Resubmissions
23-03-2022 16:54 220323-ve19sahca5 10
23-03-2022 16:45 220323-t9cn8sdedq 10
23-03-2022 08:56 220323-kwef8sbae3 10
Analysis
-
max time kernel
138s
-
max time network
159s
-
platform
windows10-2004_x64
-
resource
win10v2004-20220310-en
-
submitted
23-03-2022 16:54
Static task
static1
Behavioral task
behavioral1
Sample
quakbotsamples/29148f550d02cf98d89efb53f7137da28e91df43790f4fc052a0f405f99edcc1.dll
Resource
win7-20220311-en
Behavioral task
behavioral2
Sample
quakbotsamples/29148f550d02cf98d89efb53f7137da28e91df43790f4fc052a0f405f99edcc1.dll
Resource
win10v2004-20220310-en
Behavioral task
behavioral3
Sample
quakbotsamples/62b038f2dc2ab995d036930a2eaa5f2dc67fb0ab884459d3fa6df653eec307e1.dll
Resource
win7-20220311-en
Behavioral task
behavioral4
Sample
quakbotsamples/62b038f2dc2ab995d036930a2eaa5f2dc67fb0ab884459d3fa6df653eec307e1.dll
Resource
win10v2004-20220310-en
Behavioral task
behavioral5
Sample
quakbotsamples/a16db0d2025dff39a4a0de4071ce0e73c6810ab497453ad67c16ba0980385f60.dll
Resource
win7-20220311-en
Behavioral task
behavioral6
Sample
quakbotsamples/a16db0d2025dff39a4a0de4071ce0e73c6810ab497453ad67c16ba0980385f60.dll
Resource
win10v2004-en-20220113
Behavioral task
behavioral7
Sample
quakbotsamples/a5bc6aad1c3205857cf8d29058f8a5283bdc743b9965b5b5d2e69df9a9b6bb1b.dll
Resource
win7-20220310-en
Behavioral task
behavioral8
Sample
quakbotsamples/a5bc6aad1c3205857cf8d29058f8a5283bdc743b9965b5b5d2e69df9a9b6bb1b.dll
Resource
win10v2004-en-20220113
Behavioral task
behavioral9
Sample
quakbotsamples/c59d033fa3a58112f7520113699c74552c4d12bb10783fa880359ec94affe2a1.dll
Resource
win7-20220310-en
General
-
Target
quakbotsamples/29148f550d02cf98d89efb53f7137da28e91df43790f4fc052a0f405f99edcc1.dll
-
Size
260KB
-
MD5
01b9cb4752f2a33d563fd09089d76571
-
SHA1
8aa2a65b78c1da2bac332069f53b6283c46f9fc6
-
SHA256
29148f550d02cf98d89efb53f7137da28e91df43790f4fc052a0f405f99edcc1
-
SHA512
2764312e1608927ead6467c885ab5155d6fac3ec69ab856991a50f8af0f61085901c43fd4ce2d7f071623bb9e0bd6d478103d9ad87ae6219334fb1102ee297aa
Malware Config
Extracted
qakbot
401.51
abc105
1606839097
-
salt
jHxastDcds)oMc=jvh7wdUhxcsdt2
Signatures
-
custom yara rule for qakbot 1 IoCs
Processes:
resource | yara_rule
behavioral2/memory/4068-136-0x0000000010000000-0x0000000010041000-memory.dmp | qakbot
-
Modifies data under HKEY_USERS 16 IoCs
Processes:
svchost.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive\production\Property | svchost.exe
Set value (data) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property\00188006B67709DE | svchost.exe
Set value (data) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\DeviceTicket | svchost.exe
Set value (data) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\DeviceTicket | svchost.exe
Set value (data) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property\00188006B67709DE | svchost.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5} | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\ApplicationFlags = "1" | svchost.exe
Set value (data) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\DeviceTicket | svchost.exe
Set value (data) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property\00188006B67709DE | svchost.exe
Set value (data) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\DeviceTicket | svchost.exe
Set value (data) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property\00188006B67709DE | svchost.exe
Set value (data) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\DeviceTicket | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\DeviceId = "00188006B67709DE" | svchost.exe
Set value (data) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property\00188006B67709DE | svchost.exe
Set value (data) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property\00188006B67709DE | svchost.exe
Set value (data) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\DeviceTicket | svchost.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
rundll32.exe
pid | process
4068 | rundll32.exe
4068 | rundll32.exe
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
rundll32.exe
description | pid | process | target process
PID 484 wrote to memory of 4068 | 484 | rundll32.exe | rundll32.exe
PID 484 wrote to memory of 4068 | 484 | rundll32.exe | rundll32.exe
PID 484 wrote to memory of 4068 | 484 | rundll32.exe | rundll32.exe
Processes
-
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\quakbotsamples\29148f550d02cf98d89efb53f7137da28e91df43790f4fc052a0f405f99edcc1.dll,#1
1
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\quakbotsamples\29148f550d02cf98d89efb53f7137da28e91df43790f4fc052a0f405f99edcc1.dll,#1
2
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1
- Modifies data under HKEY_USERS
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1