Malware Analysis Report

2025-01-19 07:30

Sample ID 231031-kwnpxade6s
Target NEAS.accc17f3d435ca7f42ef85350778ef10.exe
SHA256 a9ff6094d450c265a3d3cc5e31f03209650a57edd809636300ea482a31652987
Tags
tinba banker persistence trojan upx
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

a9ff6094d450c265a3d3cc5e31f03209650a57edd809636300ea482a31652987

Threat Level: Known bad

The file NEAS.accc17f3d435ca7f42ef85350778ef10.exe was found to be: Known bad.

Malicious Activity Summary

tinba banker persistence trojan upx

Tinba / TinyBanker

UPX packed file

Adds Run key to start application

Unsigned PE

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Enumerates system info in registry

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-31 08:57

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
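The static signature above says only "UPX packed file" and records no indicator. Added example (not part of the sandbox report, and not run against this sample): a minimal PE section-table parser that applies the two checks an analyst makes by hand, UPX-named sections and the UPX layout of an empty first section followed by a high-entropy section. The two PE images it examines are constructed inside the block; header offsets follow the PE/COFF layout (DOS header, PE signature, 20-byte COFF header, optional header, 40-byte section entries).

```python
"""Static UPX check: read the PE section table instead of trusting a signature name."""
import math
import struct

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b"UPX!"}


def shannon_entropy(data):
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(data):
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]   # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]      # COFF SizeOfOptionalHeader
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        off = table + i * 40
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        characteristics = struct.unpack_from("<I", data, off + 36)[0]
        raw = data[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({
            "name": name.rstrip(b"\0"), "virtual_size": vsize, "virtual_address": vaddr,
            "raw_size": raw_size, "characteristics": characteristics,
            "entropy": shannon_entropy(raw),
        })
    return sections


def upx_indicators(data):
    """Two independent signals: UPX-named sections, and the empty-first-section layout."""
    secs = pe_sections(data)
    names = [s["name"] for s in secs]
    upx_named = [n for n in names if n in UPX_SECTION_NAMES]
    # UPX0 reserves address space for the unpacked image (no raw bytes, large virtual size);
    # UPX1 carries the compressed payload, so its raw bytes are close to random.
    first_empty = bool(secs) and secs[0]["raw_size"] == 0 and secs[0]["virtual_size"] > 0
    high_entropy = any(s["entropy"] > 7.0 for s in secs if s["raw_size"] >= 256)
    return {
        "section_names": names,
        "upx_named": upx_named,
        "first_section_empty": first_empty,
        "high_entropy_section": high_entropy,
        "likely_upx": bool(upx_named) or (first_empty and high_entropy),
    }


def build_fake_pe(section_specs):
    """Assemble a minimal, non-loadable PE32 (headers + section table + raw data).
    section_specs: list of (name, raw_bytes, virtual_size). Constructed test data, not the sample."""
    e_lfanew, opt_size = 0x40, 0xE0  # PE32 optional header size; its contents are irrelevant here
    headers_len = e_lfanew + 4 + 20 + opt_size + 40 * len(section_specs)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x014C, len(section_specs), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    table, blobs, raw_ptr, vaddr = b"", b"", headers_len, 0x1000
    for name, raw, vsize in section_specs:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, vaddr,
                             len(raw), raw_ptr if raw else 0, 0, 0, 0, 0, 0xE0000060)
        blobs += raw
        raw_ptr += len(raw)
        vaddr += max(vsize, 0x1000)
    return dos + b"PE\0\0" + coff + opt + table + blobs


# Constructed images: a UPX-style layout and a plain two-section binary.
PACKED = build_fake_pe([
    (b"UPX0", b"", 0x1C000),
    (b"UPX1", bytes(range(256)) * 16, 0x5000),
    (b".rsrc", b"\0" * 512, 0x1000),
])
CLEAN = build_fake_pe([
    (b".text", b"\x55\x8b\xec\x90" * 128, 0x1000),
    (b".data", b"\0" * 512, 0x1000),
])

if __name__ == "__main__":
    for label, image in (("packed", PACKED), ("clean", CLEAN)):
        print(label, upx_indicators(image))
```

Section names are trivial to rename, so the empty-first-section plus high-entropy pattern is the more robust of the two signals; conversely, a high-entropy section on its own flags any packer or encrypted resource, not UPX specifically. When the headers are intact, `upx -d` restores the original image for static analysis; if it refuses, the headers have been tampered with and the unpacked image has to be dumped from memory instead.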

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-31 08:57

Reported

2023-10-31 11:25

Platform

win10v2004-20231023-en

Max time kernel

168s

Max time network

188s

Command Line

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

Signatures

Tinba / TinyBanker

trojan banker tinba

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\D669E8BA = "C:\\Users\\Admin\\AppData\\Roaming\\D669E8BA\\bin.exe" C:\Windows\SysWOW64\winver.exe N/A

Checks processor information in registry

Description Indicator Process Target Count
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\system32\WerFault.exe N/A 3
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\WerFault.exe N/A 3
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\WerFault.exe N/A 3

Every row in this table and in Enumerates system info in registry below is attributed to WerFault.exe. The Processes list shows those instances were launched as WerFault.exe -u -p <pid> for DllHost.exe PIDs (3652, 3684, 4936, 3504, 1432, 1768, 2908, 408) that winver.exe had written into, i.e. the injected DllHost.exe instances crashed. WerFault.exe is itself among winver.exe's write targets, so this table alone does not settle whether the reads are the crash reporter's own collection or injected code; do not cite these rows as sandbox-evasion evidence without that caveat.

Enumerates system info in registry

Description Indicator Process Target Count
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\system32\WerFault.exe N/A 3
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\system32\WerFault.exe N/A 3

Modifies registry class

Description Indicator Process Target Count
Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix C:\Windows\system32\backgroundTaskHost.exe N/A 1
Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\system32\backgroundTaskHost.exe N/A 1
Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\system32\backgroundTaskHost.exe N/A 1
Key created \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\MuiCache C:\Windows\system32\backgroundTaskHost.exe N/A 2

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Windows\SysWOW64\winver.exe N/A 62
N/A N/A C:\Windows\system32\WerFault.exe N/A 2

winver.exe is the Windows About box and has no business enumerating processes; the 62 hits from PID 3764 match the fan-out of writes from that PID recorded under Suspicious use of WriteProcessMemory, where winver.exe writes into every other process in the session.

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target Count
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A 13
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A 13
Token: SeDebugPrivilege N/A C:\Windows\system32\backgroundTaskHost.exe N/A 7
Token: SeShutdownPrivilege N/A C:\Windows\system32\DllHost.exe N/A 3
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\DllHost.exe N/A 3
Token: SeShutdownPrivilege N/A C:\Windows\System32\RuntimeBroker.exe N/A 2

Explorer.EXE, DllHost.exe and RuntimeBroker.exe enabling SeShutdownPrivilege and SeCreatePagefilePrivilege is not by itself unusual for these shell processes. What matters is that every process in this table is also a WriteProcessMemory target of winver.exe (PID 3764) in the table below, so the token adjustments cannot be separated from the injected code on the strength of this signature alone.

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\winver.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe N/A

Suspicious use of WriteProcessMemory

The sample (PID 3916) writes only into winver.exe (PID 3764); every later write comes from winver.exe and reaches the rest of the interactive session listed under Processes: Explorer.EXE, sihost.exe, svchost.exe, taskhostw.exe, DllHost.exe, RuntimeBroker.exe, backgroundTaskHost.exe, WerFault.exe, StartMenuExperienceHost.exe, SearchApp.exe and TextInputHost.exe. The Run key recorded under Adds Run key to start application is likewise written by winver.exe, not by the sample.

Description Indicator Process Target
PID 3916 wrote to memory of 3764 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\NEAS.accc17f3d435ca7f42ef85350778ef10.exe C:\Windows\SysWOW64\winver.exe
PID 3764 wrote to memory of 3232 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\Explorer.EXE
PID 3764 wrote to memory of 2336 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\sihost.exe
PID 3764 wrote to memory of 2352 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\svchost.exe
PID 3764 wrote to memory of 2484 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\taskhostw.exe
PID 3764 wrote to memory of 3232 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\Explorer.EXE
PID 3764 wrote to memory of 3436 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\svchost.exe
PID 3764 wrote to memory of 3652 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe
PID 3764 wrote to memory of 3868 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 3764 wrote to memory of 3928 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\System32\RuntimeBroker.exe
PID 3764 wrote to memory of 4020 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 3764 wrote to memory of 2116 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\System32\RuntimeBroker.exe
PID 3764 wrote to memory of 5048 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\System32\RuntimeBroker.exe
PID 3764 wrote to memory of 4184 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 3764 wrote to memory of 1300 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\backgroundTaskHost.exe
PID 3764 wrote to memory of 3772 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\backgroundTaskHost.exe
PID 3764 wrote to memory of 4960 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\System32\RuntimeBroker.exe
PID 3764 wrote to memory of 1528 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\System32\RuntimeBroker.exe
PID 3764 wrote to memory of 4384 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\WerFault.exe
PID 3764 wrote to memory of 4976 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\backgroundTaskHost.exe
PID 3764 wrote to memory of 3704 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe
PID 3764 wrote to memory of 3684 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe
PID 3764 wrote to memory of 5032 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\WerFault.exe
PID 3764 wrote to memory of 4936 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe
PID 3764 wrote to memory of 1712 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe
PID 3764 wrote to memory of 692 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\WerFault.exe
PID 3764 wrote to memory of 4444 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe
PID 3764 wrote to memory of 1944 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe
PID 3764 wrote to memory of 3504 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe
PID 3764 wrote to memory of 1432 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe
PID 3764 wrote to memory of 2428 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\WerFault.exe
PID 3764 wrote to memory of 592 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\WerFault.exe
PID 3764 wrote to memory of 2908 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe
PID 3764 wrote to memory of 1768 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe
PID 3764 wrote to memory of 2372 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\WerFault.exe
PID 3764 wrote to memory of 1996 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\WerFault.exe
PID 3764 wrote to memory of 408 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe
PID 3764 wrote to memory of 4152 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\WerFault.exe
PID 3764 wrote to memory of 1104 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\backgroundTaskHost.exe
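The WriteProcessMemory table and the Run-key row under Adds Run key to start application, read together, give the infection chain. Added example (not part of the sandbox report): it parses rows in the exact text form this report prints, finds the process that is both a write target and a write source, and scores the Run-key entry. Its input is a subset of the rows above copied into the block (two of the four identical 3916 to 3764 rows, five of the 3764 rows, and the Run-key row); the two regular expressions are an assumption about the report's row layout, written for these rows only.

```python
"""Rebuild the injection chain and score the persistence entry from sandbox report rows."""
import re
from collections import defaultdict

# Row layouts as printed in this report (assumption about the layout, see lead-in).
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+)\s+N/A\s+(\S+)\s+(\S+)$")
RUNKEY_RE = re.compile(r'^Set value \(str\)\s+(\S+\\Run\\(\S+)) = "(.+?)"\s+(\S+)\s+N/A$')
HEXNAME = re.compile(r"^[0-9A-Fa-f]{6,}$")

# Input rows: a subset of the WriteProcessMemory table and the Run-key row from this report.
ROWS = r"""
PID 3916 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.accc17f3d435ca7f42ef85350778ef10.exe C:\Windows\SysWOW64\winver.exe
PID 3916 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.accc17f3d435ca7f42ef85350778ef10.exe C:\Windows\SysWOW64\winver.exe
PID 3764 wrote to memory of 3232 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\Explorer.EXE
PID 3764 wrote to memory of 2336 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\sihost.exe
PID 3764 wrote to memory of 2352 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\svchost.exe
PID 3764 wrote to memory of 3232 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\Explorer.EXE
PID 3764 wrote to memory of 3928 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\System32\RuntimeBroker.exe
PID 3764 wrote to memory of 4384 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\WerFault.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\D669E8BA = "C:\\Users\\Admin\\AppData\\Roaming\\D669E8BA\\bin.exe" C:\Windows\SysWOW64\winver.exe N/A
"""


def parse_rows(text):
    """Split report rows into (src_pid, dst_pid, src_image, dst_image) writes and Run-key sets."""
    writes, runkeys = [], []
    for line in text.strip().splitlines():
        line = line.strip()
        m = WPM_RE.match(line)
        if m:
            src, dst, src_img, dst_img = m.groups()
            writes.append((int(src), int(dst), src_img, dst_img))
            continue
        m = RUNKEY_RE.match(line)
        if m:
            key, name, value, writer = m.groups()
            # The report doubles backslashes inside quoted values; undo that.
            runkeys.append((key, name, value.replace("\\\\", "\\"), writer))
    return writes, runkeys


def injection_chain(writes):
    """Roots write but are never written to; pivots are written to and then write onward."""
    out = defaultdict(set)
    images = {}
    for src, dst, src_img, dst_img in writes:
        out[src].add(dst)
        images[src], images[dst] = src_img, dst_img
    targets = {dst for _, dst, _, _ in writes}
    return {
        "roots": [(p, images[p]) for p in out if p not in targets],
        "pivots": [(p, images[p], len(out[p])) for p in out if p in targets],
        "fanout": {p: sorted(out[p]) for p in out},
    }


def score_runkeys(runkeys, pivot_images):
    """Flag Run entries that look like a malware-installed autostart."""
    flagged = []
    for _key, name, value, writer in runkeys:
        reasons = []
        if HEXNAME.match(name):
            reasons.append("value name is a bare hex token")
        if "\\AppData\\Roaming\\" in value:
            reasons.append("target lives under %APPDATA%")
        if name in value.split("\\"):
            reasons.append("value name reused as the target directory name")
        if writer in pivot_images:
            reasons.append("written by a process that was itself written into")
        if reasons:
            flagged.append({"name": name, "target": value, "writer": writer, "reasons": reasons})
    return flagged


def triage(text):
    writes, runkeys = parse_rows(text)
    chain = injection_chain(writes)
    chain["persistence"] = score_runkeys(runkeys, {img for _, img, _ in chain["pivots"]})
    return chain


if __name__ == "__main__":
    result = triage(ROWS)
    for pid, img in result["roots"]:
        print(f"root   {pid} {img}")
    for pid, img, n in result["pivots"]:
        print(f"pivot  {pid} {img} -> {n} distinct targets {result['fanout'][pid]}")
    for hit in result["persistence"]:
        print(f"runkey {hit['name']} -> {hit['target']} by {hit['writer']}: {'; '.join(hit['reasons'])}")
```

On a live host the same graph logic applies to Sysmon Event ID 10 (process access) for the write edges and Event ID 13 (registry value set) for the Run key. The detail worth keying on is the shared hex token (D669E8BA) used as both the value name and the directory name, because it survives a change of the bin.exe file name.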

Processes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\sihost.exe

sihost.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.accc17f3d435ca7f42ef85350778ef10.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.accc17f3d435ca7f42ef85350778ef10.exe"

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SysWOW64\winver.exe

winver

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 3652 -s 976

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 3684 -s 748

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 4936 -s 680

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 3504 -s 964

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1432 -s 840

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1768 -s 784

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2908 -s 680

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 408 -s 476

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

Network

Of the seventeen entries, only two are not reverse (in-addr.arpa) lookups sent to 8.8.8.8: the forward lookup of spaines.pw and the single TCP connection to 216.218.185.162:80 under that name. The table does not attribute requests to a process, so which of the injected processes made the connection cannot be read from it.

Country Destination Domain Proto
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 198.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 138.175.53.84.in-addr.arpa udp
US 8.8.8.8:53 spaines.pw udp
US 216.218.185.162:80 spaines.pw tcp
US 8.8.8.8:53 162.185.218.216.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 123.10.44.20.in-addr.arpa udp

Files

Most entries are memory dumps named memory/<pid>-<n>-<start>-<end>. PID 3916 is the sample itself; its first dump covers 0x400000-0x41D000, the default 32-bit image base. Every PID that winver.exe wrote into (Explorer 3232, sihost 2336, svchost 2352, taskhostw 2484, and so on down the WriteProcessMemory table) appears with a 0x6000-byte region dumped, which lines up with those writes. The remaining file entries (ContentDeliveryManager caches and the WebCache database files) are written by ordinary Windows components during the run and carry no indicator for this sample.

memory/3916-0-0x0000000000400000-0x000000000041D000-memory.dmp

memory/3916-1-0x0000000002160000-0x0000000002161000-memory.dmp

memory/3916-2-0x0000000002250000-0x0000000002C50000-memory.dmp

memory/3232-3-0x0000000000B00000-0x0000000000B06000-memory.dmp

memory/3232-5-0x0000000000B00000-0x0000000000B06000-memory.dmp

memory/3764-4-0x00000000013A0000-0x00000000013A6000-memory.dmp

memory/3232-6-0x00007FF81F38D000-0x00007FF81F38E000-memory.dmp

memory/3764-7-0x0000000077172000-0x0000000077173000-memory.dmp

memory/3916-8-0x0000000000400000-0x000000000041D000-memory.dmp

memory/3916-10-0x0000000002250000-0x0000000002C50000-memory.dmp

memory/3764-12-0x00000000013A0000-0x00000000013A6000-memory.dmp

memory/2352-14-0x0000000000BA0000-0x0000000000BA6000-memory.dmp

memory/2336-15-0x0000000000EA0000-0x0000000000EA6000-memory.dmp

memory/2352-19-0x0000000000BA0000-0x0000000000BA6000-memory.dmp

memory/3232-18-0x0000000002A90000-0x0000000002A96000-memory.dmp

memory/2352-17-0x00007FF81F38D000-0x00007FF81F38E000-memory.dmp

memory/2484-16-0x0000000000400000-0x0000000000406000-memory.dmp

memory/2484-21-0x0000000000400000-0x0000000000406000-memory.dmp

memory/3436-20-0x0000000000110000-0x0000000000116000-memory.dmp

memory/3436-25-0x0000000000110000-0x0000000000116000-memory.dmp

memory/3928-26-0x00000000008E0000-0x00000000008E6000-memory.dmp

memory/3868-24-0x0000000000350000-0x0000000000356000-memory.dmp

memory/3652-23-0x0000000000390000-0x0000000000396000-memory.dmp

memory/3232-22-0x0000000002A90000-0x0000000002A96000-memory.dmp

memory/3868-27-0x0000000000350000-0x0000000000356000-memory.dmp

memory/3928-28-0x00000000008E0000-0x00000000008E6000-memory.dmp

memory/4020-29-0x0000000000810000-0x0000000000816000-memory.dmp

memory/2116-30-0x0000000000CA0000-0x0000000000CA6000-memory.dmp

memory/5048-31-0x0000000000520000-0x0000000000526000-memory.dmp

memory/5048-34-0x0000000000520000-0x0000000000526000-memory.dmp

memory/4184-33-0x0000000000E70000-0x0000000000E76000-memory.dmp

memory/2116-32-0x0000000000CA0000-0x0000000000CA6000-memory.dmp

memory/4184-35-0x0000000000E70000-0x0000000000E76000-memory.dmp

memory/1300-36-0x0000000000810000-0x0000000000816000-memory.dmp

memory/3772-37-0x0000000000580000-0x0000000000586000-memory.dmp

memory/4960-38-0x0000000000A80000-0x0000000000A86000-memory.dmp

memory/1528-39-0x0000000000F20000-0x0000000000F26000-memory.dmp

memory/4960-40-0x0000000000A80000-0x0000000000A86000-memory.dmp

memory/1528-41-0x0000000000F20000-0x0000000000F26000-memory.dmp

memory/4384-42-0x0000000000830000-0x0000000000836000-memory.dmp

memory/4384-43-0x0000000000830000-0x0000000000836000-memory.dmp

memory/3232-56-0x00007FF81F510000-0x00007FF81F511000-memory.dmp

memory/4384-58-0x00007FF81F500000-0x00007FF81F501000-memory.dmp

memory/4384-63-0x00007FF81F510000-0x00007FF81F511000-memory.dmp

memory/1528-70-0x00007FF81F500000-0x00007FF81F501000-memory.dmp

memory/1528-71-0x00007FF81F520000-0x00007FF81F521000-memory.dmp

memory/4976-72-0x0000000000930000-0x0000000000936000-memory.dmp

memory/4976-73-0x00007FF81F38D000-0x00007FF81F38E000-memory.dmp

memory/4976-74-0x00007FF81F520000-0x00007FF81F521000-memory.dmp

memory/1528-75-0x00007FF81F510000-0x00007FF81F511000-memory.dmp

memory/3704-77-0x0000000000540000-0x0000000000546000-memory.dmp

memory/3684-78-0x0000000000B00000-0x0000000000B06000-memory.dmp

memory/3684-79-0x000001F6C8DA0000-0x000001F6C8DA8000-memory.dmp

memory/3684-81-0x000001F6C8F70000-0x000001F6C8F78000-memory.dmp

memory/3684-82-0x000001F6C8F60000-0x000001F6C8F61000-memory.dmp

memory/3684-84-0x000001F6C8DB0000-0x000001F6C8DB8000-memory.dmp

memory/3684-87-0x000001F6C8D70000-0x000001F6C8D78000-memory.dmp

memory/3684-90-0x000001F6C8B20000-0x000001F6C8B21000-memory.dmp

memory/3868-91-0x00007FF81F500000-0x00007FF81F501000-memory.dmp

memory/5032-93-0x0000000000990000-0x0000000000996000-memory.dmp

memory/5032-94-0x0000000000990000-0x0000000000996000-memory.dmp

memory/4976-97-0x0000000000930000-0x0000000000936000-memory.dmp

memory/4936-98-0x00000000004D0000-0x00000000004D6000-memory.dmp

memory/3232-107-0x00007FF81F520000-0x00007FF81F521000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\338389\35f06457b69946929ae5a8548ab9fbcd_1

MD5 33125389b5dcfcf858c72e6eb444503d
SHA1 f85b6d3132f635106f423d7b5fd9981a836447fc
SHA256 dbaef75680d3a139331328c2ae3ba78ba4ec441488ae30009786bd23b05fa3db
SHA512 c858ea4d5ce33230d16568f2b2e2d07b037b76d5e636841c8c781976024527064e83721b66492126bea81189b60bb4927728d035a23c133821aaad719b8446dd

memory/1712-109-0x0000000000D70000-0x0000000000D76000-memory.dmp

memory/692-110-0x00000000008D0000-0x00000000008D6000-memory.dmp

memory/692-111-0x00000000008D0000-0x00000000008D6000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log

MD5 c20599abab693db3162893bd1561c4df
SHA1 8f4e1d9786391f7bf4fd586184a37be1ff6b28a7
SHA256 594f740205677469fedbaae4f8e0d87641cdf1da4c98c2ff346ccc378fe9e938
SHA512 16b33f32bff97cbe427d643d9e2c5c78b48c8044b42d48a47c85fcacda305f4e2311b6c258978326888f8ad3159ca679bd02d7203799b983a61a4105c4b3b491

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\338388\c6e99513f531488bbe34ed5b6b16e932_1

MD5 7d0fb75f151fa106c77afd2768e16742
SHA1 483b915ad567d4257ee9aa58ace1214135f94fd1
SHA256 0422600ff8448242e01ba8b992f30174024acce5770ad72d4e3d102a90a47523
SHA512 2a5ed0e951a9b21ca8a5a7609b732b183f08b9464ba2fe619aec15a3d69f1327c90c16133930b477f928a7def9675d2abfb11e2eb1108af96ca9e4fd4353dee1

memory/692-115-0x00007FF81F500000-0x00007FF81F501000-memory.dmp

memory/4976-116-0x00007FF81F510000-0x00007FF81F511000-memory.dmp

memory/692-119-0x00007FF81F510000-0x00007FF81F511000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338388\eventbeacons.dat

MD5 bdfb901af5dfecf734dd1d744225c647
SHA1 90e0b83d02dbbc8d26102a3fb54989874b213af1
SHA256 b5eb2936f9d384868b0526baf079f12167d1d86e66b945c97f6d34921e0be8da
SHA512 f2dd1dfdf9284c7ec57d06b26ddbde471d4c5d344ab3e71f1377fb387a40b73e648e78103805e71924b0aa6758ebdac31fe664f532f52b71f1184be038544f4f

C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.chk

MD5 ff594c2da440bf503c44e7e65be176b0
SHA1 36ba4207aec5e8cee88bc1487c1e32ed09577d47
SHA256 14d0490e23ea3413f9449426e3939fe35e9fb85b2a05ba72b67268b2eaa60fe8
SHA512 48528d71c1981a452146c6f1aa971335df917a86cdcc6dfceee7913d0244cd7c1fce695dff5044cfb93deb87de5d0441a2ec17476217fef2951ac9a63bcdd91f

C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm

MD5 aedb955135ac38369961ccd268d6bdc0
SHA1 8d7e1f57a8b5a7293ac4b30ca7fdad041228cd64
SHA256 8412b8a5ec46c3e12885cdde34affd2803aa59564e9a276335f46fd6690882a8
SHA512 47d1efa6d3b1228255a22b29402e00396518f71e78b7d6225f9ad13eddcd52b6cdb249626994b94e1046f8b876acbe4661984c140d8edd680cab70dd1f746ca3

memory/1712-133-0x00000268EAEE0000-0x00000268EAEE8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

MD5 fa14f5919d13b6f76c0424e8fa2a7ac0
SHA1 7caf8bc3e02284196666b2223023d52e1464cd97
SHA256 844c93007a2e5f8251b3a2faab46614c9c17b801fa6416d014f141e50be3a11f
SHA512 a977fc83acc674ef8dccd10b29c3245ed165d04f37e21266b7f2f90f2fa1557e2c2fd71dd44e728260c871f877b2f90760fe25abf843f72d6fd7e260addfc949

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338388\eventbeacons.dat

MD5 567115061138eaa628c6920003f2f4c2
SHA1 e283fa5ec5ccbb36f6ad62edd66ba04fcbf883ba
SHA256 23b73a5501052dde5fef333011b42c474268094ced38c3265b3efb47fd195c1d
SHA512 84e54ec7f2c1cdf6de0ae96c61a6d37c4b25fccb80649e928f6dd317d8099d4e8ee388bbf1d36048dbeb907eb49345614435b5df49a6e5c7e7e3929bfe5326c2

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\310091\d58b8929a7e94b2690769bcd4003b61d_1

MD5 2b3c1f3e767f5f6a9537a90bc2b94469
SHA1 f81811cf6fa1721ac93103b311c80f970502e0dd
SHA256 604b514c20cab087e0f13bba78412434cdd99dd81654dc7ccd338f7b67360086
SHA512 e6c62a67187444ca2b89f4d9896b829f85b1929f2e5ba212ae4abfd4e7432094771e489e8667fde403a7f5c333ce0b9be15c542a5324a8192472b72c1ccb3a12

memory/4444-152-0x0000000000930000-0x0000000000936000-memory.dmp

memory/1944-153-0x0000000000F00000-0x0000000000F06000-memory.dmp

memory/1944-156-0x0000018508190000-0x0000018508198000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm

MD5 1bac617d3a778de867dd2a4009dcdeff
SHA1 3a4abb1192f42eeab1508522809a0283a72fe262
SHA256 be1030604f5e462bca2b58ae591fd682c4df0ba176189308fa09435a1b04d150
SHA512 60538d286b140f17c53281640e069a534c8803e747b203beb2cc4e93f62d920937f7b9ad6bc1078c5d65ef8d92bba06a3eba45528d549b010db82bba405647e8

C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

MD5 26615be593f31b0cdf62227e7a82f42c
SHA1 6a7b15c301d6cb9bdae3f684111c6124badbcb02
SHA256 41a2023ddba6d1fb1ee6cd163f4f0c1cfbe7c12c880c09452b6fb49577f2d974
SHA512 b9078fd12bcaf920a25df75f1d3505c358fc9092e11b91c0089866c438dc45009640a4493971ac4a5933e00303eef1a5b277528649ce77d2c99f6a1bf0a6761d

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338388\eventbeacons.dat

MD5 a00786b2f6a13d9a4259127d477b3394
SHA1 953012f1201952b54d0cc08f2b7217d1f4c99cb8
SHA256 e5e8d8782a338cfa802305616f3eb98577540d9ab55349fe763ff4b172bae9eb
SHA512 855b7f857a06d6f0b407cd2e91f3d8815f2bc59be8d1db89c6c2bcd019dbfe5fa8c50fa7984e25c383479fdce90e4aea9154abe923dde91515c3195c79a72d3d

memory/3928-170-0x00007FF81F500000-0x00007FF81F501000-memory.dmp

memory/3928-171-0x00007FF81F520000-0x00007FF81F521000-memory.dmp

memory/3928-172-0x00007FF81F510000-0x00007FF81F511000-memory.dmp

memory/3868-174-0x00007FF81F510000-0x00007FF81F511000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\280815\1698751441

MD5 d92d6f6e558feeba04ae607f32188797
SHA1 4614886948c786fb11624565d286a0e335341258
SHA256 92a7a42c67ab43f34d394b64ddbb701e5d618ccea260a09beb99ec393a0775e1
SHA512 eaefe61a85a5fcce8753ddffed60746d81ed29e9969b769d83960ad9be81ecdf75536fd0b8b5d835efcb892c9ca5a96e2e7f6be89b7003188479d5213641d228

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\88000045\1698751441

MD5 e182d1ceeee02759bf30d0ab0471e5c5
SHA1 5b85aff1f2da0bf1eb42ee442da570eb4ebdaed0
SHA256 d80804e13522c8140203f27439a369b1e36ee72c2f31996c3d0123a7e67ab508
SHA512 ef5ac398f405ca622126e2c641dc91cd7967636e3de44b4f7b691c902543b6c2559d422f355cce17d16e4da797c5fe19268e34be370f8750fe2aba0ed09703d9

memory/2428-213-0x00000000007C0000-0x00000000007C6000-memory.dmp

memory/592-214-0x0000000000F90000-0x0000000000F96000-memory.dmp

memory/2428-217-0x00007FF81F500000-0x00007FF81F501000-memory.dmp

memory/2428-220-0x00007FF81F510000-0x00007FF81F511000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338387\1698751441

MD5 777209cdaa197c93b9e70f0e135ad685
SHA1 9c86b9a6d558b0525f2225b500a445a85d28855f
SHA256 2f69e9030e463f6597a9132d409791991923be4417d03a38431f5664bc5fddb2
SHA512 afe14117aebc963339acf7c28b899d7cf6eaf481fe1c78bbe6e2890e7cfeba7bb754a93df2c597e578ea043bbf3685eb40d231446be32ab915ea95df2848b511

memory/2372-237-0x00000000007A0000-0x00000000007A6000-memory.dmp

memory/1996-238-0x0000000000BA0000-0x0000000000BA6000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm

MD5 db6420205e67a7e4cd909a3437f19fd5
SHA1 4731b8e45630d4bd8695583b009b0244df605212
SHA256 a909e1e60243ef87832aa34086ff9d5d0ecc5092f3d6336127c1c5bea5ff302b
SHA512 91a01781c42d6468fd419659e69e3368ae67ff7be5c7df4fe48eaeb13431d4e2746c0010ce1a00130363c25bb68433f65797ccdfc353db73d7e7b9e9be65ddd8

C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

MD5 7f58b298af3db6f5aea3e30aa8173c70
SHA1 9beb02a67b6a482bbc24499852106c0744e39c39
SHA256 5022e027871d4732f128ccd7955c7bb302a5d63562bcdbe61136ace5902f90d9
SHA512 a9bb56533f508637cd6ab9b424a3da6303d8a942e3f65e5c8dead053f936d43d0c030b629d69dd765e814414f77819264159befca3153a73dbbc56e6ef7b8a22

memory/4152-249-0x00000000002A0000-0x00000000002A6000-memory.dmp

memory/4152-251-0x00000000002A0000-0x00000000002A6000-memory.dmp

memory/1104-259-0x00000000008F0000-0x00000000008F6000-memory.dmp

memory/1104-260-0x00007FF81F510000-0x00007FF81F511000-memory.dmp

memory/1104-261-0x00007FF81F500000-0x00007FF81F501000-memory.dmp

memory/1104-262-0x00007FF81F520000-0x00007FF81F521000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\88000045\1698751441

MD5 e182d1ceeee02759bf30d0ab0471e5c5
SHA1 5b85aff1f2da0bf1eb42ee442da570eb4ebdaed0
SHA256 d80804e13522c8140203f27439a369b1e36ee72c2f31996c3d0123a7e67ab508
SHA512 ef5ac398f405ca622126e2c641dc91cd7967636e3de44b4f7b691c902543b6c2559d422f355cce17d16e4da797c5fe19268e34be370f8750fe2aba0ed09703d9

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\280815\1698751441

MD5 d92d6f6e558feeba04ae607f32188797
SHA1 4614886948c786fb11624565d286a0e335341258
SHA256 92a7a42c67ab43f34d394b64ddbb701e5d618ccea260a09beb99ec393a0775e1
SHA512 eaefe61a85a5fcce8753ddffed60746d81ed29e9969b769d83960ad9be81ecdf75536fd0b8b5d835efcb892c9ca5a96e2e7f6be89b7003188479d5213641d228

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\88000045\e0bee7a87144477691d16ad010aabda5_1

MD5 3976ce2fbf0e4176ae1b98488e64379f
SHA1 96f428eb2142b24380377962f810f6c197954740
SHA256 2862d16805330483a404ad4d992c25dbdd056419dfbf5ff65806accf545f2647
SHA512 76ec1e05eb6d3a496f67c7d23db884d5a9969f439e6ce8cec943363af83a7bdb6f02ac017ab82e3b03d370cef4e94611a4d184ae59c0ac5017b7ac346e1bea38

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\280815\c9a0a1cfbbb84ed0b32d4769a7d5327a_1

MD5 68362d456116db4b16691c82cfa1b600
SHA1 38763f9d1c9ebab786e47041cccd6de5f6de9e7a
SHA256 1ffba4c61713ddb0196e85320aacacccd04b6f9109a6a4f6b83b20f2baad61bc
SHA512 b9d5f17e855e652f24e17022a835057bc5fabe8039b0b16963836e586558ac2dfa38edd101b9496f237e2aa34dc051a360cc5b02b4974d9679658feb58fa26da

memory/1104-276-0x00000000008F0000-0x00000000008F6000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-31 08:57

Reported

2023-10-31 11:24

Platform

win7-20231020-en

Max time kernel

150s

Max time network

156s

Command Line

"taskhost.exe"

Signatures

Tinba / TinyBanker

trojan banker tinba

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Run\81307C31 = "C:\\Users\\Admin\\AppData\\Roaming\\81307C31\\bin.exe" C:\Windows\SysWOW64\winver.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\winver.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\winver.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Users\Admin\AppData\Local\Temp\NEAS.accc17f3d435ca7f42ef85350778ef10.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.accc17f3d435ca7f42ef85350778ef10.exe"

C:\Windows\SysWOW64\winver.exe

winver

Network

Country Destination Domain Proto
US 8.8.8.8:53 spaines.pw udp
US 216.218.185.162:80 spaines.pw tcp
US 8.8.8.8:53 uyhgqunqkxnx.pw udp
NL 192.42.116.41:80 uyhgqunqkxnx.pw tcp
US 8.8.8.8:53 vcklmnnejwxx.pw udp
US 216.218.185.162:80 vcklmnnejwxx.pw tcp

Files
