discordrat | hxxps://github[.]com/adi33333333334/panda/raw/main/Client-built[.]exe

Analysis

max time kernel
114s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
12-05-2024 12:21

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/adi33333333334/panda/raw/main/Client-built.exe

Score

10^/10

discordrat persistence rat rootkit spyware stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTIzOTE4NzgzMTUxNjE3MjM4OA.GYLFDQ.huQJASMCLjqluR9WrTcqri5t-vNOB6HHEry5Kw
server_id
1237879900740915321

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 5484 created 616	5484	Client-built.exe	5
PID 5484 created 616	5484	Client-built.exe	5

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
5484	Client-built.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 25 IoCs

Web Service

T1102

flow	ioc
16	raw.githubusercontent.com
17	raw.githubusercontent.com
55	discord.com
68	raw.githubusercontent.com
105	discord.com
108	discord.com
60	discord.com
88	discord.com
100	discord.com
103	discord.com
56	discord.com
63	discord.com
64	discord.com
70	discord.com
86	discord.com
87	discord.com
109	discord.com
65	discord.com
66	discord.com
67	raw.githubusercontent.com
85	discord.com
89	discord.com
104	discord.com
102	raw.githubusercontent.com
73	discord.com

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\$77Client-built.exe	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 5484 set thread context of 3412	5484	Client-built.exe	123
PID 5484 set thread context of 5908	5484	Client-built.exe	124

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	mousocoreworker.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	mousocoreworker.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
5192	SCHTASKS.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	mousocoreworker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1715516588"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Sun, 12 May 2024 12:23:09 GMT"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={A9F4205E-2669-43FF-92EF-514682CB9111}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f031246a-cf68-48a9-9 = "\\\\?\\Volume{B97F693D-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\48bc7b06ea8322cd6af81d6a4508f3373b9b8b813bc998d6a224ceabe13c9f9a"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f031246a-cf68-48a9-9 = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000de96242c67a4da01de96242c67a4da01de96242c67a4da01000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000ac58ea622000343862633762303665613833323263643661663831643661343530386633333733623962386238313362633939386436613232346365616265313363396639610000b20009000400efbeac58ea62ac58ea622e0000000000000000000000000000000000000000000000000022159800340038006200630037006200300036006500610038003300320032006300640036006100660038003100640036006100340035003000380066003300330037003300620039006200380062003800310033006200630039003900380064003600610032003200340063006500610062006500310033006300390066003900610000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000c7e721651000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c34386263376230366561383332326364366166383164366134353038663333373362396238623831336263393938643661323234636561626531336339663961000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a058000000000000007370646f68666d6100000000000000004293e9dc930fc248b62aebe192c1129be13f3dadd203ef11b8656ae20d922c8f4293e9dc930fc248b62aebe192c1129be13f3dadd203ef11b8656ae20d922c8fce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002d00000053002d0031002d0035002d00320031002d003700310031003500360039003200330030002d0033003600350039003400380038003400320032002d003500370031003400300038003800300036002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000003d697fb9000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d6cafa1e-5611-4711-b	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f031246a-cf68-48a9-9	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9edb71ea-51dc-4140-a	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9edb71ea-51dc-4140-a = 5543182c67a4da01	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9edb71ea-51dc-4140-a = "8324"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f031246a-cf68-48a9-9 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bccd51c8-0fda-4676-8 = "\\\\?\\Volume{B97F693D-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\3da27f9df8b329414ae27ed9c91d21ba4766e1aa6be54fb4d4c538375e537851"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3bd0c0fb-0c74-4c53-b = 70ccfc2d67a4da01	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d6cafa1e-5611-4711-b = 47e9572d67a4da01	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3bd0c0fb-0c74-4c53-b	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bccd51c8-0fda-4676-8 = 63801e2c67a4da01	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bccd51c8-0fda-4676-8 = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6f2378b3-cdf8-4461-b = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bccd51c8-0fda-4676-8 = "8324"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6f2378b3-cdf8-4461-b = "\\\\?\\Volume{B97F693D-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\3da27f9df8b329414ae27ed9c91d21ba4766e1aa6be54fb4d4c538375e537851"	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bccd51c8-0fda-4676-8	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9edb71ea-51dc-4140-a = "\\\\?\\Volume{B97F693D-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\2a00b27b1ad9ff499e699649b2e5e9b43cf0a73c7c9d7d00018621a1f35eca21"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0f23c4d8-cd42-43a7-8 = 9455242c67a4da01	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d6cafa1e-5611-4711-b	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0f23c4d8-cd42-43a7-8 = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000e96f1d2c67a4da01e96f1d2c67a4da01e96f1d2c67a4da01000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000ac58ea622000373939386434623438653766636533376565333664363862663062346438646631363831643562616361393530633662663138313865633633393037646463360000b20009000400efbeac58ea62ac58ea622e00000000000000000000000000000000000000000000000000173c9f00370039003900380064003400620034003800650037006600630065003300370065006500330036006400360038006200660030006200340064003800640066003100360038003100640035006200610063006100390035003000630036006200660031003800310038006500630036003300390030003700640064006300360000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000c7e721651000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c37393938643462343865376663653337656533366436386266306234643864663136383164356261636139353063366266313831386563363339303764646336000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a058000000000000007370646f68666d6100000000000000004293e9dc930fc248b62aebe192c1129be03f3dadd203ef11b8656ae20d922c8f4293e9dc930fc248b62aebe192c1129be03f3dadd203ef11b8656ae20d922c8fce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002d00000053002d0031002d0035002d00320031002d003700310031003500360039003200330030002d0033003600350039003400380038003400320032002d003500370031003400300038003800300036002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000003d697fb9000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ab10a73d-8a21-465e-8 = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000007344732c67a4da014286982d67a4da014286982d67a4da013f110a000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000ac58ea622000343862633762303665613833323263643661663831643661343530386633333733623962386238313362633939386436613232346365616265313363396639610000b20009000400efbeac58ea62ac58ea622e0000000000000000000000000000000000000000000000000022159800340038006200630037006200300036006500610038003300320032006300640036006100660038003100640036006100340035003000380066003300330037003300620039006200380062003800310033006200630039003900380064003600610032003200340063006500610062006500310033006300390066003900610000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000c7e721651000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c34386263376230366561383332326364366166383164366134353038663333373362396238623831336263393938643661323234636561626531336339663961000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a058000000000000007370646f68666d6100000000000000004293e9dc930fc248b62aebe192c1129be53f3dadd203ef11b8656ae20d922c8f4293e9dc930fc248b62aebe192c1129be53f3dadd203ef11b8656ae20d922c8fce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002d00000053002d0031002d0035002d00320031002d003700310031003500360039003200330030002d0033003600350039003400380038003400320032002d003500370031003400300038003800300036002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000003d697fb9000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ab10a73d-8a21-465e-8 = "0"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3bd0c0fb-0c74-4c53-b = "\\\\?\\Volume{B97F693D-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\7998d4b48e7fce37ee36d68bf0b4d8df1681d5baca950c6bf1818ec63907ddc6"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9edb71ea-51dc-4140-a	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0f23c4d8-cd42-43a7-8	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6f2378b3-cdf8-4461-b = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0f23c4d8-cd42-43a7-8 = "0"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6f2378b3-cdf8-4461-b	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d6cafa1e-5611-4711-b = "\\\\?\\Volume{B97F693D-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\2a00b27b1ad9ff499e699649b2e5e9b43cf0a73c7c9d7d00018621a1f35eca21"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3bd0c0fb-0c74-4c53-b = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9edb71ea-51dc-4140-a = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bccd51c8-0fda-4676-8	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3bd0c0fb-0c74-4c53-b	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3bd0c0fb-0c74-4c53-b = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0f23c4d8-cd42-43a7-8 = "8324"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0f23c4d8-cd42-43a7-8 = "\\\\?\\Volume{B97F693D-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\7998d4b48e7fce37ee36d68bf0b4d8df1681d5baca950c6bf1818ec63907ddc6"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6f2378b3-cdf8-4461-b = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000007258672c67a4da01e702f42c67a4da01e702f42c67a4da01731507000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000ac58ea622000336461323766396466386233323934313461653237656439633931643231626134373636653161613662653534666234643463353338333735653533373835310000b20009000400efbeac58ea62ac58ea622e00000000000000000000000000000000000000000000000000d700a400330064006100320037006600390064006600380062003300320039003400310034006100650032003700650064003900630039003100640032003100620061003400370036003600650031006100610036006200650035003400660062003400640034006300350033003800330037003500650035003300370038003500310000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000c7e721651000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c33646132376639646638623332393431346165323765643963393164323162613437363665316161366265353466623464346335333833373565353337383531000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a058000000000000007370646f68666d6100000000000000004293e9dc930fc248b62aebe192c1129be33f3dadd203ef11b8656ae20d922c8f4293e9dc930fc248b62aebe192c1129be33f3dadd203ef11b8656ae20d922c8fce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002d00000053002d0031002d0035002d00320031002d003700310031003500360039003200330030002d0033003600350039003400380038003400320032002d003500370031003400300038003800300036002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000003d697fb9000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f031246a-cf68-48a9-9	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ab10a73d-8a21-465e-8 = "8324"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bccd51c8-0fda-4676-8	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bccd51c8-0fda-4676-8 = 0114020000000000c0000000000000464c0000000114020000000000c000000000000046830000002000000029ab182c67a4da0129ab182c67a4da0129ab182c67a4da01000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000ac58ea622000336461323766396466386233323934313461653237656439633931643231626134373636653161613662653534666234643463353338333735653533373835310000b20009000400efbeac58ea62ac58ea622e00000000000000000000000000000000000000000000000000d700a400330064006100320037006600390064006600380062003300320039003400310034006100650032003700650064003900630039003100640032003100620061003400370036003600650031006100610036006200650035003400660062003400640034006300350033003800330037003500650035003300370038003500310000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000c7e721651000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c33646132376639646638623332393431346165323765643963393164323162613437363665316161366265353466623464346335333833373565353337383531000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a058000000000000007370646f68666d6100000000000000004293e9dc930fc248b62aebe192c1129bdf3f3dadd203ef11b8656ae20d922c8f4293e9dc930fc248b62aebe192c1129bdf3f3dadd203ef11b8656ae20d922c8fce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002d00000053002d0031002d0035002d00320031002d003700310031003500360039003200330030002d0033003600350039003400380038003400320032002d003500370031003400300038003800300036002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000003d697fb9000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f031246a-cf68-48a9-9 = a35e272c67a4da01	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9edb71ea-51dc-4140-a = "0"	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0f23c4d8-cd42-43a7-8	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f031246a-cf68-48a9-9 = "0"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d6cafa1e-5611-4711-b = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000008af6642c67a4da01e127392d67a4da01e127392d67a4da0161d705000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000ac58ea622000326130306232376231616439666634393965363939363439623265356539623433636630613733633763396437643030303138363231613166333565636132310000b20009000400efbeac58ea62ac58ea622e000000000000000000000000000000000000000000000000005ec5a800320061003000300062003200370062003100610064003900660066003400390039006500360039003900360034003900620032006500350065003900620034003300630066003000610037003300630037006300390064003700640030003000300031003800360032003100610031006600330035006500630061003200310000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000c7e721651000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c32613030623237623161643966663439396536393936343962326535653962343363663061373363376339643764303030313836323161316633356563613231000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a058000000000000007370646f68666d6100000000000000004293e9dc930fc248b62aebe192c1129be43f3dadd203ef11b8656ae20d922c8f4293e9dc930fc248b62aebe192c1129be43f3dadd203ef11b8656ae20d922c8fce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002d00000053002d0031002d0035002d00320031002d003700310031003500360039003200330030002d0033003600350039003400380038003400320032002d003500370031003400300038003800300036002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000003d697fb9000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ab10a73d-8a21-465e-8	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ab10a73d-8a21-465e-8 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3bd0c0fb-0c74-4c53-b = "8324"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9edb71ea-51dc-4140-a	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f031246a-cf68-48a9-9 = "8324"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6f2378b3-cdf8-4461-b = 191b0b2d67a4da01	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d6cafa1e-5611-4711-b = "8324"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3bd0c0fb-0c74-4c53-b = 0114020000000000c0000000000000464c0000000114020000000000c000000000000046830000002000000025d05d2c67a4da01676ee22d67a4da01676ee22d67a4da01e27c09000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000ac58ea622000373939386434623438653766636533376565333664363862663062346438646631363831643562616361393530633662663138313865633633393037646463360000b20009000400efbeac58ea62ac58ea622e00000000000000000000000000000000000000000000000000173c9f00370039003900380064003400620034003800650037006600630065003300370065006500330036006400360038006200660030006200340064003800640066003100360038003100640035006200610063006100390035003000630036006200660031003800310038006500630036003300390030003700640064006300360000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000c7e721651000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c37393938643462343865376663653337656533366436386266306234643864663136383164356261636139353063366266313831386563363339303764646336000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a058000000000000007370646f68666d6100000000000000004293e9dc930fc248b62aebe192c1129be63f3dadd203ef11b8656ae20d922c8f4293e9dc930fc248b62aebe192c1129be63f3dadd203ef11b8656ae20d922c8fce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002d00000053002d0031002d0035002d00320031002d003700310031003500360039003200330030002d0033003600350039003400380038003400320032002d003500370031003400300038003800300036002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000003d697fb9000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9edb71ea-51dc-4140-a = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000a2e6132c67a4da01a2e6132c67a4da01a2e6132c67a4da01000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000ac58ea622000326130306232376231616439666634393965363939363439623265356539623433636630613733633763396437643030303138363231613166333565636132310000b20009000400efbeac58ea62ac58ea622e000000000000000000000000000000000000000000000000005ec5a800320061003000300062003200370062003100610064003900660066003400390039006500360039003900360034003900620032006500350065003900620034003300630066003000610037003300630037006300390064003700640030003000300031003800360032003100610031006600330035006500630061003200310000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000c7e721651000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c32613030623237623161643966663439396536393936343962326535653962343363663061373363376339643764303030313836323161316633356563613231000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a058000000000000007370646f68666d6100000000000000004293e9dc930fc248b62aebe192c1129bde3f3dadd203ef11b8656ae20d922c8f4293e9dc930fc248b62aebe192c1129bde3f3dadd203ef11b8656ae20d922c8fce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002d00000053002d0031002d0035002d00320031002d003700310031003500360039003200330030002d0033003600350039003400380038003400320032002d003500370031003400300038003800300036002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000003d697fb9000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6f2378b3-cdf8-4461-b	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6f2378b3-cdf8-4461-b = "8324"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f031246a-cf68-48a9-9	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d6cafa1e-5611-4711-b = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d6cafa1e-5611-4711-b = "0"	RuntimeBroker.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 888049.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3128	msedge.exe
3128	msedge.exe
4240	msedge.exe
4240	msedge.exe
2560	identity_helper.exe
2560	identity_helper.exe
5352	msedge.exe
5352	msedge.exe
5484	Client-built.exe
5484	Client-built.exe
3412	dllhost.exe
3412	dllhost.exe
3412	dllhost.exe
3412	dllhost.exe
3412	dllhost.exe
3412	dllhost.exe
3412	dllhost.exe
3412	dllhost.exe
3412	dllhost.exe
3412	dllhost.exe
3412	dllhost.exe
3412	dllhost.exe
3412	dllhost.exe
3412	dllhost.exe
3412	dllhost.exe
3412	dllhost.exe
3412	dllhost.exe
3412	dllhost.exe
3412	dllhost.exe
3412	dllhost.exe
3412	dllhost.exe
3412	dllhost.exe
3412	dllhost.exe
3412	dllhost.exe
3412	dllhost.exe
3412	dllhost.exe
3412	dllhost.exe
3412	dllhost.exe
3412	dllhost.exe
3412	dllhost.exe
3412	dllhost.exe
3412	dllhost.exe
3412	dllhost.exe
3412	dllhost.exe
3412	dllhost.exe
3412	dllhost.exe
3412	dllhost.exe
3412	dllhost.exe
3412	dllhost.exe
3412	dllhost.exe
3412	dllhost.exe
3412	dllhost.exe
3412	dllhost.exe
3412	dllhost.exe
3412	dllhost.exe
3412	dllhost.exe
3412	dllhost.exe
3412	dllhost.exe
3412	dllhost.exe
3412	dllhost.exe
3412	dllhost.exe
3412	dllhost.exe
3412	dllhost.exe
3412	dllhost.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	5484	Client-built.exe
Token: SeDebugPrivilege	5484	Client-built.exe
Token: SeDebugPrivilege	5484	Client-built.exe
Token: SeDebugPrivilege	3412	dllhost.exe
Token: SeDebugPrivilege	5484	Client-built.exe
Token: SeDebugPrivilege	5908	dllhost.exe
Token: SeShutdownPrivilege	5232	mousocoreworker.exe
Token: SeCreatePagefilePrivilege	5232	mousocoreworker.exe
Token: SeShutdownPrivilege	5232	mousocoreworker.exe
Token: SeCreatePagefilePrivilege	5232	mousocoreworker.exe
Token: SeShutdownPrivilege	3884	RuntimeBroker.exe
Token: SeShutdownPrivilege	5232	mousocoreworker.exe
Token: SeCreatePagefilePrivilege	5232	mousocoreworker.exe
Token: SeShutdownPrivilege	5232	mousocoreworker.exe
Token: SeCreatePagefilePrivilege	5232	mousocoreworker.exe
Token: SeShutdownPrivilege	3884	RuntimeBroker.exe
Token: SeShutdownPrivilege	5484	Client-built.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3640	RuntimeBroker.exe
2060	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4240 wrote to memory of 920	4240	msedge.exe	82
PID 4240 wrote to memory of 920	4240	msedge.exe	82
PID 4240 wrote to memory of 2332	4240	msedge.exe	83
PID 4240 wrote to memory of 2332	4240	msedge.exe	83
PID 4240 wrote to memory of 2332	4240	msedge.exe	83
PID 4240 wrote to memory of 2332	4240	msedge.exe	83
PID 4240 wrote to memory of 2332	4240	msedge.exe	83
PID 4240 wrote to memory of 2332	4240	msedge.exe	83
PID 4240 wrote to memory of 2332	4240	msedge.exe	83
PID 4240 wrote to memory of 2332	4240	msedge.exe	83
PID 4240 wrote to memory of 2332	4240	msedge.exe	83
PID 4240 wrote to memory of 2332	4240	msedge.exe	83
PID 4240 wrote to memory of 2332	4240	msedge.exe	83
PID 4240 wrote to memory of 2332	4240	msedge.exe	83
PID 4240 wrote to memory of 2332	4240	msedge.exe	83
PID 4240 wrote to memory of 2332	4240	msedge.exe	83
PID 4240 wrote to memory of 2332	4240	msedge.exe	83
PID 4240 wrote to memory of 2332	4240	msedge.exe	83
PID 4240 wrote to memory of 2332	4240	msedge.exe	83
PID 4240 wrote to memory of 2332	4240	msedge.exe	83
PID 4240 wrote to memory of 2332	4240	msedge.exe	83
PID 4240 wrote to memory of 2332	4240	msedge.exe	83
PID 4240 wrote to memory of 2332	4240	msedge.exe	83
PID 4240 wrote to memory of 2332	4240	msedge.exe	83
PID 4240 wrote to memory of 2332	4240	msedge.exe	83
PID 4240 wrote to memory of 2332	4240	msedge.exe	83
PID 4240 wrote to memory of 2332	4240	msedge.exe	83
PID 4240 wrote to memory of 2332	4240	msedge.exe	83
PID 4240 wrote to memory of 2332	4240	msedge.exe	83
PID 4240 wrote to memory of 2332	4240	msedge.exe	83
PID 4240 wrote to memory of 2332	4240	msedge.exe	83
PID 4240 wrote to memory of 2332	4240	msedge.exe	83
PID 4240 wrote to memory of 2332	4240	msedge.exe	83
PID 4240 wrote to memory of 2332	4240	msedge.exe	83
PID 4240 wrote to memory of 2332	4240	msedge.exe	83
PID 4240 wrote to memory of 2332	4240	msedge.exe	83
PID 4240 wrote to memory of 2332	4240	msedge.exe	83
PID 4240 wrote to memory of 2332	4240	msedge.exe	83
PID 4240 wrote to memory of 2332	4240	msedge.exe	83
PID 4240 wrote to memory of 2332	4240	msedge.exe	83
PID 4240 wrote to memory of 2332	4240	msedge.exe	83
PID 4240 wrote to memory of 2332	4240	msedge.exe	83
PID 4240 wrote to memory of 3128	4240	msedge.exe	84
PID 4240 wrote to memory of 3128	4240	msedge.exe	84
PID 4240 wrote to memory of 2068	4240	msedge.exe	85
PID 4240 wrote to memory of 2068	4240	msedge.exe	85
PID 4240 wrote to memory of 2068	4240	msedge.exe	85
PID 4240 wrote to memory of 2068	4240	msedge.exe	85
PID 4240 wrote to memory of 2068	4240	msedge.exe	85
PID 4240 wrote to memory of 2068	4240	msedge.exe	85
PID 4240 wrote to memory of 2068	4240	msedge.exe	85
PID 4240 wrote to memory of 2068	4240	msedge.exe	85
PID 4240 wrote to memory of 2068	4240	msedge.exe	85
PID 4240 wrote to memory of 2068	4240	msedge.exe	85
PID 4240 wrote to memory of 2068	4240	msedge.exe	85
PID 4240 wrote to memory of 2068	4240	msedge.exe	85
PID 4240 wrote to memory of 2068	4240	msedge.exe	85
PID 4240 wrote to memory of 2068	4240	msedge.exe	85
PID 4240 wrote to memory of 2068	4240	msedge.exe	85
PID 4240 wrote to memory of 2068	4240	msedge.exe	85
PID 4240 wrote to memory of 2068	4240	msedge.exe	85
PID 4240 wrote to memory of 2068	4240	msedge.exe	85
PID 4240 wrote to memory of 2068	4240	msedge.exe	85
PID 4240 wrote to memory of 2068	4240	msedge.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:616
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:332
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{92244cb9-80b2-4061-86ee-34a8bd00ae02}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3412
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{479656e5-e6b1-4e08-8995-d2276ce71708}
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5908

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:536

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:724

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1048

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1068

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1168

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1192
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2888

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1260

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1324

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1448

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1484

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1504
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1572

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1676

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1708

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1816

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1828

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1936

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1980

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2008

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1764

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2164

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2204

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2424

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2544

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2584

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2608

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2624

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2984

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:3040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:3132

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3300

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/adi33333333334/panda/raw/main/Client-built.exe
  2⤵
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4240
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff61f746f8,0x7fff61f74708,0x7fff61f74718
    3⤵
    PID:920
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2000,3721972530986446479,1058892116396197921,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2036 /prefetch:2
    3⤵
    PID:2332
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2000,3721972530986446479,1058892116396197921,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3128
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2000,3721972530986446479,1058892116396197921,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8
    3⤵
    PID:2068
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,3721972530986446479,1058892116396197921,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
    3⤵
    PID:3036
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,3721972530986446479,1058892116396197921,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
    3⤵
    PID:740
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2000,3721972530986446479,1058892116396197921,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5068 /prefetch:8
    3⤵
    PID:452
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2000,3721972530986446479,1058892116396197921,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5068 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2560
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2000,3721972530986446479,1058892116396197921,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5032 /prefetch:8
    3⤵
    PID:2016
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,3721972530986446479,1058892116396197921,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:1
    3⤵
    PID:4940
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2000,3721972530986446479,1058892116396197921,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5952 /prefetch:8
    3⤵
    PID:3652
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,3721972530986446479,1058892116396197921,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1
    3⤵
    PID:3060
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,3721972530986446479,1058892116396197921,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:1
    3⤵
    PID:4684
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,3721972530986446479,1058892116396197921,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4004 /prefetch:1
    3⤵
    PID:3492
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,3721972530986446479,1058892116396197921,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:1
    3⤵
    PID:1124
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2000,3721972530986446479,1058892116396197921,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6180 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5352
- - C:\Users\Admin\Downloads\Client-built.exe
    "C:\Users\Admin\Downloads\Client-built.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5484
  - - C:\Windows\SYSTEM32\SCHTASKS.exe
      "SCHTASKS.exe" /create /tn "$77Client-built.exe" /tr "'C:\Users\Admin\Downloads\Client-built.exe'" /sc onlogon /rl HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:5192
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3544

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3728

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3884

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of UnmapMainImage
PID:3640

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:4820

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4572

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:868

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:2148

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:4040

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4800

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4932

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of UnmapMainImage
PID:2060

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2248

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3608

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:2592

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:2504

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:3684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:1692

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:2232

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:4868

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:5176

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:5232

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
PID:5496

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:5452

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:1096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1ac52e2503cc26baee4322f02f5b8d9c

SHA1
38e0cee911f5f2a24888a64780ffdf6fa72207c8

SHA256
f65058c6f1a745b37a64d4c97a8e8ee940210273130cec97a67f568088b5d4d4

SHA512
7670d606bc5197ecb7db3ddaecd6f74a80e6decae92b94e0e8145a7f463fa099058e89f9dfa1c45b9197c36e5e21994698186a2ec970bbdb0937fe28ca46a834

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b2a1398f937474c51a48b347387ee36a

SHA1
922a8567f09e68a04233e84e5919043034635949

SHA256
2dc0bf08246ddd5a32288c895d676017578d792349ca437b1b36e7b2f0ade6d6

SHA512
4a660c0549f7a850e07d8d36dab33121af02a7bd7e9b2f0137930b4c8cd89b6c5630e408f882684e6935dcb0d5cb5e01a854950eeda252a4881458cafcc7ef7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
261B

MD5
2c2e6472d05e3832905f0ad4a04d21c3

SHA1
007edbf35759af62a5b847ab09055e7d9b86ffcc

SHA256
283d954fa21caa1f3b4aba941b154fab3e626ff27e7b8029f5357872c48cbe03

SHA512
8c4ce1ea02da6ffb7e7041c50528da447d087d9ee3c9f4a8c525d2d856cf48e46f5dd9a1fedd23dd047634e719c8886457f7e7240aa3cc36f1a6216e4c00ee37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0081de840e51038577ad8c538a5f5697

SHA1
96dadbe7e38b333e7eb45666a1c9ff53ed2ba38c

SHA256
498dc193fdb400697142cc8b04b71fdcab6030f07e8dd094117e9c6cbb08fe72

SHA512
1858b9bad1dee685616a9bf100d2aa6587ddfb24cc7e60a8d56766d249d182f93774ea5dbe397ee9ae913aa6673505e83d424b7fcc5a368c5685d9abff4d854c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\d2142a65-6d53-4e72-b856-2b760c77f5c5.tmp

Filesize
5KB

MD5
54603454bb1d39d41705ae75400d1e23

SHA1
8ee65c3b46be2a2d789e034269bb0e981ee90b4a

SHA256
7da636de45d5032a36ded6bbc741b5e7a9fd4ae0b5f15209a183776c49127e96

SHA512
ba562d779112ccf0f2cd2394ea0ea2f48e3d1f9028d34ebb5b29962ba070c55574fa221d532a4688e49bcc62cf2438f6179443b3e5ce2e851d22a8a91dd38a97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
67b5de09bc8eb53fbf83f6abcb73db07

SHA1
c602713076cbcee220906740379881dd592eda0e

SHA256
8d0e343914d64bf126252c4746c3e207910b2bfc2a5e2377259e1476156d8027

SHA512
e3625035616a5653ad0c2eab011219fe7bf689dab95502af74b6c20c76ada2573ed9fc786164d64095132046ab46d07aabeb15c5f8894dc166630291a5d8193b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ede6ab8f1f8c0e9efc765eb665c4038e

SHA1
5e3a1e571feab06c07ea5f7f35272f843dac3d21

SHA256
9f2f0564c21dbf8c5b7185f0c54f12e992a53b04947c28323506626afcea85d5

SHA512
1f8f35412bd0afb0aa54ba452200b9f1e6d99fee5e0071ae37d145d0a0e4eca157bd48f932610ff7a56e05c0d4834df2ed17cf07aab56ca07f988abbf57cbe36

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 888049.crdownload

Filesize
78KB

MD5
2203f35650f3c3356116c0bc4012699e

SHA1
ca37979cca3e4d0043af8abddb3c40d69da1f400

SHA256
05e1e92373e97d5a5777af35955eaeb08db1d9313db75a83b5f9d87de83a5b7d

SHA512
fffe795f4c36806ee8c7138e756ec7a895c88fa41589f44f3bffbe01a3d413785fd9d173079ff80f3cdd94ea7ae7a993e2565f66252dc1a7ba708778e446cf13

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work

Filesize
2KB

MD5
f313c5b4f95605026428425586317353

SHA1
06be66fa06e1cffc54459c38d3d258f46669d01a

SHA256
129d0b993cd3858af5b7e87fdf74d8e59e6f2110184b5c905df8f5f6f2c39d8b

SHA512
b87a829c86eff1d10e1590b18a9909f05101a535e5f4cef914a4192956eb35a8bfef614c9f95d53783d77571687f3eb3c4e8ee2f24d23ad24e0976d8266b8890

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work

Filesize
2KB

MD5
7d612892b20e70250dbd00d0cdd4f09b

SHA1
63251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5

SHA256
727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02

SHA512
f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work

Filesize
2KB

MD5
1e8e2076314d54dd72e7ee09ff8a52ab

SHA1
5fd0a67671430f66237f483eef39ff599b892272

SHA256
55f203d6b40a39a6beba9dd3a2cb9034284f49578009835dd4f0f8e1db6ebe2f

SHA512
5b0c97284923c4619d9c00cba20ce1c6d65d1826abe664c390b04283f7a663256b4a6efe51f794cb5ec82ccea80307729addde841469da8d041cbcfd94feb0f6

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work

Filesize
2KB

MD5
0b990e24f1e839462c0ac35fef1d119e

SHA1
9e17905f8f68f9ce0a2024d57b537aa8b39c6708

SHA256
a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a

SHA512
c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4

Download Submit
memory/332-164-0x0000020E16240000-0x0000020E1626A000-memory.dmp

Filesize
168KB

Download
memory/332-165-0x00007FFF30810000-0x00007FFF30820000-memory.dmp

Filesize
64KB

Download
memory/536-169-0x00007FFF30810000-0x00007FFF30820000-memory.dmp

Filesize
64KB

Download
memory/536-168-0x000001E7419B0000-0x000001E7419DA000-memory.dmp

Filesize
168KB

Download
memory/616-154-0x0000014C64EA0000-0x0000014C64EC3000-memory.dmp

Filesize
140KB

Download
memory/616-156-0x00007FFF30810000-0x00007FFF30820000-memory.dmp

Filesize
64KB

Download
memory/616-155-0x0000014C65270000-0x0000014C6529A000-memory.dmp

Filesize
168KB

Download
memory/672-159-0x000001BEAAD90000-0x000001BEAADBA000-memory.dmp

Filesize
168KB

Download
memory/672-160-0x00007FFF30810000-0x00007FFF30820000-memory.dmp

Filesize
64KB

Download
memory/724-180-0x0000022100930000-0x000002210095A000-memory.dmp

Filesize
168KB

Download
memory/724-181-0x00007FFF30810000-0x00007FFF30820000-memory.dmp

Filesize
64KB

Download
memory/956-171-0x000001ABA1120000-0x000001ABA114A000-memory.dmp

Filesize
168KB

Download
memory/956-172-0x00007FFF30810000-0x00007FFF30820000-memory.dmp

Filesize
64KB

Download
memory/1048-183-0x000001D091890000-0x000001D0918BA000-memory.dmp

Filesize
168KB

Download
memory/1048-184-0x00007FFF30810000-0x00007FFF30820000-memory.dmp

Filesize
64KB

Download
memory/1068-186-0x00000275CE540000-0x00000275CE56A000-memory.dmp

Filesize
168KB

Download
memory/1068-187-0x00007FFF30810000-0x00007FFF30820000-memory.dmp

Filesize
64KB

Download
memory/1168-189-0x0000019906400000-0x000001990642A000-memory.dmp

Filesize
168KB

Download
memory/1168-190-0x00007FFF30810000-0x00007FFF30820000-memory.dmp

Filesize
64KB

Download
memory/1192-193-0x00007FFF30810000-0x00007FFF30820000-memory.dmp

Filesize
64KB

Download
memory/1192-192-0x000002CAB2F60000-0x000002CAB2F8A000-memory.dmp

Filesize
168KB

Download
memory/1260-195-0x0000021394960000-0x000002139498A000-memory.dmp

Filesize
168KB

Download
memory/1260-196-0x00007FFF30810000-0x00007FFF30820000-memory.dmp

Filesize
64KB

Download
memory/1324-202-0x000001BF53570000-0x000001BF5359A000-memory.dmp

Filesize
168KB

Download
memory/1324-203-0x00007FFF30810000-0x00007FFF30820000-memory.dmp

Filesize
64KB

Download
memory/1432-205-0x0000016C93190000-0x0000016C931BA000-memory.dmp

Filesize
168KB

Download
memory/1432-206-0x00007FFF30810000-0x00007FFF30820000-memory.dmp

Filesize
64KB

Download
memory/1448-209-0x00007FFF30810000-0x00007FFF30820000-memory.dmp

Filesize
64KB

Download
memory/1448-208-0x00000208D1370000-0x00000208D139A000-memory.dmp

Filesize
168KB

Download
memory/3412-152-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/3412-149-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/3412-150-0x00007FFF70790000-0x00007FFF70985000-memory.dmp

Filesize
2.0MB

Download
memory/3412-151-0x00007FFF6F350000-0x00007FFF6F40E000-memory.dmp

Filesize
760KB

Download
memory/3412-148-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/5484-146-0x00007FFF70790000-0x00007FFF70985000-memory.dmp

Filesize
2.0MB

Download
memory/5484-147-0x00007FFF6F350000-0x00007FFF6F40E000-memory.dmp

Filesize
760KB

Download
memory/5484-145-0x000001D753F50000-0x000001D753F8E000-memory.dmp

Filesize
248KB

Download
memory/5484-102-0x000001D753F10000-0x000001D753F2E000-memory.dmp

Filesize
120KB

Download
memory/5484-101-0x000001D73B5B0000-0x000001D73B5C2000-memory.dmp

Filesize
72KB

Download
memory/5484-100-0x000001D7542F0000-0x000001D754366000-memory.dmp

Filesize
472KB

Download
memory/5484-81-0x000001D7547A0000-0x000001D754CC8000-memory.dmp

Filesize
5.2MB

Download
memory/5484-80-0x000001D753FA0000-0x000001D754162000-memory.dmp

Filesize
1.8MB

Download
memory/5484-79-0x000001D739960000-0x000001D739978000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads