
BlackMatter.A Ransomware

By CagedTech in Ransomware

Threat Scorecard

Popularity Rank: 10,769
Threat Level: 100 % (High)
Infected Computers: 294
First Seen: October 29, 2021
Last Seen: November 27, 2025
OS(es) Affected: Windows

Analysis Report

General information

Family Name: BlackMatter.A Ransomware
Signature status: No Signature

Known Samples

MD5: 02a81b80bbb6cbe475a8eee6f66cccf6
SHA1: a6fc098d92859f5be9a0b8122f991abb860a7737
SHA256: B4E8A7984E81721A0E208E3BEA4D266D6F67CDC0B48C6BDF183C57DE5C24767C
File Size: 148.48 KB, 148480 bytes

MD5: a64c42b5c23587aa96119bae7477bcb7
SHA1: 5312360d1e2146c35e24c660854d6bf7de785975
SHA256: 3ABC72383E986FE26F44F5D1F4EC12F52858402146864D21E6D5A8251BB6BAA1
File Size: 100.86 KB, 100864 bytes

MD5: ce6a5997aec1b1efea8442049be271be
SHA1: 5942edbca7eba4463817ef4e01566766f8b52934
SHA256: A7D9B82F347ACDDE5E325163366E467A8E84513757CF2FA00624594F5D78EB34
File Size: 109.57 KB, 109568 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have exports table
  • File doesn't have resources
  • File doesn't have security information
  • File is 32-bit executable
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Traits

  • 2+ executable sections
  • dll
  • HighEntropy
  • No Version Info
  • x86

Block Information

Total Blocks: 279
Potentially Malicious Blocks: 220
Whitelisted Blocks: 42
Unknown Blocks: 17

Visual Map

x 0 0 0 x x x 0 x x x x x x x x x 0 0 0 0 0 0 0 0 ? x x x x x x x x x x 0 x x x x x x x x x x x x x x ? ? x x x x x x x x x x x x x x x x x x x x x x x x 0 x x x x x x x x x 0 0 x 0 x x x x ? ? x ? 0 x x x x x x x x 0 x 0 x x x ? x 0 x 1 x x x 1 x 1 x 0 x 0 x x x ? x x x ? 0 x x x x ? x x x x x x x x x x x x ? x x x x x x x x ? x x x x x x x x x x x 0 x x x x x x x x x x x x 0 0 x 0 x x x x x x x x x x x x x x x x 0 x x x x x x x x 0 x 0 x x x x ? 0 x x x x x x x x ? x x x x 0 x x x x x x 0 x x x x x x x x 0 ? ? x x x x x ? 0 x x x x x x 0 0 x x x x 0
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

  • BlackMatter.A
  • BlackMatter.B
  • BlackMatter.D
  • BlackMatter.F

Files Modified


Registry Modifications

HKLM\software\microsoft\windows\currentversion\winevt\channels\microsoft-windows-application-experience/program-compatibility-assistant::enabled RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\winevt\channels\microsoft-windows-application-experience/program-compatibility-assistant::channelaccess O:BAG:SYD:(A;;0x1;;;SY)(A;;0x5;;;BA)(A;;0x1;;;LA) RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\winevt\channels\microsoft-windows-application-experience/program-compatibility-assistant/analytic::enabled RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\winevt\channels\microsoft-windows-application-experience/program-compatibility-assistant/analytic::channelaccess O:BAG:SYD:(A;;0x1;;;SY)(A;;0x5;;;BA)(A;;0x1;;;LA) RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\winevt\channels\microsoft-windows-application-experience/program-compatibility-assistant/trace::enabled RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\winevt\channels\microsoft-windows-application-experience/program-compatibility-assistant/trace::channelaccess O:BAG:SYD:(A;;0x1;;;SY)(A;;0x5;;;BA)(A;;0x1;;;LA) RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\winevt\channels\microsoft-windows-application-experience/program-compatibility-troubleshooter::enabled RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\winevt\channels\microsoft-windows-application-experience/program-compatibility-troubleshooter::channelaccess O:BAG:SYD:(A;;0x1;;;SY)(A;;0x5;;;BA)(A;;0x1;;;LA) RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\winevt\channels\microsoft-windows-application-experience/program-inventory::enabled RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\winevt\channels\microsoft-windows-application-experience/program-inventory::channelaccess O:BAG:SYD:(A;;0x1;;;SY)(A;;0x5;;;BA)(A;;0x1;;;LA) RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\winevt\channels\microsoft-windows-application-experience/program-telemetry::enabled RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\winevt\channels\microsoft-windows-application-experience/program-telemetry::channelaccess O:BAG:SYD:(A;;0x1;;;SY)(A;;0x5;;;BA)(A;;0x1;;;LA) RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\winevt\channels\microsoft-windows-application-experience/steps-recorder::enabled RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\winevt\channels\microsoft-windows-application-experience/steps-recorder::channelaccess O:BAG:SYD:(A;;0x1;;;SY)(A;;0x5;;;BA)(A;;0x1;;;LA) RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\winevt\channels\microsoft-windows-applicationresourcemanagementsystem/diagnostic::enabled RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\winevt\channels\microsoft-windows-applicationresourcemanagementsystem/diagnostic::channelaccess O:BAG:SYD:(A;;0x1;;;SY)(A;;0x5;;;BA)(A;;0x1;;;LA) RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\winevt\channels\microsoft-windows-applicationresourcemanagementsystem/operational::enabled RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\winevt\channels\microsoft-windows-applicationresourcemanagementsystem/operational::channelaccess O:BAG:SYD:(A;;0x1;;;SY)(A;;0x5;;;BA)(A;;0x1;;;LA) RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\winevt\channels\microsoft-windows-applocker/exe and dll::enabled RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\winevt\channels\microsoft-windows-applocker/exe and dll::channelaccess O:BAG:SYD:(A;;0x1;;;SY)(A;;0x5;;;BA)(A;;0x1;;;LA) RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\winevt\channels\microsoft-windows-applocker/msi and script::enabled RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\winevt\channels\microsoft-windows-applocker/msi and script::channelaccess O:BAG:SYD:(A;;0x1;;;SY)(A;;0x5;;;BA)(A;;0x1;;;LA) RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\winevt\channels\microsoft-windows-applocker/packaged app-deployment::enabled RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\winevt\channels\microsoft-windows-applocker/packaged app-deployment::channelaccess O:BAG:SYD:(A;;0x1;;;SY)(A;;0x5;;;BA)(A;;0x1;;;LA) RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\winevt\channels\microsoft-windows-applocker/packaged app-execution::enabled RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\winevt\channels\microsoft-windows-applocker/packaged app-execution::channelaccess O:BAG:SYD:(A;;0x1;;;SY)(A;;0x5;;;BA)(A;;0x1;;;LA) RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\winevt\channels\microsoft-windows-appmodel-runtime/admin::enabled RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\winevt\channels\microsoft-windows-appmodel-runtime/admin::channelaccess O:BAG:SYD:(A;;0x1;;;SY)(A;;0x5;;;BA)(A;;0x1;;;LA) RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\winevt\channels\microsoft-windows-appmodel-runtime/analytic::enabled RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\winevt\channels\microsoft-windows-appmodel-runtime/analytic::channelaccess O:BAG:SYD:(A;;0x1;;;SY)(A;;0x5;;;BA)(A;;0x1;;;LA) RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\winevt\channels\microsoft-windows-appmodel-runtime/debug::enabled RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\winevt\channels\microsoft-windows-appmodel-runtime/debug::channelaccess O:BAG:SYD:(A;;0x1;;;SY)(A;;0x5;;;BA)(A;;0x1;;;LA) RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\winevt\channels\microsoft-windows-appmodel-runtime/diagnostics::enabled RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\winevt\channels\microsoft-windows-appmodel-runtime/diagnostics::channelaccess O:BAG:SYD:(A;;0x1;;;SY)(A;;0x5;;;BA)(A;;0x1;;;LA) RegNtPreCreateKey

2190 additional registry modifications are not displayed above.
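The channel keys listed above are the registry side of the Windows Event Log: each channel carries an Enabled value and a ChannelAccess security descriptor, and every descriptor this sample touched is the same default (owner Administrators, SYSTEM read, Administrators read and clear, the built-in local Administrator read). Note that the report records only RegNtPreCreateKey callbacks on these keys, so it shows the sample reaching them, not that it rewrote them. What a responder wants is a way to turn a log in this format into findings once the data does change. The following is an added example, not code from the report or from the sample analysis: a Python parser for the report's line format plus an audit that flags a channel being disabled or a ChannelAccess DACL that grants write or clear to principals other than SYSTEM and Administrators. The two tampering lines in the sample input are constructed; the rights decoding (0x1 read, 0x2 write, 0x4 clear) follows the event log channel access rights.

```python
"""Parse sandbox registry-activity lines of the form used in this report
('key::value [data] callback') and audit the Windows Event Log channel keys
they touch. Added example; sample data beyond the two report lines is
constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

CHANNELS_PREFIX = "hklm\\software\\microsoft\\windows\\currentversion\\winevt\\channels\\"

# ChannelAccess value every channel in this report carries: owner BA, group SY,
# SYSTEM read (0x1), Administrators read+clear (0x5), local Administrator read.
BASELINE_SDDL = "O:BAG:SYD:(A;;0x1;;;SY)(A;;0x5;;;BA)(A;;0x1;;;LA)"
# Event log channel specific rights used in these descriptors.
RIGHT_READ, RIGHT_WRITE, RIGHT_CLEAR = 0x1, 0x2, 0x4
TRUSTED_SIDS = {"SY", "BA"}

SDDL_RE = re.compile(r"^O:(\S+?)G:(\S+?)D:(.*?)(?:S:.*)?$")
ACE_RE = re.compile(r"\(([^)]*)\)")


@dataclass
class RegEvent:
    key: str              # lower-cased key path
    value: str            # lower-cased value name
    data: Optional[str]   # value data, when the line carries any
    callback: str         # registry callback class the sandbox reported


def parse_line(line: str) -> RegEvent:
    """Assumes the value name contains no spaces and the callback class is the
    last whitespace-separated token; key paths may contain spaces."""
    key, sep, rest = line.strip().partition("::")
    tokens = rest.split()
    if not sep or len(tokens) < 2:
        raise ValueError(f"unparseable registry line: {line!r}")
    value, callback = tokens[0], tokens[-1]
    data = " ".join(tokens[1:-1]) or None
    return RegEvent(key.lower(), value.lower(), data, callback)


def parse_sddl_dacl(sddl: str) -> List[Tuple[str, Optional[int], str]]:
    """Return (ace_type, rights, sid) for each DACL ACE. Hex right masks are
    decoded; generic-right letters (e.g. 'GA') come back as None."""
    m = SDDL_RE.match(sddl)
    if not m:
        raise ValueError(f"unexpected SDDL: {sddl!r}")
    aces = []
    for body in ACE_RE.findall(m.group(3)):
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError(f"malformed ACE: {body!r}")
        rights_field = fields[2]
        rights = int(rights_field, 16) if rights_field.lower().startswith("0x") else None
        aces.append((fields[0], rights, fields[5]))
    return aces


def audit_channel_events(lines) -> List[Tuple[str, str]]:
    """Return (channel, finding) for channel keys whose Enabled or
    ChannelAccess data departs from the report's baseline."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        if not ev.key.startswith(CHANNELS_PREFIX):
            continue
        channel = ev.key[len(CHANNELS_PREFIX):]
        if ev.value == "enabled" and ev.data is not None:
            if ev.data.strip().lower() in ("0", "0x0"):
                findings.append((channel, "channel disabled"))
        elif ev.value == "channelaccess" and ev.data and ev.data != BASELINE_SDDL:
            for ace_type, rights, sid in parse_sddl_dacl(ev.data):
                if ace_type == "D" and sid in TRUSTED_SIDS:
                    findings.append((channel, f"deny ACE on {sid}"))
                elif ace_type == "A" and sid not in TRUSTED_SIDS and (
                        rights is None or rights & (RIGHT_WRITE | RIGHT_CLEAR)):
                    shown = "generic" if rights is None else f"0x{rights:x}"
                    findings.append((channel, f"{sid} granted write/clear ({shown})"))
    return findings


SAMPLE_LINES = [
    # Two lines taken from this report (default descriptor, key-creation callback).
    r"HKLM\software\microsoft\windows\currentversion\winevt\channels\microsoft-windows-alljoyn/operational::channelaccess O:BAG:SYD:(A;;0x1;;;SY)(A;;0x5;;;BA)(A;;0x1;;;LA) RegNtPreCreateKey",
    r"HKLM\software\microsoft\windows\currentversion\winevt\channels\microsoft-windows-applocker/exe and dll::enabled RegNtPreCreateKey",
    # Constructed: what tampering writes would look like in the same format.
    r"HKLM\software\microsoft\windows\currentversion\winevt\channels\microsoft-windows-applocker/exe and dll::enabled 0 RegNtPreSetValueKey",
    r"HKLM\software\microsoft\windows\currentversion\winevt\channels\microsoft-windows-powershell/operational::channelaccess O:BAG:SYD:(A;;0x1;;;SY)(A;;0x5;;;BA)(A;;0x7;;;WD) RegNtPreSetValueKey",
]

if __name__ == "__main__":
    for channel, finding in audit_channel_events(SAMPLE_LINES):
        print(f"{channel}: {finding}")
```

Run against the four sample lines, only the two constructed writes produce findings; the report's own lines parse cleanly but match the baseline. Feed it the full export of the report (the 2190 lines not shown) to see whether any channel key was actually modified rather than merely opened.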

Windows API Usage

Category: Syscall Use
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtClose
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDebugFilterState
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQuerySystemInformationEx
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationFile
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWriteFile
Category: Process Shell Execute
  • CreateProcess
Category: Anti Debug
  • NtQuerySystemInformation
Category: Process Manipulation Evasion
  • NtUnmapViewOfSection

Shell Command Execution

C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\5312360d1e2146c35e24c660854d6bf7de785975_0000100864.,LiQMAxHB
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\5942edbca7eba4463817ef4e01566766f8b52934_0000109568.,LiQMAxHB
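The two records above are the sandbox loading the second and third listed samples through rundll32 as a DLL, with LiQMAxHB as the entry point. Two details of the module path are worth carrying into endpoint telemetry hunts for the same pattern: the file sits under a user's Downloads folder, and its name ends in a dot with no extension, which stops LoadLibrary from appending the default .dll. The following is an added example, not code from the report: it parses this section's record layout, splits the rundll32 argument into module and entry point (handling a quoted path), and returns the reasons a record deserves a look. The benign and %TEMP% records in the sample input are constructed, and the list of user-writable path markers is an assumption to tune per environment.

```python
"""Parse the '<image> <command line>' records of the Shell Command Execution
section and pull apart the rundll32 argument (module,entrypoint) so the module
path can be triaged. Added example; records beyond the two on this page are
constructed."""
from dataclasses import dataclass
from typing import List

# Path fragments a rundll32 module should not normally come from. Assumption
# for the example; tune to the environment.
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")


@dataclass
class Rundll32Call:
    image: str    # executable the sandbox recorded as the process image
    module: str   # DLL path handed to rundll32
    entry: str    # exported entry point name (or #ordinal)
    args: str     # remaining arguments, if any


def split_module_entry(argument: str):
    """rundll32 takes '<module>,<entry> [args]'; the module may be quoted when
    it contains spaces, otherwise it runs up to the first comma."""
    argument = argument.strip()
    if argument.startswith('"'):
        end = argument.index('"', 1)
        module, tail = argument[1:end], argument[end + 1:]
        if not tail.startswith(","):
            raise ValueError(f"no entry point after quoted module: {argument!r}")
        tail = tail[1:]
    else:
        module, sep, tail = argument.partition(",")
        if not sep:
            raise ValueError(f"no entry point in rundll32 argument: {argument!r}")
    parts = tail.strip().split(None, 1)
    entry = parts[0] if parts else ""
    args = parts[1] if len(parts) > 1 else ""
    return module, entry, args


def parse_rundll32_record(record: str) -> Rundll32Call:
    """Record layout on this page: '<image> <argv0> <module>,<entry>'.
    Assumes neither the image nor the argv0 path contains spaces or quotes."""
    image, _, cmdline = record.strip().partition(" ")
    argv0, _, argument = cmdline.strip().partition(" ")
    if not argv0.lower().endswith("rundll32.exe"):
        raise ValueError(f"not a rundll32 command line: {record!r}")
    module, entry, args = split_module_entry(argument)
    return Rundll32Call(image, module, entry, args)


def suspicious_reasons(call: Rundll32Call) -> List[str]:
    """Heuristics on the module path only; the entry point name is not scored."""
    reasons = []
    mod = call.module.lower()
    basename = mod.rsplit("\\", 1)[-1]
    if basename.endswith(".") or "." not in basename:
        # LoadLibrary appends '.dll' to an extensionless name; a trailing dot
        # suppresses that, so the file is loaded under its exact odd name.
        reasons.append("module has no .dll extension (trailing dot / no extension)")
    elif not basename.endswith(".dll"):
        reasons.append(f"module extension is not .dll ({basename.rsplit('.', 1)[1]})")
    if any(marker in mod for marker in USER_WRITABLE_MARKERS):
        reasons.append("module loaded from a user-writable path")
    return reasons


SAMPLE_RECORDS = [
    # The two records from this report.
    r"C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\5312360d1e2146c35e24c660854d6bf7de785975_0000100864.,LiQMAxHB",
    r"C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\5942edbca7eba4463817ef4e01566766f8b52934_0000109568.,LiQMAxHB",
    # Constructed: a benign Control Panel launch and a quoted path in %TEMP%.
    r"C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\shell32.dll,Control_RunDLL",
    r'C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\rundll32.exe "C:\Users\user\AppData\Local\Temp\update tool.dat",DllRegisterServer',
]


def triage(records):
    """Return (entry, module, reasons) for every record, flagged or not."""
    out = []
    for rec in records:
        call = parse_rundll32_record(rec)
        out.append((call.entry, call.module, suspicious_reasons(call)))
    return out


if __name__ == "__main__":
    for entry, module, reasons in triage(SAMPLE_RECORDS):
        print(f"{entry:<20} {module}")
        for reason in reasons:
            print(f"    - {reason}")
```

The two report records each produce two reasons (no .dll extension, user-writable path) while the constructed shell32.dll launch produces none. Because the sandbox itself chose rundll32 and the entry name, the command line tells you how the sample was detonated, not how it is delivered in the wild; treat the module-path heuristics as the transferable part.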
