da87c13d84f36723c28a1523c714fc42f94b89c8698d30cca2d0c5ae32e

Download Submit
C:\USERS\ADMIN\DESKTOP\GRANTSHOW.M4V.BUSAVELOCK96

Filesize
597KB

MD5
5e92f4faa5368cf60d9baac0f8be26ec

SHA1
2c7780a79a26a46080609568718dc60f0963ef6c

SHA256
22280813a4abe50e1a11c0ad1aa5ba783f8c3f5fb150f5e138c16d0332a86e2b

SHA512
11bbdeff3a24eb88c9cde76d9a9cec6432aac6d1db20a2aa1fff3ff71c3a724ea01ebff771200ff4ad704bf11ff6b772b13e9fbce426a31b870cde700858fcc6

Download Submit
C:\USERS\ADMIN\DESKTOP\GRANTSUBMIT.AIF.BUSAVELOCK96

Filesize
288KB

MD5
f89f54d89c3422e759b5c0c99b5a4db3

SHA1
5f917328b764e8d9d2a02ec82bd58622a2fe202d

SHA256
081011625b0f42bb56f36ff407cf5f3b94fcf8bf5f447b489f2223cf34a425a5

SHA512
7cc5bc003547d812b2f4304b84ccbd370a1bcbd94e8054908e664170149c0b900252d3f4f1c97ab5567655caf144f841795a87933ef93325c1704441d7443de0

Download Submit
C:\USERS\ADMIN\DESKTOP\HIDEUNREGISTER.KIX.BUSAVELOCK96

Filesize
422KB

MD5
2229d619fccccfa70111e40f68d1aadd

SHA1
4e424dd8e13217d8895aa50ac2202b7110c1213a

SHA256
867e0186c556bf605201779eb8f35debdcfd6a760697e1d2236a3948d70a3dcf

SHA512
fd92abec23f96a22e6ce01f713516e4d856ae16882aa10714f4a3dd013ee3224424dd59c62b6d789710a9aca679bf19e617af58b7a48f3d7bbe100c7b205db3f

Download Submit
C:\USERS\ADMIN\DESKTOP\HOW_TO_BACK_FILES.HTML

Filesize
4KB

MD5
9c20f529410a7814d8e010dcc4ebeb12

SHA1
a68faae36c4885cea9c8d8a1ce62dacf1fb6430d

SHA256
dcb2874ba03e1abaeec84177a3da8c1a5ad8fd4d73e1ca029590ecd835aadcf9

SHA512
1299e1d78d2d58384f8ce547a0057eb6f4e58fc1520046c0aa94b78f9cca2a9de7b2b099fd7c0d6e710a844544b4d4871356341161ccf00030389f7670d5bafb

Download Submit
C:\USERS\ADMIN\DESKTOP\INVOKEUNPROTECT.DWFX.BUSAVELOCK96

Filesize
389KB

MD5
5f053c0f50d418bfdcd80c0dbaa0cb3a

SHA1
70011135581ffc8355adbd806d76e30018c7aba4

SHA256
52b14e8036b95a22658d9f02a371b5d6aa608e3cb16b43b7c643dc47a26ddb66

SHA512
2e4b770c13f51b749b463cf7bbc65a7917ce886f3c714f4f3b5a8c26fd9cb4da24f711bfe1b835c224a96397b02aad5736b005810a03fdac2399ac415b8ddac0

Download Submit
C:\USERS\ADMIN\DESKTOP\LOCKGET.WMF.BUSAVELOCK96

Filesize
377KB

MD5
5027015b70d8b667aaca1c8a83f67601

SHA1
a69aa7933cecce36a7ee028809458bed910220f3

SHA256
ce6698e59cb62a92577fb5c7214d21874cba833998edbf2ec6349a2f27088af6

SHA512
55a97a9af1ea3386b2935958447c1ae40698429b03ee139f6ad4a3d9d0388ab998517f8537b92a78d956c3fa0d941dc8b2cf2293ffe31741d41e0a532164f1af

Download Submit
C:\USERS\ADMIN\DESKTOP\MEASURECOMPARE.SEARCH-MS.BUSAVELOCK96

Filesize
299KB

MD5
dcf51a8eec0221dc420049609ee70c68

SHA1
ad8ddb6353e73f5af9b338de3ddc34e508233505

SHA256
9982febdc2a49f38f16d4ea09aebac27fdc4105cbeb63d0be26c4adcd88b8fa5

SHA512
944c54acf2d27535f7ed4da84afaa6319ebbc96329689adace8c7ea0373786544cce971d3c47960c5ab6c1b24f5ec785174e9cd9b148c5984cd0153beb46a767

Download Submit
C:\USERS\ADMIN\DESKTOP\MEASURESEND.I64.BUSAVELOCK96

Filesize
254KB

MD5
a0aa547e84a6cc301fed7c7d1fdf0c0c

SHA1
20c1201baa5b30e294f14ed6646b565d5e263eb6

SHA256
f546e3090af1fd6dfed81fc8e9734d4c89c7b3589d2366724587d7c5338e2b91

SHA512
84efffd24debd4fe58e9134513027165c3498058214a28bd2545eab247480b564e2fff7d6d73f77e791e04695b25bc25b71e00f39a0b65e3c4a4a1a8acf3ffb2

Download Submit
C:\USERS\ADMIN\DESKTOP\MERGECLEAR.MP4.BUSAVELOCK96

Filesize
209KB

MD5
4d4eb06dfbf00201fbd10fa0605d939a

SHA1
9bb31c3ad69984841054027de81e91b458cf54d7

SHA256
5fb7018031e3de88e0d15c0e57c005ea3ac8aa628ea0b3c7e720fb8d8ad123b5

SHA512
78128ca1a00a6e609d894714e39496b4656a4f30a9b43edf2f97f7abd5c46e904a6999f471690ab2ab16ac53db4030a71b0f72c270331f319cc16cd3a89c02dc

Download Submit
C:\USERS\ADMIN\DESKTOP\MERGEUNPUBLISH.M2V.BUSAVELOCK96

Filesize
276KB

MD5
203ccecc2ea30483f2eabe88547ea0b8

SHA1
ffff36b52baebad0cae897164ddf17e45c0ef024

SHA256
140a13f8dd4916f29b7263c6e988519c5c49c339d58f2d0d90a74a1c322588df

SHA512
2123de13355e24f40db890ef696435ce09998d0f520ba078aea4762e4d6e323b63ba04a50c0ae7ab62df85e06108760f35942371b9f27e8d97788dc041864e57

Download Submit
C:\USERS\ADMIN\DESKTOP\MOUNTCLEAR.CFG.BUSAVELOCK96

Filesize
344KB

MD5
876e251541a8f4621de9b673c7c4d947

SHA1
e08fd582c1658830b0cae2cac78074fc746f6dd1

SHA256
0eab5edbdc79e705c1fcc1e058b1c2fd4264fbac87eeeeb7c47b853449a15c55

SHA512
774a84bccf1d205714eec47bcd2188df761039b0fc700aa76d6267a680a463be077298778e19f40790c271371bfbff8c2958fa3dc0d2861add3d17b1bd7de28f

Download Submit
C:\USERS\ADMIN\DESKTOP\READDISCONNECT.XPS.BUSAVELOCK96

Filesize
265KB

MD5
d915a125340775de97cb4a84eae3cd41

SHA1
4c5b9e07c00ff3e3f5224cc1bba2dd5cabeb0837

SHA256
a372ba59b171e3f6cd167aa9d39355be29430422e9e12c4bbec3e7f434dab9b0

SHA512
fda56ec47e32a647e5f4b02d5ecce2c1e8e66a1562f1877ef0567d9369cfd7f9f0adce29a75c15b1a508b2b6c8865a00db47ff83da6702f68bb4f1d3ca0b4ced

Download Submit
C:\USERS\ADMIN\DESKTOP\REPAIRRESTORE.MP3.BUSAVELOCK96

Filesize
411KB

MD5
47baf8363cf2e296d2247c28113ba0d6

SHA1
4890e8d5d7089598f4e8126cf4052e61d0274cae

SHA256
956886452c5ca4e428a158a19688c913feb73e26ab247ec002d329a8bbd1409f

SHA512
f66e8bacbcab31c90f43687a537008b2987df9f3b8d964e152d96bbd203ed78a1689c8f8b3f3383c6771befe1fc043da63bb7f81646284eec70906d527ef377b

Download Submit
C:\USERS\ADMIN\DESKTOP\RESUMEBLOCK.RMI.BUSAVELOCK96

Filesize
198KB

MD5
e315522e8bac2456abcd2ac802a58103

SHA1
e4d9bb3505615e533de84f7fe7b1181abedd41f9

SHA256
8c2281af24de540fe094623797a3732b0af64da3a011861ddf1c256ad1a6ea9f

SHA512
3580dd356c23d3c1b579042b718856cf1d8f354fc5656343db5777b83c0de97ce16a39d5338e258c00e5cc3d78d728eb095ab678084b70d8f91efd3b163e1359

Download Submit
C:\USERS\ADMIN\DESKTOP\SENDRESTORE.HTA.BUSAVELOCK96

Filesize
186KB

MD5
2ddb47c787dfd640a5a394d1097ff0d5

SHA1
d78977674b22952ddafc1c78acf93b7276188f7e

SHA256
01f41a37423aebc70d303c46bddf09ab0ecb1d5fa1ed6e96dea80db7e80361cf

SHA512
9150ea9846f87e108d4a607712bf25b74d0a50fca05f1c735480f4cea195ca1459b5f3e255384ae829385eb70c85a672c74a74fffc9e4a44e58d04549aef367d

Download Submit
C:\USERS\ADMIN\DESKTOP\SETUNDO.SEARCH-MS.BUSAVELOCK96

Filesize
333KB

MD5
0b3aefe86009492a788cb327232c3e2f

SHA1
c6a7044446e261bfccaa76686d1dc5ed7a5d2daa

SHA256
b7a1cf519057248135b7bb54b82b0f71e7f49f9d1349a1b05bfc8fc024af61bf

SHA512
58d092c728c51baa70d38f43da1d10e10a487de73f12d3e19d036cee064ba95fdd3979b1f72662c741c98e0bfc1a562860a9c8d9086fa7096769a033b06f4855

Download Submit
C:\USERS\ADMIN\DESKTOP\SWITCHDISABLE.WAX.BUSAVELOCK96

Filesize
175KB

MD5
d38ca06514765ad3ac70370145d81f99

SHA1
751ee63cb0755887e7abd779776e334ece9b0476

SHA256
3fa3d61db25fee18137c52caec9eab309f5fb825bf268c27fce5e5880b1b5d01

SHA512
896ca176192183ab3c449e77551e72080d9cfef2fca51dca01dafe1a70c1fb2876b5072f7e4c1a973d56645debacd8aaec79bf2d5e28cb7835c307c4f146913f

Download Submit
C:\USERS\ADMIN\DESKTOP\TESTCOMPLETE.AU.BUSAVELOCK96

Filesize
434KB

MD5
d0df2488f6f3f3286187bd386f6a8809

SHA1
40fc0747d4b2cdc7aeda3f55f00684cb73643796

SHA256
6b8401c680b24418887feec851241113cc1e9a28410556a431f1fb2b912d9a64

SHA512
7f31c7284f4c0feb24f749c609109f214bd1d1063926315bc468e84eb08d0f5bc5c9fa53624bf9b7a7d91539b993779fb0f1c7b558b9432640607c070094ad5f

Download Submit
C:\USERS\ADMIN\DESKTOP\TESTDISABLE.HTM.BUSAVELOCK96

Filesize
400KB

MD5
65ee62e91eff21f1bca2cf10f91ad767

SHA1
626e7138a45367702184e897a071a69d3bf46b4a

SHA256
90f95425f4be45b4b0d687167c52785e3edaf5ad853189949c54ce0ac2af5748

SHA512
be8f670e0bdb1985dd8d962a2f865d620710b92e0949fd2b422952b5b8c6511299aa74552fa016c596bf98adbf2a9a71356c08ec91acf052320e571f3edcd25c

Download Submit
C:\USERS\ADMIN\DESKTOP\WRITEADD.DOCX.BUSAVELOCK96

Filesize
153KB

MD5
feae8a505741803f15d801b61b4c1d2e

SHA1
52e76ff3a3ed4ec22792af55d900a9bac6039c70

SHA256
ee1ad0204f60a75f1fd99c7a4e83ef0d6d7fe6742ba36112c2550ef6701c453e

SHA512
da2eed9852a195866d5af20d7dee8279ad348e616526cff6df57e915f4c10c6066a79473c027496642178daf74de9a44d02c79f989c8dafe27665bbd40b088eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOCK

Filesize
1KB

MD5
0f9fbcdda5b7ff87c4b02e4bad4bdca5

SHA1
4eab1b4c9288186da18870c09030e37e1567d9ed

SHA256
2a14e1260d2d629b25e62f00edb6736e3773979019688b377e2e56693f493f2c

SHA512
f7a3dc6a3bba45e2b974895a683c7a617a9b75e78e4cecd29f0a565ec17b833a03b7740a7c3b8fee0f2f74d447bf2babbc2c7bd27609f5519b7bbb9244b5b154

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133335756383387647.txt

Filesize
73KB

MD5
d67d5656a71ca8d9194da26954938919

SHA1
4a9e3897b022ac796f82995e53f711fe0b117716

SHA256
89e3bdeffac5bf420d7ef3b78353d7ad50ed451d88c2caacddfc9fbd4d9c9338

SHA512
748f454eb63f5e4b9277575831a8f8ab0ac3b2f1fe05c0fa6c5ccea840fb0455a028067eda4076714a1fedd2ca0044f281a8c4573546eb60e9ada790153e96a5

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133335756431393985.txt

Filesize
73KB

MD5
34e5b2678035f0c95d7ea097dec10d57

SHA1
5033f0db3b197dfa00fcb243a16694b96a494eed

SHA256
9934c296384269ae4074cb7d6cc324f4fb6911f4ea3563f88c49967fd8044594

SHA512
02f1ad4654e84ed06ac54024407b1c0e9a1deb923fd32483c8d2f73eef91a0cba6401ca332aa95a847f4b2607dea2e89b96d15fdec2a3947aab1a47e5ce32e09

Download Submit
\??\A:\$RECYCLE.BIN\S-1-5-21-3011986978-2180659500-3669311805-1000\desktop.ini

Filesize
129B

MD5
a526b9e7c716b3489d8cc062fbce4005

SHA1
2df502a944ff721241be20a9e449d2acd07e0312

SHA256
e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066

SHA512
d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

Download Submit
memory/820-19148-0x0000000002DA0000-0x0000000002DA1000-memory.dmp

Filesize
4KB

Download
memory/2508-19155-0x0000014CFECB0000-0x0000014CFECD0000-memory.dmp

Filesize
128KB

Download
memory/2508-19157-0x0000014CFEC70000-0x0000014CFEC90000-memory.dmp

Filesize
128KB

Download
memory/2508-19161-0x0000014CFF280000-0x0000014CFF2A0000-memory.dmp

Filesize
128KB

Download