8c5a3597666f418b5c857e68c9a13b7b6d037ea08a988204b572f053450add67

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Loads dropped DLL 18 IoCs

pid	Process
2104	regsvr32.exe
2104	regsvr32.exe
2340	regsvr32.exe
4912	explorer.exe
3028	StartMenuExperienceHost.exe
3028	StartMenuExperienceHost.exe
3548	Process not Found
1844	regsvr32.exe
1844	regsvr32.exe
904	regsvr32.exe
956	explorer.exe
1156	StartMenuExperienceHost.exe
1156	StartMenuExperienceHost.exe
4208	Process not Found
3100	rundll32.exe
3540	explorer.exe
2496	StartMenuExperienceHost.exe
2496	StartMenuExperienceHost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ExplorerPatcherCleanup = "cmd /c rmdir /s /q \"C:\\Users\\Admin\\AppData\\Roaming\\ExplorerPatcher\\cleanup\""	ep_setup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 6 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\ExplorerPatcher\ep_setup.exe	ep_setup.exe
File created	C:\Program Files\ExplorerPatcher\ExplorerPatcher.amd64.dll	ep_setup.exe
File created	C:\Program Files\ExplorerPatcher\ep_dwm.exe	ep_setup.exe
File created	C:\Program Files\ExplorerPatcher\ep_weather_host.dll	ep_setup.exe
File created	C:\Program Files\ExplorerPatcher\ep_weather_host.dll	ep_setup.exe
File created	C:\Program Files\ExplorerPatcher\ep_dwm.exe	ep_setup.exe
File created	C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll	ep_setup.exe
File created	C:\Program Files\ExplorerPatcher\ep_setup.exe	ep_setup.exe
File created	C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll	ep_setup.exe
File created	C:\Program Files\ExplorerPatcher\ep_setup.exe	ep_setup.exe
File created	C:\Program Files\ExplorerPatcher\ep_gui.dll	ep_setup.exe
File created	C:\Program Files\ExplorerPatcher\WebView2Loader.dll	ep_setup.exe
File created	C:\Program Files\ExplorerPatcher\ExplorerPatcher.IA-32.dll	ep_setup.exe
File created	C:\Program Files\ExplorerPatcher\ep_gui.dll	ep_setup.exe
File created	C:\Program Files\ExplorerPatcher\WebView2Loader.dll	ep_setup.exe
File created	C:\Program Files\ExplorerPatcher\ExplorerPatcher.IA-32.dll	ep_setup.exe
File created	C:\Program Files\ExplorerPatcher\ExplorerPatcher.amd64.dll	ep_setup.exe
File opened for modification	C:\Program Files\ExplorerPatcher\ep_setup.exe	ep_setup.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\wincorlib.dll	ep_setup.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\dxgi.dll	ep_setup.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\wincorlib.dll	ep_setup.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\wincorlib_orig.dll	ep_setup.exe
File created	C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\dxgi.dll	ep_setup.exe
File created	C:\Windows\dxgi.dll	ep_setup.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\dxgi.dll	ep_setup.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\wincorlib_orig.dll	ep_setup.exe
File created	C:\Windows\dxgi.dll	ep_setup.exe
File created	C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\dxgi.dll	ep_setup.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4408	sc.exe
3868	sc.exe
4636	sc.exe
4816	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchHost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchHost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchHost.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
4344	taskkill.exe
4356	taskkill.exe
4396	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 15 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\GPU	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\GPU	SearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\Main	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\GPU	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\Main	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	explorer.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\NodeSlot = "3"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A6EA9C2D-4982-4827-9204-0AC532959F6D}\InProcServer32	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\ApplicationFrame\windows.immersivecontrolpanel_cw5n1h2txyewy!m = f401000040010000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CDBF3734-F847-4F1B-B953-A605434DC1E7}\ProxyStubClsid32	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "2116"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\ApplicationFrame\windows.immersivecontrolpanel_cw5n1h2txyewy!m = 2c0000000000000001000000ffffffffffffffffffffffffffffffff280000002000000058030000a1020000	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CDBF3734-F847-4F1B-B953-A605434DC1E7}\NumMethods\ = "28"	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "3882"	SearchHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{A6EA9C2D-4982-4827-9204-0AC532959F6D}\DllSurrogate	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Interface	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "21185"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\NodeSlot = "2"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByKey:PID = "2"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "4"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "1063"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\SplashScreen	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "2124"	SearchHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616193"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 19002f433a5c000000000000000000000000000000000000000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WFlags = "0"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A6EA9C2D-4982-4827-9204-0AC532959F6D}\ = "ExplorerPatcher Weather Host"	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "165"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "1099"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "2131"	SearchHost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2410826464-2353372766-2364966905-1000\{E8FDC2DC-9032-4518-A54F-15A3EC67C86E}	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "1899"	SearchHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CDBF3734-F847-4F1B-B953-A605434DC1E7}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CDBF3734-F847-4F1B-B953-A605434DC1E7}\NumMethods	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "25144"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByDirection = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotSIB\PastIconsStream = 1400000005000000010001000600000014000000494c200606000c00040010001000ffffffff2100ffffffffffffffff424d3600000000000000360000002800000010000000c0000000010020000000000000300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000df00000030000000000000000000000000000000000000000000000060000000ff0000000000000000000000000000000000000000000000000000000000000080000000bf0000000000000000000000000000000000000060000000ff000000ff00000000000000000000000000000000000000ff000000500000000000000010000000ef00000030000000000000000000000060000000ff00000060000000ff0000000000000000000000000000000000000060000000ef00000010000000000000008f0000008f000000ff000000ff000000ff0000006000000000000000ff0000000000000000000000ff00000030000000000000009f0000008f0000000000000050000000bf000000ff00000000000000000000000000000000000000ff000000000000000000000070000000af0000000000000040000000df0000000000000020000000ff000000ff00000000000000000000000000000000000000ff000000000000000000000010000000ff0000000000000000000000ff0000000000000000000000ff000000ff00000000000000000000000000000000000000ff000000000000000000000010000000ff0000000000000000000000ff0000000000000000000000ff000000ff00000000000000000000000000000000000000ff000000000000000000000070000000af0000000000000040000000cf0000000000000020000000ff000000ff000000ff000000ff0000006000000000000000ff0000000000000000000000ff00000040000000000000009f0000008f0000000000000050000000bf000000000000000000000060000000ff00000060000000ff0000000000000000000000000000000000000060000000ef00000010000000000000008f0000008f00000000000000000000000000000060000000ff000000ff00000000000000000000000000000000000000ff000000500000000000000010000000ef000000300000000000000000000000000000000000000060000000ff0000000000000000000000000000000000000000000000000000000000000080000000bf0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000df000000300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff0000000000000000000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000000000000000000000000000000000000000000000000000ff0000000000000000000000000000000000000000000000ff000000000000000000000000000000000000000000000000000000000000000000000000000000ff0000000000000000000000000000000000000000000000ff000000000000000000000000000000000000000000000000000000000000000000000000000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff0000000000000000000000ff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff0000000000000000000000ff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff0000000000000000000000ff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff000000ff000000ff000000ff000000ff000000ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff000000ff000000000000000000000000000000ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff000000ff00000000000000ff00000000000000ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff000000ff000000ff000000ff000000ff000000ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff000000ff000000000000000000000000000000ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000df00000030000000000000000000000000000000000000000000000060000000ff0000000000000000000000000000000000000000000000000000000000000080000000bf0000000000000000000000000000000000000060000000ff000000ff00000000000000000000000000000000000000ff000000500000000000000010000000ef00000030000000000000000000000060000000ff00000060000000ff0000000000000000000000000000000000000060000000ef00000010000000000000008f0000008f000000ff000000ff000000ff0000006000000000000000ff0000000000000000000000ff00000030000000000000009f0000008f0000000000000050000000bf000000ff00000000000000000000000000000000000000ff000000000000000000000070000000af0000000000000040000000df0000000000000020000000ff000000ff00000000000000000000000000000000000000ff000000000000000000000010000000ff0000000000000000000000ff0000000000000000000000ff000000ff00000000000000000000000000000000000000ff000000000000000000000010000000ff0000000000000000000000ff0000000000000000000000ff000000ff00000000000000000000000000000000000000ff000000000000000000000070000000af0000000000000040000000cf0000000000000020000000ff000000ff000000ff000000ff0000006000000000000000ff0000000000000000000000ff00000040000000000000009f0000008f0000000000000050000000bf000000000000000000000060000000ff00000060000000ff0000000000000000000000000000000000000060000000ef00000010000000000000008f0000008f00000000000000000000000000000060000000ff000000ff00000000000000000000000000000000000000ff000000500000000000000010000000ef000000300000000000000000000000000000000000000060000000ff0000000000000000000000000000000000000000000000000000000000000080000000bf0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000df000000300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff0000000000000000000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000000000000000000000000000000000000000000000000000ff0000000000000000000000000000000000000000000000ff000000000000000000000000000000000000000000000000000000000000000000000000000000ff0000000000000000000000000000000000000000000000ff000000000000000000000000000000000000000000000000000000000000000000000000000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff0000000000000000000000ff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff0000000000000000000000ff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff0000000000000000000000ff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff000000ff000000ff000000ff000000ff000000ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff000000ff000000000000000000000000000000ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff000000ff00000000000000ff00000000000000ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff000000ff000000ff000000ff000000ff000000ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff000000ff000000000000000000000000000000ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000df00000030000000000000000000000000000000000000000000000060000000ff0000000000000000000000000000000000000000000000000000000000000080000000bf0000000000000000000000000000000000000060000000ff000000ff00000000000000000000000000000000000000ff000000500000000000000010000000ef00000030000000000000000000000060000000ff00000060000000ff0000000000000000000000000000000000000060000000ef00000010000000000000008f0000008f000000ff000000ff000000ff0000006000000000000000ff0000000000000000000000ff00000030000000000000009f0000008f0000000000000050000000bf000000ff00000000000000000000000000000000000000ff000000000000000000000070000000af0000000000000040000000df0000000000000020000000ff000000ff00000000000000000000000000000000000000ff000000000000000000000010000000ff0000000000000000000000ff0000000000000000000000ff000000ff00000000000000000000000000000000000000ff000000000000000000000010000000ff0000000000000000000000ff0000000000000000000000ff000000ff00000000000000000000000000000000000000ff000000000000000000000070000000af0000000000000040000000cf0000000000000020000000ff000000ff000000ff000000ff0000006000000000000000ff0000000000000000000000ff00000040000000000000009f0000008f0000000000000050000000bf000000000000000000000060000000ff00000060000000ff0000000000000000000000000000000000000060000000ef00000010000000000000008f0000008f00000000000000000000000000000060000000ff000000ff00000000000000000000000000000000000000ff000000500000000000000010000000ef000000300000000000000000000000000000000000000060000000ff0000000000000000000000000000000000000000000000000000000000000080000000bf0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000df000000300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff0000000000000000000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000000000000000000000000000000000000000000000000000ff0000000000000000000000000000000000000000000000ff000000000000000000000000000000000000000000000000000000000000000000000000000000ff0000000000000000000000000000000000000000000000ff000000000000000000000000000000000000000000000000000000000000000000000000000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff0000000000000000000000ff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff0000000000000000000000ff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff0000000000000000000000ff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff000000ff000000ff000000ff000000ff000000ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff000000ff000000000000000000000000000000ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff000000ff00000000000000ff00000000000000ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff000000ff000000ff000000ff000000ff000000ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff000000ff000000000000000000000000000000ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000424d3e000000000000003e0000002800000010000000c00000000100010000000000000300000000000000000000000000000000000000000000ffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffff0000fff90000f3f90000e3c80000c3c400000b2400007b2400007b3600007b3600007b2400000b240000c3c40000e3c80000f3f90000fff90000ffff0000ffff0000d80f0000df7f0000df7f0000c0000000dffe0000dffe0000dffe000007fe000077fe000057fe000007fe000077fe000000000000ffff0000ffff0000ffff0000fff90000f3f90000e3c80000c3c400000b2400007b2400007b3600007b3600007b2400000b240000c3c40000e3c80000f3f90000fff90000ffff0000ffff0000d80f0000df7f0000df7f0000c0000000dffe0000dffe0000dffe000007fe000077fe000057fe000007fe000077fe000000000000ffff0000ffff0000ffff0000fff90000f3f90000e3c80000c3c400000b2400007b2400007b3600007b3600007b2400000b240000c3c40000e3c80000f3f90000fff90000ffff0000ffff0000d80f0000df7f0000df7f0000c0000000dffe0000dffe0000dffe000007fe000077fe000057fe000007fe000077fe000000000000ffff0000ffff00000100000008000000060000000400000044000000010000000000000001000000000000000100000000000000010000000000000001000000000000000100000000000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "165"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\FFlags = "1092616209"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupView = "4294967295"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CDBF3734-F847-4F1B-B953-A605434DC1E7}\NumMethods	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "5323"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "1030"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "1063"	SearchHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDBF3734-F847-4F1B-B953-A605434DC1E7}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Rev = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "932"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "2124"	SearchHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{A6EA9C2D-4982-4827-9204-0AC532959F6D}	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotSIB\PastIconsStream = 1400000005000000010001000c00000014000000494c20060c001800080010001000ffffffff2110ffffffffffffffff424d360000000000000036000000280000001000000080010000010020000000000000600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000df00000030000000000000000000000000000000000000000000000060000000ff0000000000000000000000000000000000000000000000000000000000000080000000bf0000000000000000000000000000000000000060000000ff000000ff00000000000000000000000000000000000000ff000000500000000000000010000000ef00000030000000000000000000000060000000ff00000060000000ff0000000000000000000000000000000000000060000000ef00000010000000000000008f0000008f000000ff000000ff000000ff0000006000000000000000ff0000000000000000000000ff00000030000000000000009f0000008f0000000000000050000000bf000000ff00000000000000000000000000000000000000ff000000000000000000000070000000af0000000000000040000000df0000000000000020000000ff000000ff00000000000000000000000000000000000000ff000000000000000000000010000000ff0000000000000000000000ff0000000000000000000000ff000000ff00000000000000000000000000000000000000ff000000000000000000000010000000ff0000000000000000000000ff0000000000000000000000ff000000ff00000000000000000000000000000000000000ff000000000000000000000070000000af0000000000000040000000cf0000000000000020000000ff000000ff000000ff000000ff0000006000000000000000ff0000000000000000000000ff00000040000000000000009f0000008f0000000000000050000000bf000000000000000000000060000000ff00000060000000ff0000000000000000000000000000000000000060000000ef00000010000000000000008f0000008f00000000000000000000000000000060000000ff000000ff00000000000000000000000000000000000000ff000000500000000000000010000000ef000000300000000000000000000000000000000000000060000000ff0000000000000000000000000000000000000000000000000000000000000080000000bf0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000df000000300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff0000000000000000000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000000000000000000000000000000000000000000000000000ff0000000000000000000000000000000000000000000000ff000000000000000000000000000000000000000000000000000000000000000000000000000000ff0000000000000000000000000000000000000000000000ff000000000000000000000000000000000000000000000000000000000000000000000000000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff0000000000000000000000ff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff0000000000000000000000ff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff0000000000000000000000ff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff000000ff000000ff000000ff000000ff000000ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff000000ff000000000000000000000000000000ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff000000ff00000000000000ff00000000000000ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff000000ff000000ff000000ff000000ff000000ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff000000ff000000000000000000000000000000ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000df00000030000000000000000000000000000000000000000000000060000000ff0000000000000000000000000000000000000000000000000000000000000080000000bf0000000000000000000000000000000000000060000000ff000000ff00000000000000000000000000000000000000ff000000500000000000000010000000ef00000030000000000000000000000060000000ff00000060000000ff0000000000000000000000000000000000000060000000ef00000010000000000000008f0000008f000000ff000000ff000000ff0000006000000000000000ff0000000000000000000000ff00000030000000000000009f0000008f0000000000000050000000bf000000ff00000000000000000000000000000000000000ff000000000000000000000070000000af0000000000000040000000df0000000000000020000000ff000000ff00000000000000000000000000000000000000ff000000000000000000000010000000ff0000000000000000000000ff0000000000000000000000ff000000ff00000000000000000000000000000000000000ff000000000000000000000010000000ff0000000000000000000000ff0000000000000000000000ff000000ff00000000000000000000000000000000000000ff000000000000000000000070000000af0000000000000040000000cf0000000000000020000000ff000000ff000000ff000000ff0000006000000000000000ff0000000000000000000000ff00000040000000000000009f0000008f0000000000000050000000bf000000000000000000000060000000ff00000060000000ff0000000000000000000000000000000000000060000000ef00000010000000000000008f0000008f00000000000000000000000000000060000000ff000000ff00000000000000000000000000000000000000ff000000500000000000000010000000ef000000300000000000000000000000000000000000000060000000ff0000000000000000000000000000000000000000000000000000000000000080000000bf0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000df000000300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff0000000000000000000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000000000000000000000000000000000000000000000000000ff0000000000000000000000000000000000000000000000ff000000000000000000000000000000000000000000000000000000000000000000000000000000ff0000000000000000000000000000000000000000000000ff000000000000000000000000000000000000000000000000000000000000000000000000000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff0000000000000000000000ff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff0000000000000000000000ff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff0000000000000000000000ff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff000000ff000000ff000000ff000000ff000000ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff000000ff000000000000000000000000000000ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff000000ff00000000000000ff00000000000000ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff000000ff000000ff000000ff000000ff000000ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff000000ff000000000000000000000000000000ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000df00000030000000000000000000000000000000000000000000000060000000ff0000000000000000000000000000000000000000000000000000000000000080000000bf0000000000000000000000000000000000000060000000ff000000ff00000000000000000000000000000000000000ff000000500000000000000010000000ef00000030000000000000000000000060000000ff00000060000000ff0000000000000000000000000000000000000060000000ef00000010000000000000008f0000008f000000ff000000ff000000ff0000006000000000000000ff0000000000000000000000ff00000030000000000000009f0000008f0000000000000050000000bf000000ff00000000000000000000000000000000000000ff000000000000000000000070000000af0000000000000040000000df0000000000000020000000ff000000ff00000000000000000000000000000000000000ff000000000000000000000010000000ff0000000000000000000000ff0000000000000000000000ff000000ff00000000000000000000000000000000000000ff000000000000000000000010000000ff0000000000000000000000ff0000000000000000000000ff000000ff00000000000000000000000000000000000000ff000000000000000000000070000000af0000000000000040000000cf0000000000000020000000ff000000ff000000ff000000ff0000006000000000000000ff0000000000000000000000ff00000040000000000000009f0000008f0000000000000050000000bf000000000000000000000060000000ff00000060000000ff0000000000000000000000000000000000000060000000ef00000010000000000000008f0000008f00000000000000000000000000000060000000ff000000ff00000000000000000000000000000000000000ff000000500000000000000010000000ef000000300000000000000000000000000000000000000060000000ff0000000000000000000000000000000000000000000000000000000000000080000000bf0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000df000000300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff0000000000000000000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000000000000000000000000000000000000000000000000000ff0000000000000000000000000000000000000000000000ff000000000000000000000000000000000000000000000000000000000000000000000000000000ff0000000000000000000000000000000000000000000000ff000000000000000000000000000000000000000000000000000000000000000000000000000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff0000000000000000000000ff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff0000000000000000000000ff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff0000000000000000000000ff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff000000ff000000ff000000ff000000ff000000ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff000000ff000000000000000000000000000000ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff000000ff00000000000000ff00000000000000ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff000000ff000000ff000000ff000000ff000000ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff000000ff000000000000000000000000000000ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000df00000030000000000000000000000000000000000000000000000060000000ff0000000000000000000000000000000000000000000000000000000000000080000000bf0000000000000000000000000000000000000060000000ff000000ff00000000000000000000000000000000000000ff000000500000000000000010000000ef00000030000000000000000000000060000000ff00000060000000ff0000000000000000000000000000000000000060000000ef00000010000000000000008f0000008f000000ff000000ff000000ff0000006000000000000000ff0000000000000000000000ff00000030000000000000009f0000008f0000000000000050000000bf000000ff00000000000000000000000000000000000000ff000000000000000000000070000000af0000000000000040000000df0000000000000020000000ff000000ff00000000000000000000000000000000000000ff000000000000000000000010000000ff0000000000000000000000ff0000000000000000000000ff000000ff00000000000000000000000000000000000000ff000000000000000000000010000000ff0000000000000000000000ff0000000000000000000000ff000000ff00000000000000000000000000000000000000ff000000000000000000000070000000af0000000000000040000000cf0000000000000020000000ff000000ff000000ff000000ff0000006000000000000000ff0000000000000000000000ff00000040000000000000009f0000008f0000000000000050000000bf000000000000000000000060000000ff00000060000000ff0000000000000000000000000000000000000060000000ef00000010000000000000008f0000008f00000000000000000000000000000060000000ff000000ff00000000000000000000000000000000000000ff000000500000000000000010000000ef000000300000000000000000000000000000000000000060000000ff0000000000000000000000000000000000000000000000000000000000000080000000bf0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000df000000300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff0000000000000000000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000000000000000000000000000000000000000000000000000ff0000000000000000000000000000000000000000000000ff000000000000000000000000000000000000000000000000000000000000000000000000000000ff0000000000000000000000000000000000000000000000ff000000000000000000000000000000000000000000000000000000000000000000000000000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff0000000000000000000000ff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff0000000000000000000000ff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff0000000000000000000000ff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff000000ff000000ff000000ff000000ff000000ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff000000ff000000000000000000000000000000ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff000000ff00000000000000ff00000000000000ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff000000ff000000ff000000ff000000ff000000ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff000000ff000000000000000000000000000000ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000df00000030000000000000000000000000000000000000000000000060000000ff0000000000000000000000000000000000000000000000000000000000000080000000bf0000000000000000000000000000000000000060000000ff000000ff00000000000000000000000000000000000000ff000000500000000000000010000000ef00000030000000000000000000000060000000ff00000060000000ff0000000000000000000000000000000000000060000000ef00000010000000000000008f0000008f000000ff000000ff000000ff0000006000000000000000ff0000000000000000000000ff00000030000000000000009f0000008f0000000000000050000000bf000000ff00000000000000000000000000000000000000ff000000000000000000000070000000af0000000000000040000000df0000000000000020000000ff000000ff00000000000000000000000000000000000000ff000000000000000000000010000000ff0000000000000000000000ff0000000000000000000000ff000000ff00000000000000000000000000000000000000ff000000000000000000000010000000ff0000000000000000000000ff0000000000000000000000ff000000ff00000000000000000000000000000000000000ff000000000000000000000070000000af0000000000000040000000cf0000000000000020000000ff000000ff000000ff000000ff0000006000000000000000ff0000000000000000000000ff00000040000000000000009f0000008f0000000000000050000000bf000000000000000000000060000000ff00000060000000ff0000000000000000000000000000000000000060000000ef00000010000000000000008f0000008f00000000000000000000000000000060000000ff000000ff00000000000000000000000000000000000000ff000000500000000000000010000000ef000000300000000000000000000000000000000000000060000000ff0000000000000000000000000000000000000000000000000000000000000080000000bf0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000df000000300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff0000000000000000000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000000000000000000000000000000000000000000000000000ff0000000000000000000000000000000000000000000000ff000000000000000000000000000000000000000000000000000000000000000000000000000000ff0000000000000000000000000000000000000000000000ff000000000000000000000000000000000000000000000000000000000000000000000000000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff0000000000000000000000ff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff0000000000000000000000ff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff0000000000000000000000ff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff000000ff000000ff000000ff000000ff000000ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff000000ff000000000000000000000000000000ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff000000ff00000000000000ff00000000000000ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff000000ff000000ff000000ff000000ff000000ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff000000ff000000000000000000000000000000ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000df00000030000000000000000000000000000000000000000000000060000000ff0000000000000000000000000000000000000000000000000000000000000080000000bf0000000000000000000000000000000000000060000000ff000000ff00000000000000000000000000000000000000ff000000500000000000000010000000ef00000030000000000000000000000060000000ff00000060000000ff0000000000000000000000000000000000000060000000ef00000010000000000000008f0000008f000000ff000000ff000000ff0000006000000000000000ff0000000000000000000000ff00000030000000000000009f0000008f0000000000000050000000bf000000ff00000000000000000000000000000000000000ff000000000000000000000070000000af0000000000000040000000df0000000000000020000000ff000000ff00000000000000000000000000000000000000ff000000000000000000000010000000ff0000000000000000000000ff0000000000000000000000ff000000ff00000000000000000000000000000000000000ff000000000000000000000010000000ff0000000000000000000000ff0000000000000000000000ff000000ff00000000000000000000000000000000000000ff000000000000000000000070000000af0000000000000040000000cf0000000000000020000000ff000000ff000000ff000000ff0000006000000000000000ff0000000000000000000000ff00000040000000000000009f0000008f0000000000000050000000bf000000000000000000000060000000ff00000060000000ff0000000000000000000000000000000000000060000000ef00000010000000000000008f0000008f00000000000000000000000000000060000000ff000000ff00000000000000000000000000000000000000ff000000500000000000000010000000ef000000300000000000000000000000000000000000000060000000ff0000000000000000000000000000000000000000000000000000000000000080000000bf0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000df000000300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff0000000000000000000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000000000000000000000000000000000000000000000000000ff0000000000000000000000000000000000000000000000ff000000000000000000000000000000000000000000000000000000000000000000000000000000ff0000000000000000000000000000000000000000000000ff000000000000000000000000000000000000000000000000000000000000000000000000000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff0000000000000000000000ff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff0000000000000000000000ff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff0000000000000000000000ff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff000000ff000000ff000000ff000000ff000000ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff000000ff000000000000000000000000000000ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff000000ff00000000000000ff00000000000000ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff000000ff000000ff000000ff000000ff000000ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff000000ff000000000000000000000000000000ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000424d3e000000000000003e0000002800000010000000800100000100010000000000000600000000000000000000000000000000000000000000ffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffff0000fff90000f3f90000e3c80000c3c400000b2400007b2400007b3600007b3600007b2400000b240000c3c40000e3c80000f3f90000fff90000ffff0000ffff0000d80f0000df7f0000df7f0000c0000000dffe0000dffe0000dffe000007fe000077fe000057fe000007fe000077fe000000000000ffff0000ffff0000ffff0000fff90000f3f90000e3c80000c3c400000b2400007b2400007b3600007b3600007b2400000b240000c3c40000e3c80000f3f90000fff90000ffff0000ffff0000d80f0000df7f0000df7f0000c0000000dffe0000dffe0000dffe000007fe000077fe000057fe000007fe000077fe000000000000ffff0000ffff0000ffff0000fff90000f3f90000e3c80000c3c400000b2400007b2400007b3600007b3600007b2400000b240000c3c40000e3c80000f3f90000fff90000ffff0000ffff0000d80f0000df7f0000df7f0000c0000000dffe0000dffe0000dffe000007fe000077fe000057fe000007fe000077fe000000000000ffff0000ffff0000ffff0000fff90000f3f90000e3c80000c3c400000b2400007b2400007b3600007b3600007b2400000b240000c3c40000e3c80000f3f90000fff90000ffff0000ffff0000d80f0000df7f0000df7f0000c0000000dffe0000dffe0000dffe000007fe000077fe000057fe000007fe000077fe000000000000ffff0000ffff0000ffff0000fff90000f3f90000e3c80000c3c400000b2400007b2400007b3600007b3600007b2400000b240000c3c40000e3c80000f3f90000fff90000ffff0000ffff0000d80f0000df7f0000df7f0000c0000000dffe0000dffe0000dffe000007fe000077fe000057fe000007fe000077fe000000000000ffff0000ffff0000ffff0000fff90000f3f90000e3c80000c3c400000b2400007b2400007b3600007b3600007b2400000b240000c3c40000e3c80000f3f90000fff90000ffff0000ffff0000d80f0000df7f0000df7f0000c0000000dffe0000dffe0000dffe000007fe000077fe000057fe000007fe000077fe000000000000ffff0000ffff00000000000000000000000000000000000000000000000001000000080000000c0000000400000074000000010000000000000001000000000000000100000000000000010000000000000001000000000000000100000000000000010000000000000001000000000000000100000000000000010000000000000001000000000000000100000000000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\IconSize = "48"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "1030"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Sort = 0000000000000000000000000000000002000000f4eec83032a8e241ab32e3c3ca28fd29030000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	explorer.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4912	explorer.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4912	explorer.exe
4912	explorer.exe
956	explorer.exe
956	explorer.exe
3540	explorer.exe
3540	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4912	explorer.exe
956	explorer.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4912	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4344	taskkill.exe
Token: 35	4668	ep_setup.exe
Token: SeShutdownPrivilege	4912	explorer.exe
Token: SeCreatePagefilePrivilege	4912	explorer.exe
Token: SeShutdownPrivilege	4912	explorer.exe
Token: SeCreatePagefilePrivilege	4912	explorer.exe
Token: SeShutdownPrivilege	4912	explorer.exe
Token: SeCreatePagefilePrivilege	4912	explorer.exe
Token: SeShutdownPrivilege	4912	explorer.exe
Token: SeCreatePagefilePrivilege	4912	explorer.exe
Token: SeShutdownPrivilege	4912	explorer.exe
Token: SeCreatePagefilePrivilege	4912	explorer.exe
Token: SeShutdownPrivilege	4912	explorer.exe
Token: SeCreatePagefilePrivilege	4912	explorer.exe
Token: SeShutdownPrivilege	4912	explorer.exe
Token: SeCreatePagefilePrivilege	4912	explorer.exe
Token: SeShutdownPrivilege	4912	explorer.exe
Token: SeCreatePagefilePrivilege	4912	explorer.exe
Token: SeShutdownPrivilege	4912	explorer.exe
Token: SeCreatePagefilePrivilege	4912	explorer.exe
Token: SeShutdownPrivilege	4912	explorer.exe
Token: SeCreatePagefilePrivilege	4912	explorer.exe
Token: SeShutdownPrivilege	4912	explorer.exe
Token: SeCreatePagefilePrivilege	4912	explorer.exe
Token: SeShutdownPrivilege	4912	explorer.exe
Token: SeCreatePagefilePrivilege	4912	explorer.exe
Token: SeShutdownPrivilege	4912	explorer.exe
Token: SeCreatePagefilePrivilege	4912	explorer.exe
Token: SeShutdownPrivilege	4912	explorer.exe
Token: SeCreatePagefilePrivilege	4912	explorer.exe
Token: SeShutdownPrivilege	4912	explorer.exe
Token: SeCreatePagefilePrivilege	4912	explorer.exe
Token: SeShutdownPrivilege	4912	explorer.exe
Token: SeCreatePagefilePrivilege	4912	explorer.exe
Token: SeShutdownPrivilege	4912	explorer.exe
Token: SeCreatePagefilePrivilege	4912	explorer.exe
Token: SeShutdownPrivilege	4912	explorer.exe
Token: SeCreatePagefilePrivilege	4912	explorer.exe
Token: SeShutdownPrivilege	4912	explorer.exe
Token: SeCreatePagefilePrivilege	4912	explorer.exe
Token: SeShutdownPrivilege	4912	explorer.exe
Token: SeCreatePagefilePrivilege	4912	explorer.exe
Token: SeShutdownPrivilege	4912	explorer.exe
Token: SeCreatePagefilePrivilege	4912	explorer.exe
Token: SeShutdownPrivilege	4912	explorer.exe
Token: SeCreatePagefilePrivilege	4912	explorer.exe
Token: SeShutdownPrivilege	4912	explorer.exe
Token: SeCreatePagefilePrivilege	4912	explorer.exe
Token: SeShutdownPrivilege	4912	explorer.exe
Token: SeCreatePagefilePrivilege	4912	explorer.exe
Token: SeShutdownPrivilege	4912	explorer.exe
Token: SeCreatePagefilePrivilege	4912	explorer.exe
Token: SeShutdownPrivilege	4912	explorer.exe
Token: SeCreatePagefilePrivilege	4912	explorer.exe
Token: SeShutdownPrivilege	4912	explorer.exe
Token: SeCreatePagefilePrivilege	4912	explorer.exe
Token: SeShutdownPrivilege	4912	explorer.exe
Token: SeCreatePagefilePrivilege	4912	explorer.exe
Token: SeShutdownPrivilege	4912	explorer.exe
Token: SeCreatePagefilePrivilege	4912	explorer.exe
Token: SeShutdownPrivilege	4912	explorer.exe
Token: SeCreatePagefilePrivilege	4912	explorer.exe
Token: SeShutdownPrivilege	4912	explorer.exe
Token: SeCreatePagefilePrivilege	4912	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4668	ep_setup.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4668	ep_setup.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe

Suspicious use of SetWindowsHookEx 21 IoCs

pid	Process
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
1616	SearchHost.exe
3028	StartMenuExperienceHost.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
956	explorer.exe
956	explorer.exe
956	explorer.exe
236	SearchHost.exe
1156	StartMenuExperienceHost.exe
956	explorer.exe
956	explorer.exe
3540	explorer.exe
3540	explorer.exe
3540	explorer.exe
3712	SearchHost.exe
2496	StartMenuExperienceHost.exe
3540	explorer.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 4668 wrote to memory of 4344	4668	ep_setup.exe	78
PID 4668 wrote to memory of 4344	4668	ep_setup.exe	78
PID 4668 wrote to memory of 4816	4668	ep_setup.exe	81
PID 4668 wrote to memory of 4816	4668	ep_setup.exe	81
PID 4668 wrote to memory of 4408	4668	ep_setup.exe	83
PID 4668 wrote to memory of 4408	4668	ep_setup.exe	83
PID 4668 wrote to memory of 2104	4668	ep_setup.exe	85
PID 4668 wrote to memory of 2104	4668	ep_setup.exe	85
PID 4668 wrote to memory of 2340	4668	ep_setup.exe	86
PID 4668 wrote to memory of 2340	4668	ep_setup.exe	86
PID 4668 wrote to memory of 4912	4668	ep_setup.exe	87
PID 4668 wrote to memory of 4912	4668	ep_setup.exe	87
PID 4912 wrote to memory of 484	4912	explorer.exe	105
PID 4912 wrote to memory of 484	4912	explorer.exe	105
PID 484 wrote to memory of 4356	484	ep_setup.exe	108
PID 484 wrote to memory of 4356	484	ep_setup.exe	108
PID 484 wrote to memory of 3868	484	ep_setup.exe	110
PID 484 wrote to memory of 3868	484	ep_setup.exe	110
PID 484 wrote to memory of 4636	484	ep_setup.exe	112
PID 484 wrote to memory of 4636	484	ep_setup.exe	112
PID 484 wrote to memory of 1844	484	ep_setup.exe	114
PID 484 wrote to memory of 1844	484	ep_setup.exe	114
PID 484 wrote to memory of 904	484	ep_setup.exe	115
PID 484 wrote to memory of 904	484	ep_setup.exe	115
PID 484 wrote to memory of 956	484	ep_setup.exe	116
PID 484 wrote to memory of 956	484	ep_setup.exe	116
PID 956 wrote to memory of 1528	956	explorer.exe	122
PID 956 wrote to memory of 1528	956	explorer.exe	122
PID 956 wrote to memory of 3100	956	explorer.exe	128
PID 956 wrote to memory of 3100	956	explorer.exe	128
PID 3100 wrote to memory of 4396	3100	rundll32.exe	129
PID 3100 wrote to memory of 4396	3100	rundll32.exe	129
PID 3100 wrote to memory of 3540	3100	rundll32.exe	132
PID 3100 wrote to memory of 3540	3100	rundll32.exe	132

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\ep_setup.exe
"C:\Users\Admin\AppData\Local\Temp\ep_setup.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4668
- C:\Windows\system32\taskkill.exe
  "C:\Windows\system32\taskkill.exe" /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4344
- C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" stop ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB
  2⤵
  - Launches sc.exe
  PID:4816
- C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" start ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB
  2⤵
  - Launches sc.exe
  PID:4408
- C:\Windows\system32\regsvr32.exe
  "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host.dll"
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:2104
- C:\Windows\system32\regsvr32.exe
  "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll"
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:2340
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Loads dropped DLL
  - Enumerates connected drives
  - Checks SCSI registry key(s)
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4912
- - C:\Users\Admin\Desktop\ep_setup.exe
    "C:\Users\Admin\Desktop\ep_setup.exe"
    3⤵
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:484
  - - C:\Windows\system32\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im explorer.exe
      4⤵
      Kills process with taskkill
      PID:4356
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" stop ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB
      4⤵
      Launches sc.exe
      PID:3868
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" start ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB
      4⤵
      Launches sc.exe
      PID:4636
  - - C:\Windows\system32\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host.dll"
      4⤵
      Loads dropped DLL
      Modifies registry class
      PID:1844
  - - C:\Windows\system32\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll"
      4⤵
      Loads dropped DLL
      Modifies registry class
      PID:904
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Loads dropped DLL
      Enumerates connected drives
      Checks SCSI registry key(s)
      Modifies Internet Explorer settings
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:956
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c rmdir /s /q "C:\Users\Admin\AppData\Roaming\ExplorerPatcher\cleanup"
        5⤵
        
        PID:1528
    - - C:\Windows\System32\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Program Files\ExplorerPatcher\ep_gui.dll",ZZGUI
        5⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:3100
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /f /im explorer.exe
        6⤵
        Kills process with taskkill
        
        PID:4396
      - C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Loads dropped DLL
        Enumerates connected drives
        Checks SCSI registry key(s)
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3540

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1616

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3028

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:3640

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1452

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1156

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:236

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
PID:5008

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3712

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Impair Defenses

T1562

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery