vkeylogger | 8c50b6cbe0c930b7e7725350fbb11cf8f1d7e8d5efb0db383d507155ab9f0a7d

General

Target

4552348445415f5a30a31366a5d5e126.exe
Size

276KB
MD5

4552348445415f5a30a31366a5d5e126
SHA1

c15892a50f4237608feee5b06c0737c3126a8bc4
SHA256

8c50b6cbe0c930b7e7725350fbb11cf8f1d7e8d5efb0db383d507155ab9f0a7d
SHA512

8c96dc9747a32f9242942f0dcd867ec52e8dd6dcfff1818fba53ea9fb7bcfeda437550dc022a583b8e23535c810b1f25b7c387b29bcf7b6d36896a0bb072f318

Score

10^/10

vkeylogger keylogger persistence stealer

Malware Config

Signatures

VKeylogger
A keylogger first seen in Nov 2020.
stealer keylogger vkeylogger

VKeylogger Payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4296-135-0x0000000000400000-0x000000000040F000-memory.dmp	family_vkeylogger
behavioral2/memory/4244-136-0x0000000000340000-0x0000000000388000-memory.dmp	family_vkeylogger
behavioral2/memory/4296-138-0x0000000000400000-0x000000000040F000-memory.dmp	family_vkeylogger
behavioral2/memory/1036-139-0x0000000001100000-0x000000000110F000-memory.dmp	family_vkeylogger

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Jsoft = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4552348445415f5a30a31366a5d5e126.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Karo = "C:\\Windows\\system32\\mshta.exe javascript:x=new%20ActiveXObject(\"wscript.shell\");v=x.RegRead(\"HKCU\\\\Software\\\\Microsoft\\\\SMSvcHost\\\\ComponentID\");eval(v);"	explorer.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

4552348445415f5a30a31366a5d5e126.exe4552348445415f5a30a31366a5d5e126.exe

description	pid	process	target process
PID 4244 set thread context of 4296	4244	4552348445415f5a30a31366a5d5e126.exe	4552348445415f5a30a31366a5d5e126.exe
PID 4296 set thread context of 1036	4296	4552348445415f5a30a31366a5d5e126.exe	explorer.exe

Drops file in Windows directory 28 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\SoftwareDistribution\Download\17087e6e4710e63df4fcd8834f70bc99\pj5OoD7hJ+dBGy+3XOjLT8WsuYwervv\BIT5B30.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\ca4af4339884f7018bf988ecac7702ff\BIT4171.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d60cb501610b6a66743c55eade3ef996\BIT5870.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\17087e6e4710e63df4fcd8834f70bc99\pj5OoD7hJ+dBGy+3XOjLT8WsuYwervv\LZOCjtiHKk8=	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\17087e6e4710e63df4fcd8834f70bc99\BIT5D25.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\9d6172fa1dc41a48846593219fc6519f\BIT8ACE.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\7752a73587b3362d505a041fe7f69ecd\F2WKV54ysEMEW9U+EfiUeJcNcgfNL4pMC5NmE0a3mAg=	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d60cb501610b6a66743c55eade3ef996\CsA9z1\SlUHUPO8bKnA\BIT323D.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\7752a73587b3362d505a041fe7f69ecd\BIT48A8.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\ca4af4339884f7018bf988ecac7702ff\BIT5349.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\9d6172fa1dc41a48846593219fc6519f\BIT556F.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d60cb501610b6a66743c55eade3ef996\f3535a3b47819a04c6d5ee18905493be086e801e	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\17087e6e4710e63df4fcd8834f70bc99\a3f602ea4d534d006919a2613d91f9506b383314	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\9d6172fa1dc41a48846593219fc6519f\BIT8A50.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\7752a73587b3362d505a041fe7f69ecd\af66e12c1bb9d8519da21259d0fcd88c247cb4f1	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d60cb501610b6a66743c55eade3ef996\CsA9z1\SlUHUPO8bKnA\5ondRmJ90JlkPETuN535TWk=	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d60cb501610b6a66743c55eade3ef996\BIT32BB.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\9d6172fa1dc41a48846593219fc6519f\Cmn5TH6S2lFFnfMN8MLr2EoNUIAGzQo2UUjHGMEC99A=	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\9d6172fa1dc41a48846593219fc6519f\e1a85885fd4453165061351651289cce8f8590c4	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\7752a73587b3362d505a041fe7f69ecd\BIT4730.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d60cb501610b6a66743c55eade3ef996\CsA9z1\SlUHUPO8bKnA\BIT55ED.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\9d6172fa1dc41a48846593219fc6519f\BIT5801.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\17087e6e4710e63df4fcd8834f70bc99\pj5OoD7hJ+dBGy+3XOjLT8WsuYwervv\BIT8B5C.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\17087e6e4710e63df4fcd8834f70bc99\BIT8D22.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\ca4af4339884f7018bf988ecac7702ff\9+dL4Puh6FM8puPxsBEX86BMeGqpuC0b7gf2fD9DLLo=	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\ca4af4339884f7018bf988ecac7702ff\612ad442b8740f4c57b8c84e6bf465ba4699118c	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\ca4af4339884f7018bf988ecac7702ff\BIT42BB.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\ca4af4339884f7018bf988ecac7702ff\BIT529C.tmp	svchost.exe

Modifies data under HKEY_USERS 16 IoCs

Processes:

svchost.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\DeviceTicket = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000d79ef4adb8e2df4e96c16fb9ef12577e0000000002000000000010660000000100002000000073f37f09ade1d85c65f3c30446c58d3e826dd6e09d5a6e03bba78fe68168a735000000000e800000000200002000000007b4a6aa7dfeedd56ddbefe75134f01f511c81bcb82b45581f06dc5e19a0fb74100d00004983ab62963ea5c0ed36edf43282a05ebd341267557b602d6c3d0cf5bcc00f82ef0f844cf02553f2be3a9fe269e16b972e5fc3edf30725e53cae3ce9191b485ef10b7d25798c7500b8b69bec3ba52b319e28945cbf256c73d74808b92c6913d62c8828be0a368924d771f4223af83990f561d1c94f25b3f841bc3d66b8cdcc04857597b52ae36e71d94a950fdf8cd38d74f4e19868be4f3a55e01e3768871b769154480eec2a4ac102f3da6440eaea88d0b762e1b08b9a6f0c17ace9e9fbb8ebd9fcd39fa18739d5d0f3c9475889bd7570347a791e98d4b13643e95d1ffb2faa63de1953b0ab7733558ecc8876fad1fd33691b941a586ecff37a7cd611f22c154c791785d8727e873ba588b71347b9bed667f5800cd38f3c5d2708de2e1294f39f4cc8eda2389b862930fe6d9780eb95148b3f52b68cf674a0ec28cfa38f29b1ed8c4fa6f04815c997d198cfac01567e0e019bf39b6fc5b551bc59e51e4d7bb349eda944af92a5e24c7af2f2622c3b242f4ad01206426aa12d55d332fa2717fac22f396d8e2078a736f3ed1279c9bc4253f3351160e37a3b5cd7b1daaf9441ab67b161814bc92a3dfddc45b4b2ee72ebeef037f090a621ea89de208c53c69ab0027f8f4c617102f306a11474c8a9f1d3e3ab100f7c8f4e24b5689a09220e5425dfdf225bfac51c07e209d32075af4b1e1da870169caafe8ffee95da615dce3854b8abccc8053d54365b2af971f7a0d8edc09d2220837b6bc0d91b16447af472b1a670ac13792e0b2e61972f1db0a25631d0275eb5ef9542834ac5d6bb28490fffe12fa8a5c6e8cbeb9c5931917b6bffa9b87bac6c584cf031b4adc2e3f35d6734875db949d19023963ea5db3b502944de5e96d866cf487fe9f9ad82b11e6f3e470d4accf44bc38daf92b5ab50639a112c3d0359f0feb22a7fae55f46f7cf25ff22b0faafb3a54fcf14334c759a575eaa3d898219cb08ab0f486cc25e743230be5ebe8ea2e25218a5cb199b57c3b4d1beff8deb22eb96ac42091df7136b68277249210208c5c8c16ebd8cff9fa84d7b3469e3d4e097e88f70a4048bfa84ac435f4afbcbcb7f47abab675f6d4679d97b7c13976241be441609d5c2c6c968abc526f10ab3583baf49fcb8f1daf4731cc064d443baf98894decb3950919f49b53023de02a2880a80b8eb63321dad951b5627d90fdcadbe92f8b3c04e8953f5747bb75914a10dbf3aa4cd7ef8209caeb7ff65ee60ddb8faf939132f2ed6571f5a50c3643629e7bd7a8a01ca425d579b0b795ad30d2708c3c7520d15bea7ba8359e211590c9cc8a525477b920b3130092cd6207efe02a775866da2bbdd9fe3e233fbc6603edb553041bc3f56045b1e6078f62d7252c257b068c479e81c4b07ea40002ed94c1aa33025801dc4139465b7eba14f69b46be3f44db8edd4c540aed8f121448f1b32c28fa720b1ae070e8e68113f9464c19eb92711d1a84eaa9fc690d53bd6091a9249881e972f6bb52911742fc276a49bd7958e534539b79a026633833944bce1c0ae4aeb2e10e611dc91a5f2907e07422b362354bb6d37636c77c754723f7fbcc833842d6b16f56493c2ea18db09c44d90774fc4078dedd963b8418e4ac89757e1fff197a0a4744a8117183f5208c05c9a8920cbe7190a6e2582e498c33995d4d120c69fd99df94823e9680409a408462fe135fba4c37e1dd756096609d58f9a4d3498e510b7ddda0215f93035adef433fb395b63fa77b693fb7e1fbb52ec621ee847345a4bf5807284cd2088ef29a089fed91aecb89f52abfc84d185d7b934201b0b8ab705790019cc5edfa88d25d2348c194d1d6546def9595955f0ea63514d3658931b8982f0670ae1537b2cf3ea44ca14e0bb1feaad392913e89634862e009be748310b8939e537ac79af57e5cdd50f795462c56851e1f08d114c84fdd0d0ead0d4588bb0b53cc717984541ca68e5761db0574fedd9c61b4ff2c62a5ad3552bf675f4b30e9d64d85f18b2e13c24f70c9f6bdef390a1996f2a0a201457b1a7fdf31d4603370f627cbf122e78a01a3e81d7d903811819b90caed2677dc6a0c8ba87cf5cc53869d281114d5b1902806628a4d44c7dd7374cfed84c73a1e6a59079a973b27a5c678c336d2bf19843d5c95fd7ab196e62c503a2898fe45ba8ba0954dbdc16db45f5e3e78e44eae57047d289ff50df723150fcc8a82af2b33787e0ddde3f19e4e1de85c6045349e651647acf21a0a95355bf97a287af93a9daa2559bad9af7843e9e24073a42431110c4554897dbaa217184d763c6ddbf34d94bf0abaa1823eae7606296a63f5433a0eae39e7722f2b9537b4d189fb4388dcff8768c139711837a6550c520cf8d9e4836a413a8f77e7b2549953aa0d10edb02bf31c3cf14de156808dc3244d3d28f68fe82cab9c94865777c40be47ad812725e9316a853f0536779d7feb2fef058f0b6ff030b30cc164a985cc5980ca624f36febbe04b4b6d043ed67a59c7cf8e14e66993e345671f69b4976d9083dcdd8b0812320c5db6067b59595991629f85ab3eaf1d36b6cef8fa4dabc6b6cdc3ac67fed8dd0c6385e8495f70f8a66a386835f4d936fbfdc002fadbb94868da04200acc34bdb3da38004ba7fe13ab9e45b76962e4263ead4a0b9b3a03c1f3f7f5883d0da54cf1b0183ea58e3cc812a2d078b74718e241fa73818496ca45781159b9a8703e776aa529b79dd507f28bb5dbd6d0bef2a9c337e5e53717fba428830a57b757e8850d6e8a7d7e4862c42ae5ef1c04e70dfea927d5395ca89ad2f0d7362e04eca4f77fae0ae6a9d44ff28d3413e2b18ad00175071d1a412fa34ab3737bab319dca4d1a7c474ea7b7be185262da7d632c11bf4b83ec40427e5dcce7d5ff9917995ad2e5396fca0773cce26107e141cac710201403f367e8df0bf8545a5de35703809bff2e63fa713a88872c8dad1c014cd3c91e344f14442cd7bd27fac522bc26218bc6fbf8a8bcd6534cf4eebdea5f62d5fcdde7c3948d6d354e838a2a45e32727a87208cda1e91f4b4b577d7ab64c1ee618eaba42bcb0e0558d7268fac6c3020cd86bded7245e19c4659ea3a9fe1683316b56efffbf11bf7c76deb3a0c53a99ba8b2c1769245f44bc410cff476e965574e99ff303217fb0b6e40fe2e334ef8540c3a633b9a3d904d95822effe0e5f1190d974ae2c2cdd52782f1fa99a01aaa0047de8978883fcf8e7c18db0e3521f180ff15db02e84b1d343d03ec764a43dc827ec0ceb5cbdc2c0d905f8b7383a76dd119ccfe9effad2114fd9fe5dfa6dbc262b62e88cdc90e0e57388fba043b3b50fa2e325c26d14ccdfa69dd1c588c4bf6564ad30293eccbee07795dd63e074104873405544f19bbd8bf97bbac9f1549c31348d00175a365ad02815c23a2a1221b906881473d16d32d73e2ef121929e219ffedead5a22a89171bba4991ef26e5204d7cd56967bd72348d3be7e57960edae07b0fdc46b5d8b6a7c5ee86678e8280b218133a3f3df8cb4e12a1a5929446911b752ea2c207ee692646f795501aba928b00aa8d3a494e0f34ddae852e81fe2828e3dfd0a8144c4b2048d093bdaa61cd5370d50f1eb8e3db4185388c52d861c0c8fce65c97ee3bf5a9bb36472f3f684d3bc9b4e0821b7123dae63bcce647b3f61349a0c651d4638af807bfce17e4258d164f7c34de767c8f88caa77b257ceb52348b34d4b24028ee02bf79b0c4e8384290a76f6a78dfbcaadb52d1d5a2d514c236e29e77058df2bc4aaf4784bdc2fbc81d37e59e515e6d2fad614bf32ec8aac60782f601a18998206debe93da7c7930643fdb55f81d29db7e59b8f045e1893a91a20a3cb8b570f3a646bbb73acbd4408959714a02e4dade7f92de237cd125109871dfae4920cfcf4e65e326f386419c691a6a67caffd3abf420775a81fd980be2d6bdf00f6273fbb5f48e9fa8aee238208c290d7c2d480006806a5460dfda6e0088971780a8cace1c344120d0a9f9cea525524d5dfece07e5876dd4a66bd8688234ba642a0e01b0f4798f28458b43cde6a9b94e2d8667d09d35b8289c775b685ee387736b336b494f41064b85ead23cb416b8d1db29c4957fec99c6399204812685d349ba06766bedf5afb8172fdad374ff4c15ce2319e02143bd90ebd1ef478fa67b2c161b50a2a60ef88617d6e1e0df5462ba9ffe19534e971181f8484411465d448824bed0095fac5976c7158f0dbb1af7ac75c018e0ad836f6b9850f1e1a002b574e0637b6de7b499db8338ab647eae45b421ae7aecf298bdc94440cdd816bb4ae806273b897bd6c2efbe4a8a9c0d2b7b41110cf156a44b0140ff1aa40bd963ce1c4c2227d6ccfb53504c71e2be8922ddf4d021b170bca748c12fd09c81819135bb4bd46a3c3eff9cffc1567e929bc682ecb0413be60fe0f7f9acf9b749f54db50abe0b1e052cec7fb3e5782118e14bca0bba4bb9763651a662cd08e653295fb84de8ff8b76e213d57de0145f99dd1133461e1a8644035502a9c6764eef10f0a151fe782454534884e3e060dde7ee6bcb0bdc3107f8e422ba6333f8a6ee10586f1750560100bde709e9234aba05c1a5f47c2ab21393034377586baf7b78beb9b92dd677f406b8bdde108e17ddeccaf45477e3f9d2bb38cd7522e7d31d4f1e5fe9a7ce3b7f1b39fe97b930915fb30ff76aa519846914d974d63d9a738eec37d4c73a35f748d604eb2f1c641525b86e400000009cf84e3d5b8ca3f6c47dfb2854f0e4acc8a0136506f954e8d80ce5f5e04870779863ba53101beeacd5297c9848006bf85150659d75246290161f52cc21d603ac	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property\00188006B0C40051 = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000d79ef4adb8e2df4e96c16fb9ef12577e000000000200000000001066000000010000200000006501ad034d0178d02ec621830381116c08aae2be81caa12c07059da57b4bb14d000000000e80000000020000200000001637cafb4a8c6a02bd7db652f305d475dcb7aabe5af7cabb77f83c25e945164f8000000047d6aa066e6f5d99c3ef39c97dc2583497cf68a188a50ea662eb225ee5f5f149473c870410ecd4b08af6b613a9256671c7c8e6f8a0b9a7382a198e0d263ed9413beaa94f045a0c841fcdeb9c3cba03deb0c073bb292a323bfc5da3c08b5555f65a310effee0be7e9ddab7ff06fe9b0fdf18e240ac3f5a5d69c3ad04e0dece972400000000d077276ea6077c8e40f855b42e69b2c9b640961fcaa4aa98e07bd5a12163edfcba36ff24dc04cc94dfd4cb6d508cc53943b3e22174f841241b0bb3614a371f7	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property\00188006B0C40051 = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000d79ef4adb8e2df4e96c16fb9ef12577e000000000200000000001066000000010000200000003029145237bc1c3fec7046e034e3e2ef20ef9cc1e58475ae6b0447f0880f6299000000000e800000000200002000000058124f10039aa43a76d6bfa26adfa7ffc5f29e8cc7d6d4fc038229178ce497c380000000feb216c2efb6399327491153e528b796a9eab84b075c4ea00a4b5f23d1dba2030b6d0a80434863f4648d99b01f0997ca38bddf3d65049cc2a1444fdd349bc4941eb6a65d7694ae3e59b3ae2d7812fdbfb4ed42a96a3d5c341a370a7a7dcf30f18b6e3754869efd2dc8d34c3ae47e29877634c429830b7306c65a62f4fd500fba40000000266e1a756dd67c1846739ca57f62991a1cec81c6d8d2baa0ed056438013c9f19585da31f9cd79bc42d2622ba0381d372d27fbbcda2f6faca577eaa927295f5db	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\DeviceTicket = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000d79ef4adb8e2df4e96c16fb9ef12577e000000000200000000001066000000010000200000004c102d073f86d7c379ffb2980021d15bd6e2bc9f5cb89dee2059a23a393e876a000000000e8000000002000020000000c5038bde41871f1e3d54ba2fd1c7fb133b9f24c9dbe1bee64d41c3697fe03fd8100d00002a69c8b2f8d5f4c3a17171686101aaef908538e2bb3a7c216e168b78bcebe37e576654e9ccb72a4cc7c02049c8435ae998c41086bba6887e065a9d094580518c37d7296cb77f746e1a7029508dca1ab56214707600e1884dc40ceb00c4715c73e017735967831ab145452a8347017ea8058c2f0ab39c5569694fe4abc9268f57534c8213b4acb72f781ab762c73e2c339818c98bbccbdf519e66cc7dc2fc4d71501b8869bfbfcdd2286617f47b7f2215001990400063079201a949bc4c501e448890eb59fd71028cbdb6aec9163dc0175f4231a1bd9acc8b47b168bb8acc520e7eac7285c6e82bec7932740967ec6b0e2e5a23c6fa86c80a363c5e0609fb5866b85e168cfa8d0c20f33238aeafed9f36b7d4ec8dcd7b8f48d1017430fd4b5edf9d60a63ed584918a6d0559aa8ee259053560769e9e6301cecf1eb4064a0ffc9d04e1ce97d6c561775bc98ecb4434795f053b6f80fba153360444a93c93d3491cfbd69b10b3df5774af76c6f2b2f4c0057c2d206471eebbab6e617b867ff403616f26a582b2a1d07338c56650c2c5d631bfe2d395f92d617fa7f032d9f6d105d0347d83d82b9b480cc51ff7a90f28ee7b9104f61855d27fa46079c7e95f26429c5dc336a1b642b5e5c4164026ebad36b00170288c87e6b6904bb82fd7148c844fdb99078a9ae7a58305bf106067ed8d6f167c97bbd1ae08ac0901bb078e46dfa1328330ed0502f32f4fc015454a35274b66a0526546c1220e87af6a6627be628f910168252aaf6f7abc5c81a7d3f627bd4ac44e5babfbd7a793d40036102ab786ec5b1a09cd798b4004395eb39513c3b17ec1e63327633441797ca8227ad104c0863fa0cecc59f4448fe9d51424b68511e401a04fc8f559caddd1a1f7a91a439771d4590c4597440cc74d5dbff7dde014a9d9d8eb7e419eda86b7630c5e3d5ab3151c324eabaa5ed22343c281f8ac3880ddcc3a11e1b0fd7d39347a47a9b7833c79ab0a31f7ace3daef690bb9ada5592d0ae89047806a667857b2a852825949bb0719897081059b28de034629ba1ec037a687113430fd62a1006d3abf34581ce1a67c5affdbe324397d1333d7d4442e59999c3d1cc6ac390731b832a114cd2f710a630939a7e2aade392ca37b01b64129051c86178780afa2eacd29e1dd2d10c8d2836ba6d0ec3aeb60ec04b28a325eb775189041e4588e6527fd21c7277541659e305277655703299df210fac3b0c4b33f961ed5468a051adb427dc5141d1990553f7d6b9e39fcf244e57ecc6d2c53c1bb0219612a1b92ac412897a564c6ef9c6e2c327dc08036a38261600aa4111389efecf16766086190fb9795b0e62ec26965a370758f7d5d27a37dba634ab8e86701df363f9fc92f00982127a3537c44f277b92ad3040463e23179c4ae131ea527afbf2e1d7b5d194842fef33ea83f7d2556e71e66621b1f7d6c272f34234b7c843e3374ad9bcd3486e371a80ee3438f7c3420b68fc8f94e16484a3a69e3e63a32abe2d83a3a0bc24bf5b3d1d085dc66e6de2126340ac7a274c9379d63d5ae6b8aede827a6e6cf0e396106f8b6d3fcd1dfcb62bb4426d451f0d868f5bf640c09542fa4c668460f9fb04c6e9ce40bf66f544492090af2092a7ac6be3caf08a55c3028290155d5606b7e6edf2774bad71db4f9789625844b0ce4d8c6b322c04562aea17ebb8adad0f8cc848e4f407582869660048bdff01aa38af8ea64491b5b005c889396bbb19465a415f9352fa6b67d7f73f96733e99ade9b922db10215c82011cf0b98527dbbd051d09c54ef3f5ba7878f4020ec20a1c9006918d75284c7125fcd9a5d3686794392bf3d411620238dbe59e3998535696ba4615ef621e17b8a03cdf7fff22a88f04db2474cac2d8029031ce18fd5d2f80305e9c8950f6fae8f018082ae54fa89f804316c5180a178d8e84028b540b070d536e1040aa6d6523ea5df7d6a0bb6537364cdf5f8e8cb290517f08f92a8afdfac90219d1aad08c8164a42cc3b2dd2d73c8845831e677e20f9716560c20b8c62a1e52b457aaa42b7688c45ea34e5d1dbb25b09b97c822fd9750856b341c61828308b8d5fc31ed3f9503ea250e6973297520c654dfd6bc86e172d8312a0880bdb501dc0458e79684f7173dacbe865213ac1f350738e1207f2bca035f36cbc8ca6d779097047db61e24ffa0a51db2c800478d40027897b03b78962176745bd180c561237bda9b7c57553c53d850a8969c9eb5f6fffc0f6edb818a7fc0c1deb2d8e309c929b1970ca64c820f585658b993496e510570a573f85a5b64c090f85dcbb9b3b993e5805312e475d9d20309e4d954a3c502e1b7a089238db1c0b1fb344415113e8618c7fe1901e3b18a80b6964aa96984eb4391825b2c998a85d608360e804a3de47f2fe9ca3b6454cbbaa180f6b24e69c2a95d047da1820e7f0f84c4472d5e025437075df3d1e87d34db78601a9dca8ec0d19a32fd80efd7efe1fe6437d4cb7065621fdf767c0ba31069a31059f442ba337593c31bc3573621174e4bc4432294ebe3256e82358e06688c0d31dc0c4e116c36809c6c060d7051496b68b24624d8c10713e7fa1181c1248bbe3ea71d2cf4d249e739d4c9c59db7ae643f31840d802ea89011d8fac6676b29d8cfe45b084ceff45523242cf31b26694366078728842028c51a8def4e2d0ee24a3f132fe63d29b455f701c82b834a4390a8201282c64e15025ce5d3ec3cc57bb4a7a4e7fdfd71790ee82ffe2528e83518c4b3d013df4ce542a4d4579ba10667fbe2200ae72f915b951bfd83662e9322417ed5f78e3989315a61d005d4a59a7f2ab802d34145c3d86285f946f5b3e2f6195b5e17cba26620ba9776bc2dfd3e08824ef5462bb086313561c9e6ebd25831d6c66288d4c4964785561f6d1774a07002eebcdf434d4a7db4ba0e9d69cfe69b8b119c0249cdef4056f4d6def59553691cba698b0613a594170c132684ef9833140f40d6b732b46a6bdb2ca10923a4edf4e73c03a32492ea581600a451a09046f3f40f9405a43b56eb41a450c5b75c02489a39ea4d917a271e943abc84ee94559f6c69de8fd342c10a925ead7876d3dbea07ff2962afb52eb4ffd43b7e812d6564bf541d2e181309668cdad112169cf0f4f71e3e7a74fbac343f268dc40246a3ecc765c5a66ca86896c2abb46473fac56b1753cf67d6cf717d019de9691deb20bcf57f09e537b17ad1b4fa68ed3f0f32c091934c8f0343b00e626c38f918760792c8a4424e565350baf218ad4ad481fd2370494651544889dcb541caf8da305492c7e2a57c55c5396827d99f71781419245379ef7b4c6e26e9038e229c42de4193bcc7662a2bd38c39a210f34191f561c2a959bac9cf7a64c16df23cdafe4ce9edda632d74fd180d822d5519e10c120a0249e247affab7b482af87eccbd3991649d97743832d14b97dae4e022c576314d168c495e6b4c1827214dd21989305fc4bd55491f17bc89d05ed5a0cbaedae3f944d5a7399fcc0e1c7da052c73c9c0a3cdad62451e41895b1a4d8e4ceae33f5ab08fa5cc008405eaff2822da4ae1daeb1fb1d8a553c134c50af82ef9ab9433210f7868c2a5b0fd6362592c2f0bc129dd8ed3e94e7ec3d0d9436b69098c4b27a4b642608ee6fc11ba34f8d1042d4ea75011ed34b29728d551ddc4e922e417ed98a9a1d79e889fc46a568e1b15d4729034e539967a51567d58590edfcbcb54280c229f0dd66d7dacf65311434e3d4375b2f0664b7f565ef112915dec8513eaa7491a2aeafa3cda737b90686edf827a58d5f4f39ddf98d2f3177b4a9dec79a6be1036b3b586e108bd4ead94be9e4787504236931a0ec25edce75fca8e5d6b68b1d8a7ed2830a3ae2b04a88c02ac31adbdb3b1344c3c2c5e699d00ce638dfb8b66694614f68b86b5fc74b6f0bb6b39fa442f8dfe89f6757f5a41508b0d15ecb389af1dce2b9e4ae416a5e894cb2b32219ca26965fc9e8dfa86e8be0f09a3333597c661dd2da33094847ad43fd7ab3e79cab68ea49d7613f08917b53c5e468ae295541f014db2c78762e7a0fbbc6504ae57bb124fd05b0125b4db7c3b7d59a8046065915166697432a2c53cd23292b9c41ab4c5cb2d16f6ba2b7231dd202a82cd240fb3c6f0dda3e5a2f9774ea451f248dde42bedfe48ba021bba8d50bf3bfd28e81dceb6e51cc1fc31c7496bffe18bdf5b9e1946262a4e1510482a43131e46db3fd426022ba4592af162aa97057efb008597c7a4200e14755f5e12891c1f97d2e7f3ef71897c159b0d36c62dfa0bddeded59724492614717318a70a0cc44d7fbaa6a2834ff0cb13f56147542d4183451bdd52cfbc25fb86a67c74c53e64c94151e74eaf1b74f0117b15d5e1bd8ab9cbb9a3041a7e725367a8785f561e325373fb371d01ff03279e34999c5c78b23f93a919c8071aaffddf055840aad8958a2705dc9867e1e4fd37c3e3108dc0134b7f65f9757c04377b1ace8b525fcd8f87be1ba303fc02d2e43d8c2a63263e93d8e0c0257049782d63d6d56411453e554c70d3afae4dee55c8ee421189996cf10f734d9e15c56f545c158285d8bdd189439638a6778b26a8a391b359c41852a8c0fdd68d4fcc1ba3c8dcbc25388f76057063836ca986d21c7438c60ce6edb42693bcbf0251ca56a09839af27e46e6944601bbbe0c54f5a1afa31ad44cb6dec4fd8852e5f422c6a51785c486f6322ea40a35b40000000e0f44f61132c2592e17221c793e8eac47287b6f6fce1a63f3dcb1f9ecbf9501a8118c47d6603d6c0403e1a2fa2e8e313ac571bf0a637ad0d4aab8295bc7f9e5e	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property\00188006B0C40051 = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000d79ef4adb8e2df4e96c16fb9ef12577e000000000200000000001066000000010000200000005b3f33324172a56f8eab448c23a37f694dfd1abdd648cd2e2ed59cfd9e1d3167000000000e8000000002000020000000361af673d91fbeadd63360d5052063f321b02e316b907b105718ba3cbb81e5b080000000d49f97664aec165f9330c01c6066371b9f62013081996d22f8eb88118d188989e03317948e747726b8ad341b7a91400923024b3a2d1eb7e6aab6cb6e04fab73071f8be0d013a7894e5fec0466711e5a1f2d83ff12031cb8e39631edccb4d509a1110c609c20c0ce396e9327452d5f952514b050bf95142396e232fb0f276015a4000000060b3f680319152c5081c66374c28c4a8097f8ad78941a86eb5bbb01c97f19cb61866d535096b1a00171daca9389ea29ec2901776b21d3e5627c06eb8813a9606	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property\00188006B0C40051 = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000d79ef4adb8e2df4e96c16fb9ef12577e00000000020000000000106600000001000020000000dbd0492e4fec7cd5c30c3fa4527c93a96823540b78081a54857397fc38f47e01000000000e8000000002000020000000963fb3ce2d5eb204dfec71041051e141444091d351c9a91b6e2e392e383cbb8780000000cfb8319d5de948ddf72872ae6a906be3dcfe64f2341ca865ad4ed3bc29a5d2bd9c574db17de58a0ff58b38a7d64c6e7d145bccda1a55eaef87278b1e28bcdc6af26a8510d070d8a549f638e83aac2350756f68670a12a2fd826263cbf564ef8adcff2ad37ae02819e50530ba34cd45895873457a8cbc9b469eb85aca41be5bc0400000009400b86b4773d336aa2cfe43a3afe5ec721ec858e03a4191927cd493ffd0d8770bdbb9004c6e38a8726e2915f43199a28f11d984bd6a7921cf1bed9146cc30c5	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\ApplicationFlags = "1"	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property\00188006B0C40051 = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000d79ef4adb8e2df4e96c16fb9ef12577e000000000200000000001066000000010000200000002e78f7f402bf66bb4834f4b3cd3c261e8e36ba82e7b038f164f20f0706c8c19e000000000e8000000002000020000000ff99d791b159f98dccd282d6d9fae4679cbd0b9e25d9fc01eb21bef979e5ff2980000000bfda63e2c1bdd5c5278a8c7f14b37eeb12987987073fdfa159b1a1616c1b2970c69158c73e8e35099470327678396e70dc811574c3042a75ef2958ed604ecf0ac51e325ddcb7115045eb61a71e98694f58aa06ef672b3da105fc7a0888d331eb095d10b5e26c814a2836a8ab3f08a8736b996dc8fde1dd2e5f4a497cbf5e070f40000000d9c2efa4ef08d11cdcdbd8cb0775131ff5feb0e572579ef1245040f7db999046525fe2bb860200b743b6d1494d9033204d613f0bfe44918fe5d5c917705f5103	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property\00188006B0C40051 = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000d79ef4adb8e2df4e96c16fb9ef12577e000000000200000000001066000000010000200000007b1cf31f16967bf86550b3f09b542ddbb1945f9c9f542b51a1d8b72a3839f2c6000000000e8000000002000020000000f9848cabc6b96a63ab59e9e7d396ad7ae5f473f2a86323b49b42538f8819cfb2800000008aaf5733fecf78c57105dad3dad0d857f6c8660102be8e9945c2dfb2c27a78604834bf24fc4919560e1fba74b0b20a214caf380a7ff8f08b47afe3f9bf5bc788da03424db51a3ba41fa159fcc4625e4dd6573f890058a7d08ffdf7ddef07c2f547fbbcca4797a771839423b99e30c4c442469706986dd97712b385843f5baaea40000000631b8d3ce94ab394c9dfdf8d48dd4c6d66f37cfabc5c5b234d056be539a7f7b70c4dc573bb8a7e70c59662cf76b6056757b287e79083154f39832d5186308c87	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\DeviceTicket = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000d79ef4adb8e2df4e96c16fb9ef12577e000000000200000000001066000000010000200000001f55639c6ffc527806ce12de86f47802bd22c3d18ba333bb964dbdb98f75dbda000000000e8000000002000020000000ede996cec3ab1652bb0c12b4ee78b58e35fbba23155896883eb562f4a853f187100d00005fdfda2814ae592f26685bc4ef53de828c68f3c38cad06b650b2b1392681e2580d8b6d00dae43ea5c19e472ce3fa2de0dbcf6d6b13af410fafaa301f3647ee3896e5fcc92e446209b801b99b1aa942dbb80650da34abd66a58c514e289fdb010c25f19feb4a2985cb7990fa5bfe974e2854bcf1ac8b25611d4382efedf2f5515dab1924ba69f65bd8f8a927ed7485355721d314586323857ff5d5c1d4b8b9a332c8696919ba0ae4a55a68f4828cecec8257e001cb0ab0b2596f220e1a8ce5d3e558e86903af088bfb34c75495f95ac0f45d25fbd85b273b532e9029b3c6ebb38b74f347eaf7ede3e59032ebeb3069791e9b2702bc5df97cbc3c09ecab8b4de24cbbc28a5bcea6d0fedfa61b6c6021db03ca10186535cf5e124fe451b09b45e672935c34d0957dea39fcdddc03ea215dbc7d2d654c568ed1fe5ff2950dfa90b107fc3cb50e4118728c99c981c94914f5026c491e642780239ad9c856f9c15ef00887efd853b2911735be8be9087de45db59f4aff582db06141683ba3811161faf19b0011c76836402c23d864967f973a569c5bd0bf9fb994853f42603d2511b1a83ef94d62fd008076c7bd9b93a372d3d86b7d28c546c033b33146cfe376e623dbd3520d0909be3759dbb9b4e2d8a43b5ebcecb0cf64e15d791ebc8a591ed262a69dc6f8584449eab687dc9848578e98096dba6f3440c0ef5cc377aa37deb44e07a604d89f4c2ef067136fabb0af129366cbf5255b545c77d3422703228a0f10830a4fb5e95b8abea16c6061526a24ece8ed4aba68a3733a5b6ecc22949e895945c3d6ae7b85eb7438d1586132fb12594f63ebbfa1f94e158fbed66b823908a3c927d1972e3dbed96a829bf3817caabd74323c586af55e529627f3ae3dcc6218aef4f388cc84a5192cce3a6dffdf347efba15fc5573514254a9b75d8528bda4cb7de37c03314c93ee534b91cb5221ce33a1bb8ec2974749e0e1e5f6f010aa210abd8543dc2e53f30cf863395cbf7157fdca6dfca69c7f3a5aa67abd83a4e2fadbdffebf2ad691592a5d41bd13da417b03055db1c94668d3a6940b9b57e476c18c70b290ecaf19372113a15ea75c6d3337bc113f95e4f9fd872174d92f1c6f713ecc66c5ae8c7b9f35367cce2356ae1f4b92aa3369a2d11aade090f2702260053978ce6c5d04a87067007c442726e017615e012ad30c271ae5238a2379f1a067daa64e32493e78a429c572e7622351b64e424c443f123cca4c83e3c2d061c741732f92740a1582d45192ca8f27599b65ab52e6834636aa5376e9e80490125ad9bdf68dfb193e1bc9b6697d1c67ec2dd092eb0a6f729e8c3736d51b97d5942de4728164c44e5fe210288e5c27e5a10f9bc7d5499a6610253923055f7cb7f506b87d913fea2bc3d1873292e8e3349d3edc1c713b0ef9526363c8456e8b489d71fa2d18567746039802f7e51a6c62b44628f00bededb98eb99e6da60d9f28d8f26b1c7e1e82e5631d06396f16957aa159c183d51750e3d658925d93175eca2a36b1c8933ff29d9270f23c4f4d562c9c56dd3137556788f97c0fb9f0ed5855d87971089824b3c7770ef71ce6ff86f408eefd1d8264492a36660a4190a3ab6de8daca05c8e7453516ca076f88d094a751a03faeb555314efaf8dbc9596592c8772a68fb66d0b87bb3158ced9554229491097be0e36d7ca7a07e37443fc98a498c29028ab02f81c9d1f9b59c8bdfd7ab7880c2684a8aae2130f8805ed5ddc435761e1425e2a4b9e8398084461208e7448fee567542be04b0b7bb9ac740c15530529492a384727f94dffe9ba9b810afeba94e0455e4f0ecb6bea19cfd51129d81762f7c7090301d2dd93a7906a188ff457ea23d7cbcb993060f09d6a78a7d44596025a951b9f170f8b345fdf662ac9d341a2d08ca8868214e5246eafd707f5af2a7ee5c09db5039ad4b28ebd19235b5ca6d5c2f290bae35496d820bfc87236c9940f74412cad794b72a4948c60dfcb7dd166111f0d2b928bf592dc4198179b991a910830b81e401784212c60f251143f95a8da7a193577cdba2ff561b952e71c3144540e50b0a9c7bc5e59a61018711abd3f00aec7918a47fbaa7916e2ba92a60c90881c7fd8382c02076f5fece5a6ad3eee3ca884ef1946fdd167c8b30257d48014eaa380a340d535b69f160d8ead202ea5fd1095bd256954b8c7ac2fb5f218e9b1291f0745017148bd25263becf7479a6b9a7eb539c00728c3190dcc1e6a82ff228c836757f921bd36efd889791cbb2ead76968e8bf2419225b983c9ccf9e1d61fc7d4638419c6237b267f3e8cac3bbd79df5056b390fbac03c5a64ae849514dac69abd666c6ce9a5542cb691c1a402ae2ac6272ff17be89c196d5fb6a40f0f7453571a851fa26a8e3dda4e2f968c4ca3f7850700f43ed4048222049c14a8c011f9ec6114726831ed19f1e5131bfb4a9a49111a8d46b9debcaea96bc274614bfd5ea072cdf8c66285477578bcb888f569aa5fabb3f9e12c5c902d57e5bf28c2832d35690e913ebccf6ff1bb40fece3d029300b15311e3dbb4005a011184bf83a472a78c0acae271ccad52da75d12c0510bdf5870a123b9cc0a5054f47edd01cd0c9e3e24373640aa06982d092e3a2160e8e25a8bc434958f2ea14e4ca744eff7eb79ddf572d19c03f63b6eef9c5efe1f6f748fe9261661664fabce940aba24e70d8f850299e0bf7ce1ea65f559d69c07d19c4b0ed83b02d2d6dbdeb400c5f710386b320f09e877bbc53c40df893fa3d5697434b204e27c5c89052f0d2b6afd838c4748ae50c2854ff2f58bf6f18674357c40dc4bf49358ab7c1d1369262dc12edd3817f9f2fce90c4b3e16964914808e98ef35af47a2773bf458fd9f927498a5bc2f5a9b470f84f8858b8c5a5bddf4de0f99556f61b3167250ca1292207a3bcf6b4944293295236af961b27b4cbef48ffa490e93b271ff3aa5b530b5b62bb0cd99ccc5039968ae54c0bd60e5bdc31edaa156ec062cd497a29729e81821165ab08d804cac289f68f2268e7cc099a8a7ffb2e428e88112c98018f6a187ada55fa680b192273a3f2ea7baded48dc5804f036305190893f81756e97057391be6b2d9f140218667e99a761d30b9c4f62fe5904238fc95e2d47eb7b1e948af8ce9032403d21b899e5146986a768b9871a74c010332016563ca4c10a32652412dce34d1b1f0d8ee98f3cba6a8310146888407834c83f3cf0f4a1e0d130c8aff847aeb102e2846768a7fbf5f054eeb5353c84defe1c9f7fb359b3b726a5bc8f9b75d0f4688513084739b55f81e158902aa58fa05122f7005e172870670d994382165f491f812d18f352715e4ed82c6449931b6af3017fc138610971db5306d90ad8334c09c2ca543a9e90f9d8967d658fae8001ace3d0afdab6bccb17e553579084764132e363fcbe6064b5e0164191c2a7118b635625f42b0b5053e7f6254d981c40c9221c09a12e28f72d8909c21c1673352abd7b5ed396da84387499c742d501257680dd64a2edc5d08e87ef1227af3adc470b59fc614b5fe52973aa265183b39430614b851f24a9a582e64b23910dad2aceef3b4b6cdc72c250d6c9e177f9e630433ef1eff2a68230c21ef966ed52cf63b1a67a7846b8a2fc6e2567aac464b5f5339f4b9da8d872bc69f210401c578753b0bac9b25e7b7e4085df2b5b841daa2688577608dc28f37858c49bf26c07f46e4c99fee459d98366f8057ea373dfff57755bd05006035d6049838a926ff7b4aa6ce0e475f109389a1f1857e9c2077620394bfd8ed660d768f1ed8ee1bdbef8edacdf4d66aead41397b6f48dfd01460b47dbcf926f2c5185993918d7f80357502c89ee342139e3ba2a14127569c90f6b4d820c4b52ca5ccc62960ea7f02c29b5b7d04022c5c1e31220c4224e0644739767e31087b1c3eddd7343c94fa3ec81217b93050a0340052515ba020b2bb8b2eec9ee8b00b832e248dd509e4131362f99588dad222c2c3cdf049ea6f41eb4f7e8bbe3b839ad70d370164adba526e1f8b64bb6682f3733f7ce54365dcac3b079abcd5a5fe3baa500457dc44dd4776c2c380263e939f7ebb027d075512d02be2e6ea9dec1e87b61467e01e60607f14c9a6b6f830da71ead0b3533e24f7e3dce9fec4cc85c20388008dbfc1c0b000914668d9374d0bad7129e03439e389b2a312e61ed93ce3c03eb2bee41e8b226eabc52305a2663d46e25cf5363e3b52b87f92da08d6062af77194eb6a100c509881ff0bbe3638cc0886f2147002ceb0ef7e7b41ddb839fe5113f1b935ec16732d4c93f9ed618e6cc785d989a20d6b96333b7f117f5333f62c9f07e5f3e648e64490fad750d7ec1422c9ecff7773bb6d6a2cebef73fceeb50fed852f80f5196125cbfde853c95154e9dccfc60efa73439ffe630762e87b3733abecfc67e6b4c45418420397ae932df2d378b663055924b163d863bdb68e5936ab3651426ca2a62e62a74847022084db3f57ff9a2e88246214fc57f49c0905398fd2cabb7fe68f458e9b30ad92c3b1621522b8f2a7be040dabbde1e09e1e4e127e6d0e7c3c2f8bc432fbbdd05ced8dd9ae495c3ba5176896a31804691ad030022b223141ed2732cf82f5904b12625ebb2284d89d0e3ab06a225c1939b90252cb4c76521edf873adf839aa4377bd76d6f604e603047625904bde1780b2c1746992003b5e171eb7209f3330808bda862328d40000000819e45b1c8d96b11d7b308e45919bfcb0dd4a8bd091a72857b9624fd1b13ced3baa84dabc4aef25b68bea67b6c3beee77a001333fca77ea7780e3335729ededa	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\DeviceTicket = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000d79ef4adb8e2df4e96c16fb9ef12577e00000000020000000000106600000001000020000000c9eb90660b4853ebbcfa6c0ece88ee4330875ce982f3b59b83de59d441445c4b000000000e8000000002000020000000db4b358589ded129598f5afe7cd52946d954b446fe29b97c9b7c20db0a112899100d0000de4368b86e99a4d67c2d91ae7dcd164d394c4e008abfbedfb216ba66c5fd326e50bf9672b1f8f19aa7e5d056afdf8e1735ec9c8354b307ee6600e577e4bab639ac5f9e75caea15febf553075a670327d9a8d923076559ec3a7fb928aaa27c2df490f63c1557a14f72cda038a7744ece3c9463f3dc3fe5df452f9807f18de03ab564937f6da0911af2b90a7b6ac1307b85f5e6f8ad526b644f8cab689415f5181de62b448613c194db448a4d12ca8bc535bcd5cdf866609c7b60f59e49f3fcf67f00e6d1be3f21948621fe99ee861daf52b21547e25ce778142b81a4b5fc530cd97678b65c74abe342772ac47703079bce36825cda70691bc0318d962dd466a1307c50eea99d91f3b24d9500f4585fff566c1ae00d00e1efdfc257d7bb94a5ae325a3ef77697191f953c905f16e43633914a4bb6cb80708fe6f2f00cb7864f94f752656449fb7e04dcfe642302d3465490fe6c3fb08bd22f7971c2509713c1c1344144a1cfd2d042baf53c27c87a4a6054f3f2db35d5996cc6ca00444a1124760843aeeb922d40733c970701c0b3482bdb598bf752f77926522883e061055da1646323bcbd418d66b48a08f2e6661aaaa282e9a33e4a975171b89426620e68a4cced13688ee1e78330fcb9b6187a91e1778a6cbaca8f2ee9452390fe5b571ab99749eb26045f6bc02bab1034894843e072a2714734a90177dac06f8a77ff27be488fe501e40425501e135b3063042cbf62994ce6101e94019b43620aad7329812d1671c37aca16e1ce9e36c98481a5241fca11d1931608c188ab50ae8d76e3297b80467a5cab9f9dd6da46c87aa4fd7e964488a4e717b623f9caff61c370ea9917f9afdcd2bce3e812fc040a1107c5b629cc7e712141f9fd26431ca704ceae8d602171fd9fdc24478cc459c101b97d5ad011058e5ba4efc09d58c639e52c9b0b48e47fec395304a0ef99b4d888c6a5d7346c817f614d700d8b2dc02dfc1a8aeb4c53201139b36ca9de45747edb48dc63d8764365cffcb2a7b67e8f5e1755d860a7e2ca121d640a003f6abe00d3982188de4b1c7ca32fc7b6fee4a1b0fac0b309ebc61dff59755518ab31ed8de98c5010b53d74dc5ff166ba2bdeffa1212f2bc04ccc7114ad53772b030dcbfb0cdb3a977104840daa6a9767585fa2e0e40932d17ee1bbd58fda929ab074687a52a6e0240d3ffac0b7cbc41a28e08c305fc361ec17e3c35258a6550a76d7d420bfc065eae4587e73ab801974d3f11b52866151096d0a2912956a1f179bba3b36eac65cb445ffce88e28f90b99ce6d9662a4239f8cb49542df1481184a9a2ff3339435c39427074ebbf5a9aeb3e45d6056d3b5da3f59587a584fd4a522c7ca03e13e68e3a25139cea2c28c70f9108331db5206b8fdcb6a2018e7e18dfe8717f5e4e9b5c6a495b8412eea3984039b8448dfa01023dbf0a15059a65115162d283bea90ff5b1861ef12e49a29351570a6a15cc4241a5e83ddb3ab8204fa31f7c892b3223ad9e06c3933d44303b3579bf92631907df688be051cfabc7eb95d6c08cf0196213155d25ec59a52a1a119afeae6579ab31b4a1fe72f745b087ddeccfe4c57cb432f70d4cb87e860355683e225f1c0080703baaba3dca919587e3481eb719fbdf9df8dc0dcb92ac255fa6434f43d93c14959efcd392a638d78320d787329db733a94894bb5c39f371e0585bb9a520201df8263e43a84af1c7075409f0414fd043becfcec487acd25fac60c5f687b24660fe2e0d0b96b53dca759fd1157b20f06479b714fbe2ea8e66b6724ef0f72efe9a4ef83e215a5afb1d66a92ed6d578a44d0f8f20f3d3b73e29f1b229d29c11fe06622cc387dde42ae9c04137a36011192393aadf2125d7e50a012f3e687ab32128d36a069beb63327e5a314e070690612cb02bdcefe9e035e28da421169e93e1565ca3030f4705f617c07a8c7a39a9fed2998e5a9a5881b3c6d1aece9b578639938a95bb2a342685629d55af7b985d971bdc98234b1f9aebd4ad14fac572d8a637a46690a31515a87e1644e7d09ced8bcd413c520323575ae728cebafcd21b28066837fe05a412f886121c7f36fba1088f0a4594a17f48fec8763c1505dd8f0581959924b25a6d055931c660c78f895232039558bfc6ba2b8831f5d801b1eb754fbd013a610e3e4d03f563fbb4bd12287d85cab1e609772e2dea6eacc34a5dfc2b0f7fe3208a0b1cfc69c0bbd95dc499467b18fe0c63419f70730ac6bad5f239b49bdf07dee0e3bc6d75723d74a4b199ae88a65776b3ae839e39363e760cc210f39e3cf9a035331ba882642015108f4877f7a2b7cd90ab598d541aec1dae2661c38cab980816c5983a58217d68d253cc61f74227651cf6f9a036440d033d386dd58e0e78a6032f92eb3679c77a35a16f0642b9c978ac048521e5906c9c0855ee2dacaadbb305a227333e19a285e9908076e209fa1e4485e746b97cd0046ca5155b6b7bcb57d00a741acbdf0bd97837bd595f7e92403c9b72697cdbe98f13f45fd7407f9f26964a55f2469251e00b4abde9107f5a19f72ee509e4df84767fc5a23f0dffe73bc0853c6a48d5c830f927c15b412ea5fe24c615134ec519c9f050eb288d4adfbe85ace5cf0c43fb4046832928f30f39536e153bd0184caf68692f5dbaf0b35c1c26c725f4e19f0f02f9bf144c1220ab29ce68c0e5a909f5ef298fccfa811df80cecc46eb700832bc1d220e6842f4101d4ecac2091ed271518dacf57c1aaa90d162c7709944180157b835ef8d7eaf988e1ebc5c9331255a0952aaeb289457b0ccf6a4f0ec25f992f83ff8e92eec24e2ce470566e00368a21f12e7c0362b3dc8347e100789ccad4dfc4c39001da201a70f78e7c7ecfb20a563af5d610bff2298d27b594ba721bda859c0f180ab0a5365f33cb742bbd98675127f5637635c8093b1e1471e437101dddfb936377920b462d149759163370904bcf2b066d23d13a7b660a4c6a1fc4bc3b439356ae78acb0d534d884332d4f71e81ab4bcb4d4ad59bc7e9bc6a47936ea78c55771b7bbb6109f338b8edf5cd15e496a2ecce703240234c5138a116c7c699204161903eed73d7eb64e15f8d0dd24fc668926188ea788e089ef138298711280918afd27ef165958fab5009a68e0827a88e7edff7744b4b3970c4ac26eb84e702209c0ee5a53e23861cfe08ca39c19b3b9b2274d0678d3c6b608a20b0c746b830d175d77b221ab1b3bbe57fbb47b67ef9f184d624e4b17358906747907778b6b1d3459e3aecabc8ea1afc248e84e88a10b41e2e085b717407543fcee1ea9f285130293e77fc879d72376ee93b73df2f4a19e23f0ad5035732fecd18c653a0b0cd6423337ef889bdb6e601dca3d51dff8892e0aed574b4df8e65dec5e660ddd0995fed5320d8bdfa499eb1f933333db97c2c83ee10b9be572192920961fc8dc299cc24e4bf3637cb33db5b30e960ebcb5a9947bdf690dc99d65966a100d75f1aa050fb76fadfba2696846cbbee6e7184f69e4ddc26e358b558a9e79ec0082022b3b35daa17d0fe17e074819fd913c93466684e5eafb2bf9445fbe55b7a5be2b6c7ff4d5e3e811353de2a5bacd78a68dfeaaaf951149f29c1cd6f040c4fd33a732cd71849d57e3c457eacbc4640a84474003eea50919261bf87a0791a3458a18feab7776f3a4565e606c34bc24fd40e666c22699e75f6e64bb2dac4d97d1c37108893b2ca07a7758c9e95c6dd9728982548984ce4d51f8bd33ce34bdd4c7916962dec27f9baba462d702321d1714cd233c258074fe14cadaeea8c2fc584ffcef7f11aa8a34e9c6ecb2bf0cf87adb87b80a213732c4ce98483c1270cc2080d97b8b99916b50b586a3e7376694e69ba33f76d82a10a97b635ce917041222e05b78c21401a276ef8e91854eb5c6d0c35cfdc59515fc3bb20dd5d82d4a2db658db3d7bce25c939ef120be85a7b2502253a9d3d2464eb7c4644a8a8a1e708b4a011044a5d1f73a04e35db0cb2479d814b9fe4ab8aa802da0813fbcdd1486ff590b368b61fd413dc9a041b17a43f8ff7d0a94831b04a890b4ee3cc371301e1eaf7b944305c9fa984e868cd2606d2cc38fa235c5056fdebe1ee1d1241b25a29aa1932f26c3e7692dd65b69825aa32fcfe8cf576a8ca836a250097df53c6819896dfe36dffac7ba12b0934ac35835a185a264d4a8c906d28813a9c9a4c40fe93fbe97607a8d92490f69c32c9cf1a26224bc4ca851737b3de02aa7cc2c67ead0f0c1b5e436feb8f90ad9f958bb3a0450e427780a315d3fd9fee71661b42cc459b4feca02480ac09ff3079005d65bb869a376900e6ea012b0f1cbf61673ab4d24fe796e9c6f1da2ea079277fa31a6aace2cd0f77a42399b21a4e6e287dd1b1c696af431920315d7dd34fd1bab3fe41808e26c9b9755c05f02de5d42936ef3eabdfe4f3be9a3d43c4180c531af29a8e9b1e7ecf93832bd48aecd1b147d4e668f71576259df8f05b8c82d221d8c7eb276eb42b6b29dbea434133f492caa020a793d458281c217a8c8c8816335ed65bc0098653ba6f6ad6a57339a5dbce2233c5cf6da7aa7ff1b218db1c362c4c7700377c469b2ddedcf61b937a085fbe7750712d0032042fbf0db47d5e3d683a552cd0752116a37ad1844031de118caaf67b0bac2cec3e6876d4238bbf9e592944b540accc5860ca4396e800db6de18a76edd2fa6ebd3495e9ccd7cda395074d0bb40000000b61df628dca98ee7a0c5acc17772b0c342829492ebb76153aac555f5e09c8135b8b6eadd40e7f79677bbda655aea7d4b03dbcb05c67fb9402290ac8031b9c3b3	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\DeviceTicket = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000d79ef4adb8e2df4e96c16fb9ef12577e000000000200000000001066000000010000200000009afb0442d103bfd016b113ab804ef471c405eb3445c83765c41db4b24d0368b3000000000e80000000020000200000001eab5ace9fefaed39f7a0f0ebb93a993b1ef46ad19e5eb817884b26597dca8e2100d00000e91a3b18941c797eb973ec5058b1141d5b82b9f1cc0c3cf5ed0623ec038877b05099c96324646d53e24f84ca476fe864ff7d0421d0f8ba08298aa166664837f466800c8d4c57d0c23fd1d307420d5c26db64dfef65985d92762eb659de5b91df918b8c3253e381e720bc4384010497ba4ac0659b895fcfa37ee16edf3dcf701c8a193362ed50be4955b6ebe9803ab035cc57cf59089b483f118ff5a9909e6af7ce3ad669c013eca4d62691c17b9eba5c3e325fe39175da7f0d6a1a3b5c979f59f8ed00b2ec9d74d2f5c252d4568f8b8d4142e27d1251cfeec5fea8f178dda823a0c8df3dfd528949e20975858fd0aa7ade50940524be2716a057e0f952ba04b8ea11436390e0c81fa2cd41e1c0df4d7f25ce8c2abdcd4687c92239c8e2daafe3e198145e2d7998439ab424ae34936a9c11cf05b20cf87a4926869e6d49911da601e9c4ac06717cabc16964f455d4f937785202f2109885b6d9d5ea9cf96fd8c49494b70aafb696dd504d304693eb60be2064f4a32faf791144a13f6ac8032be8ce825e9a23a153f30b48e4491fa91733f05137d81c8151a79f6336bf51b17448dd9b2933b77e7ca206bdf2751ecb80ee28f3dee4d2a789f2855fd85b3abd671029b60b76d2e83dfe08fb4e06000e0688afb0498a16ab9d281eae26c05ac1f2f341ffbeb306c9dad94ab045b88c4fb5558fae31e5868cba2733907e760318ec4db98c8f7e33a8c10b8a0c5731f33243902aceeba0b1a59453afadd03c82a2308416ac411bf1b31938e590153d0fcd0e247f3dc75a32b07b8edcf502f68ffb18768021d0fb69f9c0bc3d77a6afa2dc6fe92675f890ab4d56fc7bcea140e9d204cd705799b9e4eabeececba1894e84705d39a1ad4b7e5bf6c30d979bb02766a5a0024b8ba8f68d665006b3be76febd258f5b5cc930ffd9f6caac0a2127a9db97c1ebea5225227fc0338f664f4893671fc5af3aef783fa192de5665c0780ccca285cc2da52757df40246bea920f1e8c328164895de792d9e5e13300da1829d78070d2b2ea93d781ef7bc54d1805d21519dad4be4b3e3a7e47f89a05d1ec1020f218a0b59faffcc58214425e01f25d015fb4c21eccff982abca1986253cb9170acf44c9c2dccda825848fa8a5d2bff03a7912a984c11b9242a7b665677d1be63818b272b854875110510acc6640db92c47dd21fb2b816b85074dc6bdd28643a85834b2b1b145bbb72e69ff6404ef75f487b4e7a450b9c496d9f51c650093b9f47b75a17ef3ddf79e661fcfbbbcf56ec8fd87adbdba90b601dc251e8a296c17df28089c198806b5f62405ea0c689201c30ffa7492627994894dc7ae251ca5202c0c901c6fbc7714eea315b403efa4f34b9b189c695ba30df96e4f54452fcf5d56ae8a1de5c0fd816efa89a5a681172a829289762db1204ada3f221028f6691bde13f71d520b00321963f45237c72a7b76288e773a4df38bdb9ae2ab871f2f06665cb76b2333533bafb8f21fcf5abc67ef3ee6ac1bb17265dc523c35939fe6761eaa9f4d413a305f33ece08d472fddf0ed20ab81b4dcd04f1a63d8779e6cf5e1af005d680661fd0f6e1c80483c554509e6df7913fa0fc753c72c7a2f364bfea0b5deff5be48bff558a7e812a77a6782352314199aaa0994b6d47f97bce46bb1c2aef8c73cada026825aee496f4a8980ee5473ea90fcd3bd99323ec6d640ff3eecc3afa2ac2cdf47321c8f4d74b62f658470e218e6921b841f496548c30a5feb735c95a12d1b561acabe9e806f1156fcb122c8e5b2f7bdc70d64e0d8ad80e6d69b8e0134ff38c5833948c6c287523882ca44dcfeb9de4fb99b7774bcd2931f0d5dcb570aa9494ba9b61eb9eee7a6fdd1f634a121c08c29aea39ac9f31f2a0ab0aab1ce0890aeeaa751e1724d6e963db71ed0b549add34d537b432d98519b8a6d7d55130846261fecd4d55bc41d26874b051d1f16265cfbef2179cd5a58e4f0ea9ad871fa1902b501fcf3d528c4606dd22729a77e90d1f5f642321f77d7ce549c0dfd66ca3afcfe2514ae501c915dd912c5e1ab87c405b2b7da0a24f90acbfa831b5ff26c2c5aac24016541dc0ed5f20c8fa01a8c8cd0af4969d148a14f90e2d334995f505357ed1f26ede51f1da7ba32743c3180ef5ec4284987c522b626b1e53018724c163e769803eefbfd366ec7fe6b7891fb7b0adce96929de79d6e1508bc2888d4321e22077c52e01cca36e9c07fe1e5bcfa6f682d915a154b32823cc69ad1aab8a4bd8a928f1f806fc4a5fc37359e404b1ddcfa3d64f3653d2997b812f57760ba71c7c0b688b0e5e0e18168245ddc24ddd5bc81ea4aa6a8e670e9b9c0093f9cb81621113d62ea92cddf2f1980664eb1fbe9464f24036083135bc3f706573d6b3639c96a3f2693aebee8722a575647a29f888c0cf027532441847f2401f3739197d7dbd7d51d4a7a76faadf9ff69ca1bce7357ff41170f2b0da247c8b73985a42618b97aad1c55141891a2fa523d03239ec133d717f7bf2b4e04d628e7ebeec062e2dd2d6288aba6cb4c1bf1a382ec2396585f2453bb2d0e66609c1be720042ea2518e6067207363639c9417ccfe536c9e962edd133e761c1522cc85356ee17e642b5427a655c997b90853351f5957e3b160e76425228a91e1c831d68d90b059be4872e05dc3512d92c47ed5f9f63f3f96daec5cfd25ffddc7feccb6187157d11f3b0d35cbf6582c9ecdcc598b1188083bde361fbc43bede2faf3437d51b0f66699fec43bc2c7670bf65b410dad2e25c1fbed2a54e3a365a41917a9d22e0de7b76e1d2b11c63ada87f6f8e7a3c846ca2abc5fd8ad6318b5c26a5d35edee84bb3219de0056d9ea802c70dc700a6dcd583c8ada4cf4f1517bfaf465bc54d574b8ff577653fe8579dceae8ddba378eb695af739e8c717096e99bff81429bed572d354dd53befcf8ef5e47bcc99ec2ba07e9b48a0d969ccd2620b545e64d4854d7c5b14c384151e1a8dc3215c08234c261f8dd107c45215436f035a94a2bc950e15a25808ae82eace6d4d16eaab97d8660b1fcacf1cbdb3c4a368e4b6465713de5896ecfddba7923d7ee8f1ba8b7a33fdd7b8db37e7643c7b2376e77f4acfb2a7108c49e2f06e5bf169966540e7130a34f4e80880a995b0cb4af32d73661d4ae1d0e1d2b9061f945f7403e95e9182d625a8eeb588303cae64c332f314c11a34a5137204d2b135c6e6353d05cbc9f6a9c8c488e621fb91b4dff84bca51e1170eb11e4e5c3dd3f5da235db3935898b11084bee16376dce9ebd8e5c9db956545b88892a29316a6de4b7298f668880417a4eb2f5ba9d7e954f4ea858a5807cd79ebdfbe046152b1f2ea59c7a9fee467eccce7fbddbe8917f30bf02ac2c852f7b5e663019e56b325d38c3813e86755b24795b4cb0ad82ae81be069a592e4ad68697b4417bddf82f82e2c7dfebb20a147fb13d6d6dee41c14869c99a0c6038724c983c78ebfb3ed095452acc0eb0bb2c62a64da0387b4aa41f2256a23e49f32f1750ee51bf3e2aee66341d929198c3489a610e16acbb78d631b5784c7924d6b7299244aeae00ab016b04e7297e8d990dd0a99d7c5de9ad1fa35b5ae38211689e8d0956ffff46b90147b723032045cb3ae55a3a5300d8ceb455cd25bb6d15dc9682887c9f59964adce21d2238c15f19b82dda610dbdfe696842cff32a860b1cad914de7ed80e0bd6b6e56edf16cc91972ec301a56f3ed91209a2df1d2ec0ef48e80e28de653245b58268aea31e8752d92d23410ce79bcef3098fb89c419b862fd0f571613e2905252535e3293df8430968dc5f16dff7ed5c539d36ac271df166445745863176e7b3038aedbc0ee8e63d6128d8b699decb65eef921181102c41152c576e99406f8fbe98f3332ce703e6f386b7ea00ae2682a9971f185f61f9c94e46238497ceb067e1288f8315956b18115895d011d99fc8f1ad21e0de94b4f54a3f05669c7487c7276f42c3ed505b4dfa2bb7f1110c5881c081fe2704827fa167f666e68ebb8c0966860623b0f86e2bd8237f563463e38f7630a82cd23bd3b7894f3206e5fc2654a8a1280b286ae1c9ee80f47a8ddd9e01a92bdaf8cf9c5f57a67d1892fa04032976080f01b1f244c0d9f01b0e396dc579ef670d52beb5b9431cf145402ecc994f596a41f76020ad28fcc407652750a8caab7be45ab9a2f1619628412489e0feafe0c45b6c5f82e714f66f21ddebf9af2c9881dc04d41f89c8a9dabd210d40f5d19ebfe7a53459ed56a567ec58ec9a98469dcfabd3f84ca8046e08e466e22d80734c454dbed17ab191247fb8218ba72293bf6f237c12c89f9c891e2b211146d2c2e8cc5e17f09d19f9ef57b37f31d3583511c0f187ee1c26356f77eb0b042cd54f83b19c3670ab9c141f3d508fda2b8e8ba71c7d38d7bddcfd690dbcb59d69cf40d4411d32f5cfdef66ef600f4cfe83eb243583a1ec0a6451c03febc24688f082e1b682cadec35a40d5215ebe2266549ec81a633b5b9e646f514454be8da2c5051f55135677d559e11c510585af89b827f84a1abb3a620dce4a38010f68b14e9fbcd43988336dd6c950e271f9982bf7742e8745e72d414f4e9d3a3b564ec4a840c05cf1cdc444e73e9b9217d0160e387417b37557b2eced5e67e3b6f9215d066d354e481c380fa285cfd15e0cf9bda0fa07989edcdf29a93518d5e4cb4ab61935585c1020272ec99cfb44d337145aaa3400000009cf325a226c1e9f064909ad91dda1bc772e477f925bb69a3018186f8dfff687969b7650b16718ccc8d77e7a035b03e690e869cfc0e8d160e5c422e40aeda27a0	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive\production\Property	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\DeviceId = "00188006B0C40051"	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\DeviceTicket = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000d79ef4adb8e2df4e96c16fb9ef12577e000000000200000000001066000000010000200000000f0582eeaa56edf165e8f713aca6e4cfd9ac709e67cca6b0e35491112963638d000000000e80000000020000200000001325880603223b71f5712e3bca3e05c861f7360d8de6e7bf4c215e949f957c27100d0000a7ac0b40da7995d3a3e0abd9b94c2fdef1571cf714b949e98415f271b46bbaa3bf8c4e5277dcfda8d90c9faa035d12302fdac0d70a03f6cc61ff52829bd6aa736e20d2fa1392adea6aa7e9c04078903f03d4014c4fd7d7cf49399938971414cc9440d429fa7542ae6688bb5ce0cb7ada12a80acc0366f7bdaae82b698aeb0cb06d195f16be9725e9ede42b546dffa12573325fa8295d03a18f6de144c76b3fffe6e82968f90b9adfc8bf0601dfebe97aa6ba726c95f2f00e7a001136c881c4db30e65d7d5c548daabdddcafec561179b9d74ca38be979d28262d7f54a4f6dc6c9cb9d8862fc692a1591973cedbbc24192d5e021d19b9e54081d549131b24e98271f2ccec8ea3554617455647b4dae6a070f11c0e330cd782d53666ba97fd074a9ddaee2852698189de6f2eb27e9df03e929e22edcf6ddd49270de38a231d5658e907cb996c5302d9187a506e2fe68864b2864183d0411cb793646ebfa7649bd553d057a5b10f37efb703ebbaf3351bbf2d2e526da18693d14820fd3d0683e24db8bf75abe7c4eb27ac948d9b4553a98195d07e51fb58009df10b62cfd39d2e48fb91b2c3bec120fc28c728fda05bb5cf0a6079ddce3fd38e6ade63b770663cdeb6a70592f35b0e69eb84f17e33f4bf10fa3b656308aae8d8666cbb063cda84e448f948e762cfe5106f45e6052ed6972c49fd1af27b10832612960283ecaf13f46e0c2440a8ecd90b96fdd0ef2305cf9ed3163ebdc40d6020d3b391ddf251bbe794e56370cc86f8157415a08e4b0ad3c67dd359d2bb4a5196c0b09e1bf557bce6315cd638ca1545c19899e3bdb1acd5f91cef427052c83e28927b50c48fb9171c954af0fafd28abd208194180a712c4a5b6de3308bd1a6c3c57596ad21aca6cd404dccfa08db0accb0c7417b28dd7e3e0c95dd49d68f03d1c008eac56cd4ad8d573c9e608e22888b68cdde769446cb8ccf2402a8d0970772c523f1a8ee0aab1d4d2ec5199bd6f29ce1d7ccac027f6e53fe2cd8acef42d1f5abc22a0f718d8906e3dd3b49064c91d8863f13bb1096a7778fbae21abab327b4be5fff92a4596b5b9369bda28e9fe6f4757fd50c63f68403575d7d5651886735987da6258d6be2e4ce8d12987a31c81f526e6d4e5d7d57cbbcf1944e89d5e1e4958098ae612a512c736fe60ce030932ee97fb8e27ecc026f932754978b043d490a7496a722bed9141c0bf1e384d61795ec7466fce2fdb9e689621d98eb6328568fa1958a393a781deba435d5a46a5f46589873561cddb2f3917b797185ac65f4ccca96bdfdb6ceade34dcbb8896aa0dfdb70d6f37b22896e80ae3e9b8e6c0dcacdf0e01d8ea6b280e077a56ae55e9d4ab6fc388864097f78f5426a7b91203b0943086401e9a3801fe7ad4d8bcc2bc136991eea82a8d84e6b3a94363ad156203216d7933c8d480289b22ed28e3f59698fbd62fd2438be1268fd1bab7a031a96743cbe3cdfa6f7d3c3789a242e142ae8f5b8a4f77505e640a21ca8a2c40193e2857e99a9dc16f468cc9006165877bd6307876ff5212171763aa1b1ccaefb08b30961a49cf7869b5fdf6bf4d31dc39bf623cb3ae3df3295d5dc9cae28348e750da4ee1dea4cee002642b592677f47932ae41441e2bafd29a5ba279c3bde6b5f18c6b81dc9a4382ba52055e0c71f294a6c8e81482c298a433dbcd499afd460558a6315536a2d2a5e9d6c97673092b3d74e0df32233fe1a641ab15d918c967b6552c2de43e223b9ba09e00336b723a2ae60ab7abd01cdb5dc77f46fcd8d433a7ea16d6ebcde19216c885543bf091433b42bf3714f682bdfb1881d4bc89f56866e016c8039befab58a7ef51f547d3c78b66ab601282b1c0bb841e45282ce4ece978dfaf9bf75895ed4b67682d466e78f78d3c4b1162370bc0b57ea35597cceeb8bb84ff8bf6ff219c7eb72dcb7e3ccb59c74325218da29fb060b90e7959130bd9866f266917feac45fa782a39851f09755beef607d843472b9d8908189efa7e5e26eb50a092ec537978f9f11fa1ce50cfba14e11203d9e2ff22cb355ac2ecc2ff6872e5b6c0458c0db436ecc6aa8e7c361bb6517db2c5e23e71901e1b78d1938b7d2735d2750884b449269106ed09d032c4834efdf259183d2cfe88467d140d1522e2bed14a48aea6270ae95d4aa26491947542a1bc4273c4ad588d1ec4ed6c5c0f0805ad48f7eedf6874dd3af3849f7dfa520d9070c7ca76cda76427b7268ae79ab1817c4cb1325d0ca6536d334db3aa70a125db3534858de463d2766ac302900d5d63064f1104d82259081d66e8a83603951eddb80a5def5a8ad0b24fe41687e6886a96bc25ba028aeb97834407f9dffa4be3e0452c72bcfdc079d99d775619cb6931bf4af48ea8437e5b03a92969c921be71a8986aa704fda1f09d3321fd4d72d031f1d646d46c7accdcf7dd39ac02414b382b8a665d251f67d6901b77057457f12b2b2815ea566080fb740bf175094f046ebba6fd69e58c684282d9ac7df86b6570d963f2f8a50866fd4e6c71457a71f3ba3d325b5f043f655022efe66efdd049a6993b259768539246e4b603cf5fd167fc5fcabe1437936be91f7016b8a0097b300e4b4c5fe998bec11c6310320375c5037a312eb978ef4e84f2506d135ab22a72a8e6a5c961c3c1e9b3890ee3935f770d223ea0c6235b698d0d51b6d26b44dfcb610c70ab947313dca9d5f6f19869e10d401b2fb3f2e0111adf89a4e03803cb74fcd5019eb1936ab54428b87eb734307a03ba4524e0f2a0a065d7b67d950e840625b4490242dee4908dcbbd5cb4d5197dd29cb53f9449cc6877894e009e428898eed5c13d3a2a72be812583b5932b5224eaab039d41aaf3935175bf7bf5ed773eb225cd14e108aa3a066beff431ce37172b773d7774dc6b213a595b727b6a2ae896a8a15d7a552a97299a5d1a94573cab06333f761465c5f6ec69f9ff4235cb03cbe7d64af24e82983297af671cb8623308ba236a7dc66fbeb64222c83be5ff123441298a39c6a73ebed35eb601e5f8174882d621e1b2b1121fe2c99e81ef9dfbcb792fb5b7f078bc92342aac0fb4cd92783ba3f94de323bce6ff2b88a69d067bb9d0e7f7ec8efd01f06684d4a78f2a223469db865db6cf81401435c4d73266f4f4855fe91235f216dbf329c6de5a7d23670716a078c67dcdee63cbbf3a4e47291c883a888e4b775cb5e81d45a7a6775334af69637935a7258cf197cdebddcf2ca83f8eec717d7272b517de3fd92b27370dfb82a1b56e7593ca952bfd09ab81ee436c29d755ca8365225e20311a67a15f0bdc5455164841f6ab691dbb46fe79b558f00c2242be5f97ca1de796034e0e31fa77c8aa1f5199f17e8fc8f59b5b8175a0bc2c9e6abef56d850eb56786a1509d56200e52d2d74f6442f24d0114cd2f33a2b4f9cbb6250373a31da5473a5b3128f2d46ace543362f89c664394c5f496095a602d34b7d8352ce50e3c75b64e31f9b8a8d017f56004d30c58be7d1ba5d601499648248295cfd2bc58f75d9aa002ff63010b6e165419624381e4b2146b2cc194814d9ae1667e3616492cfdda2c16eac2d7f783037b70f643e694fdac6fb8153289575ab88c1e3c2b989d284d5990b0b5d4a929d47ae9540721a4c22969e0a21fe1966af789b9b2ea18a716d5abdfb245d5e396d5e0811fa70bacb750f1faa18b9b09242493b2100ccb63752901fff7186f217a5e253c063a2709b7c42dbfb3edc40a75d62015527229e0f2a6acb777ff85a57d0098a03743917fb4891939bd51a489dd10d21d5a5104baa7cbcad25887dad00b1494ef479f0e307d44a83611a8defd8ddebbf6e2f78067be78b1853f3dacd0a658ac7da4ac017f64b939c2d215846bac664445be77554c72d2ac0f0217dcd908ec3e076f9c6813b456c68ac39e6f6013d1a3d678d5b0fea0f74f448ed1aff5d569a27db184dc7e6698e296f7737ca6636e82d9725c5d4ef5a95e2f9fb58838ec713f32b60661736b8c6e152c79fe0cef8cf4e48b8416e9fa7b6f6dbb010cfadcdb3732f0d4f98aaf4a2182d490e9128a980238032d0fb9f5bf04571ab7ab2cb4564ba27d3c86820ba4f64a3b027bddfb4b7fbeb3e471674ad763f915c886c763fa80162560f8e4a709b908b91d0131bdcee44acc3acb8c9c6a17325f96e9eba58ab5ffd1a65a9a875d017b33f8cde71be9071a7cf08642fc9ac4b805e83731a51405f75da9fcf4ba230af4623c9300c85e91ad8be3b869feddb0052b4eb6a31f8fb2c462a2dba91805ce4b5c9cc80f4a066eb1b5976bb8cb33f89ba525d99964593ee1b8f21d297c2fbb165566b3ec84e387dfb74dcb2097aee063b8af406e2c5abe9af0eb7cb036fa979783d2bec01971845c6fcab4a555b308bbf1c59c0d8723b8a0f2d17f508f11d3966ac5af736239dfc0717cc3b3cf67a24df76588cc7cd0d3495050c367aa400b045190779885512200da54f3b258a990575985a0a3b33f49a6ce00c6a3bcdef58b16d787baf151fca8d4458e29465c1b7d602de22f4848364f813860b576286abaad9529dcf1db85ffdbde7f142ebb3a303ad05ca84f6729d33486f8e3904e5d083ece65fbe72b945a9fe0033bcb7b9f2d61a7e5e82ace570ff901d4da5cc9a98351a0b2d17c7122c7ef17561593b4d5f468bd1cc4536d1e27af96c16e7f9b86d79967c4e81c9e38f99b8c2975ac88388370a9406fb4e02cf24c4000000025b886dd7136449e4cf2775a73df0918f0282e7622bbe1119c2986e49d71f33c5f013711ef58bbd766618cd4fdc4942f37c26dd477b708a375cdcc931fde60f6	svchost.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

4552348445415f5a30a31366a5d5e126.exe

pid	process
4244	4552348445415f5a30a31366a5d5e126.exe
4244	4552348445415f5a30a31366a5d5e126.exe
4244	4552348445415f5a30a31366a5d5e126.exe
4244	4552348445415f5a30a31366a5d5e126.exe
4244	4552348445415f5a30a31366a5d5e126.exe
4244	4552348445415f5a30a31366a5d5e126.exe
4244	4552348445415f5a30a31366a5d5e126.exe
4244	4552348445415f5a30a31366a5d5e126.exe
4244	4552348445415f5a30a31366a5d5e126.exe
4244	4552348445415f5a30a31366a5d5e126.exe
4244	4552348445415f5a30a31366a5d5e126.exe
4244	4552348445415f5a30a31366a5d5e126.exe
4244	4552348445415f5a30a31366a5d5e126.exe
4244	4552348445415f5a30a31366a5d5e126.exe
4244	4552348445415f5a30a31366a5d5e126.exe
4244	4552348445415f5a30a31366a5d5e126.exe
4244	4552348445415f5a30a31366a5d5e126.exe
4244	4552348445415f5a30a31366a5d5e126.exe
4244	4552348445415f5a30a31366a5d5e126.exe
4244	4552348445415f5a30a31366a5d5e126.exe
4244	4552348445415f5a30a31366a5d5e126.exe
4244	4552348445415f5a30a31366a5d5e126.exe
4244	4552348445415f5a30a31366a5d5e126.exe
4244	4552348445415f5a30a31366a5d5e126.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

4552348445415f5a30a31366a5d5e126.exeexplorer.exe

pid process

4296 4552348445415f5a30a31366a5d5e126.exe
1036 explorer.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

explorer.exe

pid process

1036 explorer.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

explorer.exe

pid process

1036 explorer.exe

pid	process
4296	4552348445415f5a30a31366a5d5e126.exe
1036	explorer.exe

pid	process
1036	explorer.exe

pid	process
1036	explorer.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

4552348445415f5a30a31366a5d5e126.exe4552348445415f5a30a31366a5d5e126.exe

description	pid	process	target process
PID 4244 wrote to memory of 4296	4244	4552348445415f5a30a31366a5d5e126.exe	4552348445415f5a30a31366a5d5e126.exe
PID 4244 wrote to memory of 4296	4244	4552348445415f5a30a31366a5d5e126.exe	4552348445415f5a30a31366a5d5e126.exe
PID 4244 wrote to memory of 4296	4244	4552348445415f5a30a31366a5d5e126.exe	4552348445415f5a30a31366a5d5e126.exe
PID 4244 wrote to memory of 4296	4244	4552348445415f5a30a31366a5d5e126.exe	4552348445415f5a30a31366a5d5e126.exe
PID 4244 wrote to memory of 4296	4244	4552348445415f5a30a31366a5d5e126.exe	4552348445415f5a30a31366a5d5e126.exe
PID 4244 wrote to memory of 4296	4244	4552348445415f5a30a31366a5d5e126.exe	4552348445415f5a30a31366a5d5e126.exe
PID 4244 wrote to memory of 4296	4244	4552348445415f5a30a31366a5d5e126.exe	4552348445415f5a30a31366a5d5e126.exe
PID 4244 wrote to memory of 4296	4244	4552348445415f5a30a31366a5d5e126.exe	4552348445415f5a30a31366a5d5e126.exe
PID 4244 wrote to memory of 4296	4244	4552348445415f5a30a31366a5d5e126.exe	4552348445415f5a30a31366a5d5e126.exe
PID 4244 wrote to memory of 4296	4244	4552348445415f5a30a31366a5d5e126.exe	4552348445415f5a30a31366a5d5e126.exe
PID 4296 wrote to memory of 1036	4296	4552348445415f5a30a31366a5d5e126.exe	explorer.exe
PID 4296 wrote to memory of 1036	4296	4552348445415f5a30a31366a5d5e126.exe	explorer.exe
PID 4296 wrote to memory of 1036	4296	4552348445415f5a30a31366a5d5e126.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\4552348445415f5a30a31366a5d5e126.exe
"C:\Users\Admin\AppData\Local\Temp\4552348445415f5a30a31366a5d5e126.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4244

C:\Users\Admin\AppData\Local\Temp\4552348445415f5a30a31366a5d5e126.exe
"C:\Users\Admin\AppData\Local\Temp\4552348445415f5a30a31366a5d5e126.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4296

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
3⤵
- Adds Run key to start application
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1036

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
- Modifies data under HKEY_USERS
PID:824

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
- Drops file in Windows directory
PID:5084

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:3804

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1036-139-0x0000000001100000-0x000000000110F000-memory.dmp

Filesize
60KB

Download
memory/4244-134-0x0000000077140000-0x00000000772E3000-memory.dmp

Filesize
1.6MB

Download
memory/4244-136-0x0000000000340000-0x0000000000388000-memory.dmp

Filesize
288KB

Download
memory/4244-137-0x0000000077140000-0x00000000772E3000-memory.dmp

Filesize
1.6MB

Download
memory/4296-135-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4296-138-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/5084-142-0x00000248C5070000-0x00000248C5074000-memory.dmp

Filesize
16KB

Download
memory/5084-141-0x00000248C2AC0000-0x00000248C2AD0000-memory.dmp

Filesize
64KB

Download
memory/5084-140-0x00000248C2A60000-0x00000248C2A70000-memory.dmp

Filesize
64KB

Download
memory/5084-143-0x00000248C53E0000-0x00000248C53E4000-memory.dmp

Filesize
16KB

Download
memory/5084-144-0x00000248C53E0000-0x00000248C53E4000-memory.dmp

Filesize
16KB

Download
memory/5084-145-0x00000248C53F0000-0x00000248C53F4000-memory.dmp

Filesize
16KB

Download
memory/5084-146-0x00000248C53E0000-0x00000248C53E1000-memory.dmp

Filesize
4KB

Download
memory/5084-147-0x00000248C54D0000-0x00000248C54D4000-memory.dmp

Filesize
16KB

Download
memory/5084-148-0x00000248C54D0000-0x00000248C54D4000-memory.dmp

Filesize
16KB

Download
memory/5084-149-0x00000248C5580000-0x00000248C5584000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads